Docker Community Forums


Docker login got FATA[0010]


(Tracyliu) #1

I installed docker trusted registry (DTR) by following https://docs.docker.com/docker-trusted-registry/install/#download-the-commercially-supported-docker-engine-installation-script .
For the key/certificate, I didn’t set my own key, just used whatever DTR set by default.
Also, I set the domain name to the DTR machine’s IP address, because I found my docker client has a problem accessing DTR using the domain name dtr..com, but it can access the DTR machine using the IP.
I added user admin/password as admin via DTR admin UI->Settings->Auth. I can log in to the admin UI using this account with no problem.

Now I am following https://docs.docker.com/docker-trusted-registry/quick-start/ on DTR machine.
I pulled the jenkins image from Docker Hub and built dtr.yourdomain.com/ci-infrastructure/jnkns-img, without setting SSL.
When I was trying to push the image to DTR, I failed to log in to docker. The commands I used were:

//download DTR server certificate
openssl s_client -connect 172.16.12.116:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee -a /tmp/tracy/server.pem

//mkdir /etc/docker/certs.d/172.16.12.116
//copy the certificate to /etc/docker/certs.d/172.16.12.116/ca.crt
cp /tmp/tracy/server.pem /etc/docker/certs.d/172.16.12.116/ca.crt

docker login 172.16.12.116
Username: admin
Password: xxxxxxxx
email: (blank, because I don’t see any place to set email when adding admin user via DTR admin UI’s Settings->Auth)

Then I got this error:
FATA[0004] Error response from daemon: v1 ping attempt failed with error: Get https ://172.16.12.116/v1/_ping: x509: cannot validate certificate for 172.16.12.116 because it doesn't contain any IP SANs. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry 172.16.12.116 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/172.16.12.116/ca.crt

I have two questions,

  1. I have put ca.crt to /etc/docker/certs.d/172.16.12.116/ca.crt, why can’t docker get it?

  2. I installed DTR, which is a V2 registry, so why is it trying to Get https ://172.16.12.116/v1/_ping?
    In my previous topic, I reported /v1/_ping not working in DTR and got a reply from Jeff. He said that this API was specifically used by the V1 registry, and DTR is V2. So I don’t understand how this “…Get https ://172.16.12.116/v1/_ping…” error happened.

Thanks!

(I inserted three spaces in three links, because the website said I am a new user and only allowed me to have 2 links in a post)


(Tracyliu) #2

I tried to curl API /v2 on another machine (not the DTR machine), and I got 401 Unauthorized.

I have downloaded DTR server certificate:
openssl s_client -connect 172.16.12.116:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee -a /tmp/tracy/server.pem

And used this certificate and admin account in the curl request:
curl --cacert /tmp/tracy/server.pem --user admin:password https://172.16.12.116/v2/

I got this response:
{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]}

I am wondering whether this error is something related to the docker login failure too?