Docker Community Forums


Docker private registry V2 not accepting TLS connections

insecure-registry

(Guidoilbaldo) #1

Hi,

Inside my lab I have a VM running Docker Registry v1 with Nginx and certificates. All works great, but lately I decided to switch to Docker Registry v2. I followed the Docker Docs to deploy a v2 Registry with SSL, using the same working certificates from my previous installation. This is my final docker run command:
```
docker run -d -p 5050:5000 --restart=always --name registry \
  -v /registry-storage/dockestryV2:/var/lib/registry \
  -v /auth:/auth \
  -v /certs:/certs \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dockerRegistry.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/dockerRegistry.key \
  registry:2
```

In /auth I have my htpasswd file with the user enabled to log in to the v2 Registry, and inside /certs I have both the crt and key files. Docker comes up and the logs show:
```
time="2016-04-18T12:12:17Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.6.1 instance.id=c28b3735-63a1-421a-b0f5-6334eb1c2347 version=v2.4.0
time="2016-04-18T12:12:17Z" level=info msg="redis not configured" go.version=go1.6.1 instance.id=c28b3735-63a1-421a-b0f5-6334eb1c2347 version=v2.4.0
time="2016-04-18T12:12:17Z" level=info msg="Starting upload purge in 30m0s" go.version=go1.6.1 instance.id=c28b3735-63a1-421a-b0f5-6334eb1c2347 version=v2.4.0
time="2016-04-18T12:12:17Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.6.1 instance.id=c28b3735-63a1-421a-b0f5-6334eb1c2347 version=v2.4.0
time="2016-04-18T12:12:17Z" level=info msg="listening on [::]:5000, tls" go.version=go1.6.1 instance.id=c28b3735-63a1-421a-b0f5-6334eb1c2347 version=v2.4.0
```

But whenever I try to perform a docker login https://dockestry.gcio.unicredit.eu:5050 I get:
```
[root@dockestry ~]# docker login https://dockestry.gcio.unicredit.eu:5050
Username: feasy
Password:
Email:
Error response from daemon: invalid registry endpoint https://dockestry.gcio.unicredit.eu:5050/v0/: unable to ping registry endpoint https://dockestry.gcio.unicredit.eu:5050/v0/
v2 ping attempt failed with error: Get https://dockestry.gcio.unicredit.eu:5050/v2/: net/http: TLS handshake timeout
v1 ping attempt failed with error: Get https://dockestry.gcio.unicredit.eu:5050/v1/_ping: net/http: TLS handshake timeout. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry dockestry.gcio.unicredit.eu:5050` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/dockestry.gcio.unicredit.eu:5050/ca.crt
```

I also put the ca.crt file inside the folder mentioned. The logs show:
```
2016/04/18 12:12:25 http: TLS handshake error from 172.17.42.1:37402: EOF
```

At this point I tried deploying an insecure registry and using the already configured Nginx again, to no avail.
```
[root@dockestry ~]# docker login https://dockestry.gcio.unicredit.eu:5100
Username: feasy
Password:
Email:
Error response from daemon: invalid registry endpoint https://dockestry.gcio.unicredit.eu:5100/v0/: unable to ping registry endpoint https://dockestry.gcio.unicredit.eu:5100/v0/
v2 ping attempt failed with error: Get https://dockestry.gcio.unicredit.eu:5100/v2/: net/http: TLS handshake timeout
v1 ping attempt failed with error: Get https://dockestry.gcio.unicredit.eu:5100/v1/_ping: net/http: TLS handshake timeout. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry dockestry.gcio.unicredit.eu:5100` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/dockestry.gcio.unicredit.eu:5100/ca.crt
```

The logs show nothing of interest.
```
time="2016-04-18T12:49:34Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.6.1 instance.id=1317f4c1-1945-4c82-a1cf-6706c541bd9c version=v2.4.0
time="2016-04-18T12:49:34Z" level=info msg="redis not configured" go.version=go1.6.1 instance.id=1317f4c1-1945-4c82-a1cf-6706c541bd9c version=v2.4.0
time="2016-04-18T12:49:34Z" level=info msg="Starting upload purge in 39m0s" go.version=go1.6.1 instance.id=1317f4c1-1945-4c82-a1cf-6706c541bd9c version=v2.4.0
time="2016-04-18T12:49:34Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.6.1 instance.id=1317f4c1-1945-4c82-a1cf-6706c541bd9c version=v2.4.0
time="2016-04-18T12:49:34Z" level=info msg="listening on [::]:5000" go.version=go1.6.1 instance.id=1317f4c1-1945-4c82-a1cf-6706c541bd9c version=v2.4.0
```

Any help would be much appreciated.
Stefano
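
The daemon's own error message names the two things worth verifying before reaching for `--insecure-registry` (which turns off certificate verification for that host entirely, and is not needed when the CA is available): that the certificate and key handed to the container belong together and chain to the CA, and that the CA sits at `/etc/docker/certs.d/<host>:<port>/ca.crt`. The script below is an added example, not code from the post or from the Docker project. It builds a throwaway lab CA and a server certificate for the made-up name `dockestry.example` so the checks run offline; `DOCKER_CERTS_DIR` is an assumed override so the install step can be exercised without touching `/etc/docker`. Note that a certificate the daemon rejects surfaces as an `x509:` error, not as `TLS handshake timeout`, so the live probe at the end is the one that corresponds to the symptom in the post.

```shell
#!/bin/sh
# Added example, not code from the post or from Docker: offline checks for the
# TLS material handed to registry:2 (REGISTRY_HTTP_TLS_CERTIFICATE / _KEY) and
# the certs.d install step from the daemon's error message.  The lab CA, the
# name dockestry.example and the DOCKER_CERTS_DIR override are assumptions made
# for the demonstration.
set -eu

# 1. Does the private key belong to the certificate?  Compare the public key
#    inside the cert with the one derived from the key file.
key_matches_cert() {            # usage: key_matches_cert server.crt server.key
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# 2. Does the certificate chain to the CA and carry the dialed hostname as a
#    DNS subjectAltName?  openssl verify alone still accepts a CN-only
#    certificate; Go 1.15+ (so any current dockerd) does not, hence the grep.
cert_valid_for() {              # usage: cert_valid_for ca.crt server.crt hostname
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1 &&
        openssl x509 -in "$2" -noout -text | grep -o 'DNS:[^,]*' | grep -Fqx "DNS:$3"
}

# 3. Put the CA where dockerd looks for it: <certs.d>/<host>:<port>/ca.crt.
#    DOCKER_CERTS_DIR defaults to the real location; override it for a dry run.
install_registry_ca() {         # usage: install_registry_ca host port ca.crt
    dir="${DOCKER_CERTS_DIR:-/etc/docker/certs.d}/$1:$2"
    mkdir -p "$dir"
    cp "$3" "$dir/ca.crt"
    chmod 0644 "$dir/ca.crt"
    printf '%s\n' "$dir/ca.crt"
}

# 4. Live probe of a running registry (needs the endpoint; not run offline).
#    Succeeds only when the handshake completes and the chain verifies, which
#    separates a connectivity problem from a certificate problem.
probe_registry_tls() {          # usage: probe_registry_tls host port ca.crt
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# Constructed lab PKI so the checks run without a registry: a throwaway CA, a
# server cert for $2 with a matching SAN, the same CSR signed without a SAN
# (CN only), and an unrelated key to stand in for a cert/key mix-up.
make_lab_pki() {                # usage: make_lab_pki dir hostname
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Registry CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/server.ext"
    openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/server.ext" -out "$1/server.crt" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/cnonly.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.key" 2>/dev/null
}

# Offline demonstration against the constructed PKI.
demo() {
    lab=$(mktemp -d)
    make_lab_pki "$lab" dockestry.example
    key_matches_cert "$lab/server.crt" "$lab/server.key" && echo "ok: key matches cert"
    key_matches_cert "$lab/server.crt" "$lab/other.key"  || echo "ok: unrelated key rejected"
    cert_valid_for "$lab/ca.crt" "$lab/server.crt" dockestry.example && echo "ok: chain and SAN verify"
    cert_valid_for "$lab/ca.crt" "$lab/cnonly.crt" dockestry.example || echo "ok: CN-only cert rejected"
    cert_valid_for "$lab/ca.crt" "$lab/server.crt" other.example     || echo "ok: wrong hostname rejected"
    DOCKER_CERTS_DIR="$lab/certs.d" install_registry_ca dockestry.example 5050 "$lab/ca.crt"
    rm -rf "$lab"
}
demo
```

Against a real registry, run the first two checks on the files mounted into the container, install the CA that signed the server certificate (not the server certificate itself) with `install_registry_ca <host> <port> ca.crt` as root, and then `probe_registry_tls <host> <port> ca.crt`; if the probe hangs or reports a non-zero verify code while the offline checks pass, the problem is between the daemon and the listener rather than in the certificate.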