I’m trying to set up a registry with TLS with a Comodo Wildcard SSL Certificate.
We use an intermediate certificate, so I appended it as mentioned in the documentation: cat domain.crt intermediate-certificates.pem > certs/domain.crt
On the server / registry side, everything looks great. When I check with my internet browser at repository.mycompany.nc:5000, I see that the certificate is valid.
On my docker client, when I try to push an image, I still encounter a handshake failure like below:
~ » docker push repository.mycompany.nc:5000/hw
The push refers to repository [repository.mycompany.nc:5000/hw]
Get https://repository.mycompany.nc:5000/v2/: remote error: tls: handshake failure
Any help will be really appreciated.
I can provide more information if needed.
Yep, browsers usually have the Comodo root CA certificates in their trust store.
The trust stores of operating systems rarely do. We do use Comodo TLS certificates in one of our environments as well. RHEL- and Ubuntu-based systems need Comodo’s root CA to be added to the system’s trust store.
Make sure to add the root CA’s certificate in your OS:
Unfortunately, I’m still losing the fight…
It’s working on my Windows station but still not working on CentOS… I don’t understand what I am missing.
I tried to export the certificate from my browser and add it to /etc/pki/ca-trust/source/anchors/
then launched update-ca-trust.
Wget or docker login myrepository still prompt that my certificate is not valid.
Error response from daemon: Get https://myrepository…: x509: certificate signed by unknown authority
May I ask HOW you exported the certificate from your browser?
Is there a reason that you don’t download the certificate files from Comodo directly? Check your certificate in your browser, check which intermediate and root CA are involved and download the .crt files straight from Comodo’s support pages. They are each linked at the bottom of the sub-pages.
Show certificate > export as x.509 with chain
I got a file.crt that contains 3 keys; it matches exactly the .crt I used in my docker registry container.
I also tried to download ‘all’ the .crt files from the Comodo support page, but update-ca-trust is silent and I don’t know how to check that this operation succeeded.
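Added example, not part of the thread: Docker is written in Go, and "x509: certificate signed by unknown authority" is the error Go's crypto/x509 returns when it cannot build a chain from the served certificate to a root in the client's trust store. The program below builds a constructed root, intermediate and wildcard leaf in memory (all names are made up, no Comodo material is involved) and verifies the leaf under three conditions, showing that a root missing from the client's store and an intermediate missing from the served bundle produce the same error.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test cert signed by parent (self-signed if nil); no DNS names means CA.
func issue(serial int64, cn string, parent *x509.Certificate, pkey ed25519.PrivateKey, dns ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames: dns, IsCA: len(dns) == 0, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demo verifies one leaf three ways: all good, root not trusted, intermediate not served.
func demo() (ok, noRoot, noInter error) {
	root, rk := issue(1, "Constructed Root CA", nil, nil)
	mid, mk := issue(2, "Constructed Intermediate CA", root, rk)
	leaf, _ := issue(3, "*.mycompany.nc", mid, mk, "*.mycompany.nc")
	check := func(trustRoot, sendMid bool) error {
		opts := x509.VerifyOptions{DNSName: "repository.mycompany.nc", Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
		if trustRoot {
			opts.Roots.AddCert(root) // Roots stands in for the client's trust store
		}
		if sendMid {
			opts.Intermediates.AddCert(mid) // Intermediates is what the server appended to its bundle
		}
		_, err := leaf.Verify(opts)
		return err
	}
	return check(true, true), check(false, true), check(true, false)
}

func main() { fmt.Println(demo()) }
```

Leaving Roots nil in VerifyOptions makes crypto/x509 load the operating system's trust store instead of the empty pool used here.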