When we configure the docker registry container with HTTPS/TLS, docker clients throw “http tls: bad certificate”, and this can be mitigated by configuring the CA certificate on the docker client systems.
But it is challenging to distribute the CA certificate to all the docker clients when we don't know who is using this registry.
So, how are you using a registry/pull-through cache with HTTPS? Please suggest.
If the container registry is meant to be accessed from a local network only: use a local CA, issue a server certificate using the local CA and use it in your container registry, add the CA’s certificate to the list of trusted CAs on the clients, then restart the docker daemons of the clients.
If the container registry is meant to be accessed from local and public networks: use a worldly trusted CA and be good. If you are on a public cloud like AWS: let them issue the certificate, assign it to a load balancer and let it terminate TLS. If you are within your own environment: why not use Let's Encrypt to issue the certificate?
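The local-CA route from the answer above, as an added example that is not part of the original thread: a shell script that creates a local CA, issues a server certificate for the registry hostname with a SAN entry (Go-based clients such as docker reject certificates that only carry the name in the CN), verifies the chain and hostname the way a client would, and prints where the files go. The hostname `registry.internal.example`, the `CERT_DIR` working directory and the `Local Registry CA` subject are assumptions; `openssl` is assumed to be installed. The registry environment variables and the `/etc/docker/certs.d/<host>/ca.crt` path are the documented defaults of the `registry:2` image and the docker daemon.

```shell
#!/bin/sh
# Added example (not the original post's code). Build a local CA, issue a
# server certificate for the registry host, verify it, and show where the
# pieces go. Assumes openssl is installed; REGISTRY_HOST and CERT_DIR are
# hypothetical defaults that can be overridden from the environment.
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
REGISTRY_HOST="${REGISTRY_HOST:-registry.internal.example}"

# 1. Local CA: a self-signed root key and certificate. ca.key never leaves
#    the machine that signs certificates; only ca.crt is distributed.
make_local_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Local Registry CA" \
    -keyout "$CERT_DIR/ca.key" -out "$CERT_DIR/ca.crt" >/dev/null 2>&1
}

# 2. Server certificate: CSR for the registry hostname, signed by the CA.
#    subjectAltName is required; docker ignores a CN-only certificate.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$REGISTRY_HOST" \
    -keyout "$CERT_DIR/server.key" -out "$CERT_DIR/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$REGISTRY_HOST" \
    > "$CERT_DIR/server.ext"
  openssl x509 -req -days 825 -in "$CERT_DIR/server.csr" \
    -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" -CAcreateserial \
    -extfile "$CERT_DIR/server.ext" -out "$CERT_DIR/server.crt" >/dev/null 2>&1
}

# 3. Verify chain and hostname as a client would. Prints OK or FAIL so the
#    same check can be run against the hostname clients will actually use.
verify_server_cert() {
  host="${1:-$REGISTRY_HOST}"
  if openssl verify -CAfile "$CERT_DIR/ca.crt" \
       -verify_hostname "$host" "$CERT_DIR/server.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# 4. Deployment: the registry gets the server key pair; each client host gets
#    only ca.crt, scoped to this registry, and its daemon is restarted.
show_deployment() {
  cat <<EOF
# registry container (registry:2): mount $CERT_DIR as /certs and set
REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt
REGISTRY_HTTP_TLS_KEY=/certs/server.key
# each docker client host: trust the CA for this registry only, then restart
sudo mkdir -p /etc/docker/certs.d/$REGISTRY_HOST
sudo cp $CERT_DIR/ca.crt /etc/docker/certs.d/$REGISTRY_HOST/ca.crt
sudo systemctl restart docker
EOF
}

main() {
  make_local_ca
  issue_server_cert
  verify_server_cert
  show_deployment
}
main "$@"
```

Placing `ca.crt` under `/etc/docker/certs.d/<registry-host>/` trusts the local CA for that one registry only, which is tighter than adding it to the system-wide trust store; run `verify_server_cert` with a different hostname to confirm the certificate is not accepted for names it was not issued for.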