Docker Community Forums


How to bypass the CA trust from docker clients to access the docker registry over https/TLS

Hi,

When we configure the docker registry container with https/TLS, docker clients throw “http tls: bad certificate”, and this can be mitigated by configuring the CA certificate on the docker client systems.

But it is challenging to distribute the CA certificate to all the docker clients when we don't know who is using this registry.

So, how are you guys using a registry/pull-through cache with HTTPS? Please suggest.

If the container registry is meant to be accessed from a local network only: use a local CA, issue a server certificate using the local CA and use it in your container registry, add the CA’s certificate to the list of trusted CAs on the clients, then restart the docker daemons of the clients.

If the container registry is meant to be accessed from local and public networks: use a world-trusted CA and be good. If you are on a public cloud like AWS: let them issue the certificate, assign it to a load balancer and let it terminate TLS. If you are within your own environment: why not use Let's Encrypt to issue the certificate?

The docs for setting up self-signed certs mention that you should add the cert to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
I ssh’d into the machine and did that; the private registry is working.
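As an added example (not from this thread or the Docker docs), a POSIX shell helper that automates the two replies above: it installs a local CA into the per-registry trust directory the daemon reads, but only after checking that the file really is a CA certificate and that the registry's server certificate chains to it for the registry hostname, so a stray leaf or a certificate from some other issuer is never trusted by mistake. The DOCKER_CERTS_ROOT override and the function name are assumptions for this example.

```shell
#!/bin/sh
# install_registry_ca REGISTRY CA_CERT SERVER_CERT
#   REGISTRY     host:port as the docker client addresses it, e.g. myregistrydomain.com:5000
#   CA_CERT      PEM file of the local CA that issued the registry's server certificate
#   SERVER_CERT  PEM file of the registry's server certificate, used only to validate the CA
# Writes CA_CERT to $DOCKER_CERTS_ROOT/REGISTRY/ca.crt (default /etc/docker/certs.d),
# which is the per-registry trust file the Docker daemon consults for that host:port.
# Returns 1 if CA_CERT is not a CA certificate, 2 if SERVER_CERT does not chain to it.
install_registry_ca() {
  registry="$1"
  ca_cert="$2"
  server_cert="$3"
  host="${registry%%:*}"                                   # strip the :port for hostname checks
  dest="${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}/$registry"

  # Only a CA certificate belongs in ca.crt; refuse a bare server (leaf) certificate.
  openssl x509 -in "$ca_cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1

  # The server certificate must chain to this CA and carry the registry hostname,
  # otherwise the daemon would still fail with "bad certificate" after the install.
  openssl verify -CAfile "$ca_cert" -verify_hostname "$host" "$server_cert" >/dev/null 2>&1 || return 2

  mkdir -p "$dest"
  cp "$ca_cert" "$dest/ca.crt"
  chmod 644 "$dest/ca.crt"
  return 0
}
```

No daemon restart is needed for a new certs.d entry; the client reads the directory when it contacts the registry.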

Once again, lewish95, the “Let me Google that for you” bot, has committed plagiarism. (ref)

Thanks guys for your response.

@lewish95, yes, when we copy the ca.crt onto the client machines, the registry works fine.

But I am actually looking for something that can be done without adding ca.crt to the client machines.

I can’t use Let's Encrypt as it is a security breach for our case.

Also, when I try to pull an image through this proxy, I get the error below:

level=error msg="response completed with error" err.code="manifest unknown" err.detail="unknown tag=ts.ceosr.latest" err.message="manifest unknown" go.version=go1.11.2 http.request.host=xxxxxxxxx http.request.id=35aa84b0-62e6-4807-9ac6-30b49814b064 http.request.method=GET http.request.remoteaddr="xxxxxx:50862" http.request.uri="/v2/xxxxxx/xxx/manifests/ts.ceosr.latest" http.request.useragent="docker/19.03.13 go/go1.13.15 git-commit/4484c46d9d kernel/3.10.0-1127.19.1.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.13 (linux))" http.response.contenttype="application/json; charset=utf-8" http.response.duration=2.412999409s http.response.status=404 http.response.written=110 vars.name="xxxx/xx" vars.reference=ts.ceosr.latest
10.85.14.240 - - [02/Dec/2020:08:14:58 +0000] "GET /v2/xx/xx/manifests/ts.ceosr.latest HTTP/1.1" 404 110 "" "docker/19.03.13 go/go1.13.15 git-commit/4484c46d9d kernel/3.10.0-1127.19.1.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.13 \(linux\))"

Kindly help on this.