How to find an image digest for deleting an image from a private registry

peteindockerhub · August 9, 2022, 9:56pm

Running
curl -k -X GET https://<reg_host>:5000/v2/_catalog

I get
{"repositories":["ubuntu"]}

Running
curl -k -s -X GET https://<reg_host>:5000/v2/_catalog | jq '.repositories[]' | sort | \ xargs -I _ curl -s -k -X GET https://<reg_host>:5000/v2/_/tags/list

I get
{"name":"ubuntu","tags":["latest"]}

How can I find out the digest for ubuntu:latest for deletion with
curl -v -X DELETE http://<reg_host>:5000/v2/ubuntu/manifests/<digest>

rimelek · August 10, 2022, 7:55pm

I don’t know if you could do that without pulling the image, but you can pull the image and use docker container inspect to get the digest.

peteindockerhub · August 11, 2022, 8:35am

Thanks. I now run in to another problem with cert SAN.
x509: certificate relies on legacy Common Name field, use SANs instead

I have tried multiple suggestions to create new certs and keys with additional names, but have had no luck.

meyay · August 11, 2022, 4:29pm

If you’d shared your actual commands instead, we might want spotted the issue.

Note: you need to make sure the domain(s)/ip(s) you use to access the service are listed as Subject Alternative Name (SAN) in your x509 certificates used for https. The common name (CN) was deprected long time ago for https usage and nowadays most cllient implementions ignore it and require a SAN that matches your access url instead.

peteindockerhub · August 15, 2022, 12:13pm

Thans meyay,

Here are the commands (host and domain set to my system and I also tried with the exact host name instead of the wildcard):

openssl genrsa -out ca.key 2048

openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=US/L=Loc/O=Acme, Inc./CN=Acme Root CA" -out ca.crt

openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=US/L=Loc/O=Acme, Inc./CN=*.domain.com" -out server.csr

openssl x509 -req -extfile <(printf "subjectAltName=DNS:domain.com,DNS:host.domain.com") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

meyay · August 15, 2022, 5:04pm

Are you sure your final certifcate even has the SAN - I am asking as it would surprise me as the CSR needs to have the SAN already.

When I created self signed certificates with SAN, I always used an approach like this: Know about SAN Certificate and How to Create With OpenSSL. But apparently it can be done purely from the command like as well: certificates - Provide subjectAltName to openssl directly on the command line - Information Security Stack Exchange

Like I wrote: CN was deprecated long time ago, but was latetly started to be enforced in most programming languages/libraries - you need to get your “subjectAltName” in order.
If I am not mistaken, then openssl x509 -in server.crt -text -noout will have not show this infromation:

        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:domain.com, DNS:host.domain.com

Before you ask how to fix it_ take a look at the links I shared above.

peteindockerhub · August 22, 2022, 12:37pm

Thanks again.

I know have the SANs in the cert.

openssl x509 -in server.crt -text -noout | grep -i dns

DNS:example.com, DNS:rmt.example.com

I still get the SAN error.

docker --tlscert ./server.crt  pull rmt.example.com:5000/ubuntu:latest

Error response from daemon: Get "https://rmt.example.com:5000/v2/": x509: certificate relies on legacy Common Name field, use SANs instead