Share and learn in the Docker community.
Running
curl -k -X GET https://<reg_host>:5000/v2/_catalog
I get
{"repositories":["ubuntu"]}
Running
curl -k -s -X GET https://<reg_host>:5000/v2/_catalog | jq '.repositories[]' | sort | \ xargs -I _ curl -s -k -X GET https://<reg_host>:5000/v2/_/tags/list
I get
{"name":"ubuntu","tags":["latest"]}
How can I find out the digest for ubuntu:latest for deletion with
curl -v -X DELETE http://<reg_host>:5000/v2/ubuntu/manifests/<digest>
I don’t know if you could do that without pulling the image, but you can pull the image and use docker container inspect to get the digest.
Thanks. I now run in to another problem with cert SAN.
x509: certificate relies on legacy Common Name field, use SANs instead
I have tried multiple suggestions to create new certs and keys with additional names, but have had no luck.
If you’d shared your actual commands instead, we might want spotted the issue.
Note: you need to make sure the domain(s)/ip(s) you use to access the service are listed as Subject Alternative Name (SAN) in your x509 certificates used for https. The common name (CN) was deprected long time ago for https usage and nowadays most cllient implementions ignore it and require a SAN that matches your access url instead.
Thans meyay,
Here are the commands (host and domain set to my system and I also tried with the exact host name instead of the wildcard):
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=US/L=Loc/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=US/L=Loc/O=Acme, Inc./CN=*.domain.com" -out server.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:domain.com,DNS:host.domain.com") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
Are you sure your final certifcate even has the SAN - I am asking as it would surprise me as the CSR needs to have the SAN already.
When I created self signed certificates with SAN, I always used an approach like this: Know about SAN Certificate and How to Create With OpenSSL. But apparently it can be done purely from the command like as well: certificates - Provide subjectAltName to openssl directly on the command line - Information Security Stack Exchange
Like I wrote: CN was deprecated long time ago, but was latetly started to be enforced in most programming languages/libraries - you need to get your “subjectAltName” in order.
If I am not mistaken, then openssl x509 -in server.crt -text -noout will have not show this infromation:
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:domain.com, DNS:host.domain.com
Before you ask how to fix it_ take a look at the links I shared above.
Thanks again.
I know have the SANs in the cert.
openssl x509 -in server.crt -text -noout | grep -i dns
DNS:example.com, DNS:rmt.example.com
I still get the SAN error.
docker --tlscert ./server.crt pull rmt.example.com:5000/ubuntu:latest
Error response from daemon: Get "https://rmt.example.com:5000/v2/": x509: certificate relies on legacy Common Name field, use SANs instead