I’m trying Docker version 20.10.8 for k8s 1.21, where we are pulling images from a private registry.
I’ve placed the registry certs on the client. Still not able to pull the image.
Error:
Error response from daemon: Get "https://my-registry.com:1000/v2/": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
How can we enable Common Name matching while pulling? Is there anywhere we can specify an env variable for Docker?
So even if you apply the workaround with GODEBUG=x509ignoreCN=0, it will not help in the long run as the “backward compatibility flag” will eventually be removed.
Great read! And it even says using CN was deprecated in 2000, and a mandatory fallback to CN followed deprecation in 2011. Wow, I’m pretty sure I was happily installing new certificates that only used CN for a great part of those two decades!
So yeah, while one could probably downgrade Docker, it’s simply really time to get the server side to follow the standards.
Oh you are right! Seems between 2011 and 2017 it was more or less ignored until Chrome started in 2017 to take the RFC seriously. Now Go simply followed, which affects Docker as it’s written in Go.