Private docker registry + Apache Proxy + Self Signed certificate

Hello, we are trying to setup a private registry in our infrastructure.

Our main goal is to delegate the SSL handshake to our corporate Apache proxy (not a docker container), so that any client connecting to the registry uses the proxy to reach the Docker registry, which has a public DNS domain.

Desired Schema: Corporate Apache 2.2 + SSL ----> Docker Registry

We have configured the SSL on the Apache for the Registry's DNS domain, but any time we connect to it, we cannot connect. We've tried with self-signed certs, created with OpenSSL.

As we didn’t find a good solution, we desperately followed Docker’s official guide here: https://docs.docker.com/registry/recipes/apache, but we still have to use our corporate Apache proxy, without the SSL (our guessing) on that part of the infrastructure, just on the dockerized container provided by Docker guys.

New Schema: Corporate Apache 2.2 ----> (Dockerized Apache ----> Docker Registry)

We are stuck at this point, as we cannot login, push nor pull from the registry.

Any suggestions?

I am having the same issue (or same problem).
I have the private registry working, configured with nginx (both registry and nginx are started in containers). From our local network anyone can pull/push images: docker pull 10.185.5.106:5043/zookeeper

Now we need to allow the employees from a different country to pull the images.
For that we have to use the company Apache proxy, which is tatata.thecompany.com, and the URL that I can use is tata.thecompany.com/docker_repo

ACTUAL RESULTS:

  1. docker pull tata.thecompany.com/docker_repo/zookeeper

Using default tag: latest
Error response from daemon: Get https://tatata.thecompany.com/v1/_ping: x509: certificate signed by unknown authority

  2. in the browser, http://tatata.thecompany.com/docker_repo/v2/_catalog

it is OK
{"repositories":["hellofromclient","hellofromlocal2","zookeper"…]}

  3. in the client: docker pull 10.185.5.106:5043/zookeeper

it is OK

STEPS used in SETTINGS

  • docker registry and the docker engine (the client that uses docker pull) are on Ubuntu 16 LTS
  • docker engine versions:
    - for registry: Docker version 1.11.2, build b9f10c9
    - for client: Docker version 1.12.1, build 23cf638

  • the compose file that starts docker registry and nginx

nginx:
  image: "nginx:1.9"
  ports:
    - 5043:443
  links:
    - registry:registry
  volumes:
    - ./nginx/:/etc/nginx/conf.d:ro

registry:
  image: registry:2
  ports:
    - 127.0.0.1:5000:5000
  environment:
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
  volumes:
    - ./data:/data

- sudo cat /etc/docker/daemon.json
{ "insecure-registries": [ "10.185.5.106:5043", "tatata.company.com/docker_repo" ] }

- sudo cat /etc/default/docker
DOCKER_OPTS="--insecure-registry tatata.company.com/docker_repo"
DOCKER_OPTS="--insecure-registry 10.185.5.106:5043"

- sudo mkdir /etc/docker/certs.d/tatata.company.com/

- sudo mkdir /etc/docker/certs.d/tatata.company.com/docker_repo

- put the ca.crt in both folders /etc/docker/certs.d/tatata.company.com/ and /etc/docker/certs.d/tatata.company.com/docker_repo
I tried with the ca.crt created by me, also concatenated the system crt files into the ca.crt, and also with the ca.crt file from the Apache proxy server (I copied the content from it)

tatata.company.com is the name of our apache proxy server where we externalized other applications
(I am not allowed to publish the real name)

- /docker_repo is used to map 10.185.5.106:5043
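As an added illustration (not code from either poster), the script below resolves an image name the way the Docker daemon does: the registry is the first path component of the name, the API is probed at that host's root, and the only trust directory consulted is /etc/docker/certs.d/<host[:port]>/, so a path such as /docker_repo neither reaches a proxy URL prefix nor selects a certs.d subfolder, and an insecure-registries entry carrying a path never matches. Hostnames and paths are the thread's own placeholders; the CIDR entry in the usage is constructed.

```python
"""Resolve a Docker image reference the way the daemon does, to see which
registry host it contacts and which TLS trust settings apply to it."""
import ipaddress
from dataclasses import dataclass

CERTS_D = "/etc/docker/certs.d"  # daemon reads <CERTS_D>/<host[:port]>/ca.crt


@dataclass(frozen=True)
class RegistryTarget:
    domain: str      # host[:port] the daemon actually connects to
    repository: str  # everything after the host; it never alters the host
    endpoint: str    # first URL probed; the registry API lives at the host root
    certs_dir: str   # the only directory whose ca.crt is consulted


def split_domain(name: str) -> tuple[str, str]:
    """Reference grammar: the leading component is a registry host only if it
    contains '.' or ':' or equals 'localhost'; otherwise Docker Hub is meant."""
    head, sep, rest = name.partition("/")
    if not sep or ("." not in head and ":" not in head and head != "localhost"):
        return "docker.io", name
    return head, rest


def resolve(ref: str) -> RegistryTarget:
    head, sep, last = ref.rpartition("/")
    last = last.split("@", 1)[0].split(":", 1)[0]  # drop :tag or @digest
    domain, repo = split_domain(head + sep + last)
    return RegistryTarget(domain, repo, f"https://{domain}/v2/", f"{CERTS_D}/{domain}")


def insecure_entries_matching(domain: str, entries: list[str]) -> list[str]:
    """Which insecure-registries entries disable TLS verification for this host:
    an exact host[:port] match, or a CIDR that contains the host's IP address.
    Lookup is by host, so an entry with a URL path can never match anything."""
    host = domain.rsplit(":", 1)[0] if domain.count(":") == 1 else domain
    hits = []
    for entry in entries:
        if entry == domain:
            hits.append(entry)
        elif "/" in entry:  # only a CIDR is allowed to contain a slash
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                    hits.append(entry)
            except ValueError:
                pass  # not a CIDR (e.g. "host/path") or host is not an IP literal
    return hits


if __name__ == "__main__":
    print(resolve("tata.thecompany.com/docker_repo/zookeeper"))
    print(insecure_entries_matching("10.185.5.106:5043", ["10.185.5.106:5043", "10.185.0.0/16"]))
```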