Docker Community Forums


Problem with TLS for registry


(Awardsolutionsuser) #1

Trying to create a remote docker registry on GCP (ubuntu 16.04) and docker login to the registry from a local client (ubuntu 16.04) with TLS.
Followed the instructions from https://docs.docker.com/registry/deploying/#run-a-local-registry
Both the client and the remote GCP host have Docker version 17.12.0-ce.

When first starting the remote registry (following the instructions above), the client gets:
x509: certificate signed by unknown authority
The server gets:
remote error: tls: bad certificate

After creating a daemon.json file on the server for the insecure registry, restarting the docker service and recreating the registry with the same command line, the client gets:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

The server logs show no change.

docker info on the server shows:

Labels:
Experimental: false
Insecure Registries:
private-image-repo:443
127.0.0.0/8
Live Restore Enabled: false

I created the registry container on the server with the following command line:
docker run -d \
  --restart=always \
  --name registry \
  -v /certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry:2.6.2

On the client side, after creating the insecure registry:
docker login private-image-repo:443
Warning: failed to get default registry endpoint from daemon (Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?). Using system default: https://index.docker.io/v1/
Username: testuser
Password:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

The docker registry container is running OK and the logs look OK:
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3df881027cfe registry:2.6.2 "/entrypoint.sh /etc…" 12 minutes ago Up 12 minutes 0.0.0.0:443->443/tcp, 5000/tcp registry
ubuntu@private-image-repo:~$ docker logs 3df881027cfe
time="2018-02-10T18:11:40Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.7.6 instance.id=b853ef27-e557-48e3-97e0-77ce32d46926 version=v2.6.2
time="2018-02-10T18:11:40Z" level=info msg="redis not configured" go.version=go1.7.6 instance.id=b853ef27-e557-48e3-97e0-77ce32d46926 version=v2.6.2
time="2018-02-10T18:11:40Z" level=info msg="Starting upload purge in 33m0s" go.version=go1.7.6 instance.id=b853ef27-e557-48e3-97e0-77ce32d46926 version=v2.6.2
time="2018-02-10T18:11:40Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.7.6 instance.id=b853ef27-e557-48e3-97e0-77ce32d46926 version=v2.6.2
time="2018-02-10T18:11:40Z" level=info msg="listening on [::]:443, tls" go.version=go1.7.6 instance.id=b853ef27-e557-48e3-97e0-77ce32d46926 version=v2.6.2

How can I get docker login working, with or without insecure-registry?


(Awardsolutionsuser) #2

Finally figured this out on my own:
a. On the client: cp domain.crt to /usr/local/share/ca-certificates/, then update-ca-certificates && service docker restart

b. On the server: create daemon.json with the insecure-registry stuff, then start the registry container with the following:
docker run -d \
  --restart=always \
  --name registry \
  -v /certs:/certs \
  -v /auth:/auth \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry:2.6.2

Now remote login/push/pull works correctly.
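The failure in the first post and the fix in this reply, reproduced in-process as an added Go example (not code from the thread, from Docker or from the registry project): it issues a self-signed certificate for the constructed hostname private-image-repo, the way the registry docs' openssl step produces domain.crt, serves the registry's /v2/ version check (the first request docker login makes) over TLS, and then probes it the three ways that matter. An empty trust store stands for a client that never received domain.crt and yields "x509: certificate signed by unknown authority" while the server side logs "remote error: tls: bad certificate"; loading domain.crt into the pool is the in-process equivalent of the update-ca-certificates step (or of placing it at /etc/docker/certs.d/<host>/ca.crt); the third probe uses a name the cert was not issued for, to show that the name typed into docker login must match the cert's SAN. The fake server, the hostname and other-name.example are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

const registryHost = "private-image-repo" // constructed; mirrors the thread's docker login target

// startFakeRegistry stands in for the openssl step plus the registry container: it issues a
// self-signed cert for hostname, serves /v2/ over TLS and returns the server and domain.crt (PEM).
func startFakeRegistry(hostname string) (*httptest.Server, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{hostname}, // Go checks the SAN, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the cert is its own root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Docker-Distribution-API-Version", "registry/2.0")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	return srv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// trustStore loads domain.crt into a client trust pool (the update-ca-certificates step in-process).
func trustStore(domainCrt []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(domainCrt) {
		return nil, errors.New("domain.crt holds no parsable certificate")
	}
	return pool, nil
}

// probe runs the version check with the given trust pool, verifying the server cert
// against serverName, the name typed into docker login.
func probe(baseURL, serverName string, roots *x509.CertPool) error {
	cfg := &tls.Config{ServerName: serverName, RootCAs: roots, MinVersion: tls.VersionTLS12}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(baseURL + "/v2/")
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// classify maps the client-side error to the symptom seen in the thread.
func classify(err error) string {
	var unknownCA, badName = x509.UnknownAuthorityError{}, x509.HostnameError{}
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "unknown-authority" // "x509: certificate signed by unknown authority"
	case errors.As(err, &badName):
		return "hostname-mismatch" // the cert was not issued for the name logged into
	default:
		return "other: " + err.Error()
	}
}

func main() {
	srv, domainCrt, err := startFakeRegistry(registryHost)
	if err != nil {
		panic(err)
	}
	defer srv.Close()
	// Empty pool: a client that never got domain.crt (the server logs "remote error: tls: bad certificate").
	fmt.Println("no domain.crt:  ", classify(probe(srv.URL, registryHost, x509.NewCertPool())))
	trusted, err := trustStore(domainCrt)
	if err != nil {
		panic(err)
	}
	fmt.Println("domain.crt:     ", classify(probe(srv.URL, registryHost, trusted)))
	fmt.Println("wrong hostname: ", classify(probe(srv.URL, "other-name.example", trusted)))
}
```

Two points the example makes explicit. First, only the client's trust store decides the outcome: insecure-registries in daemon.json is a setting of the daemon that does the pull or push, telling it to accept a registry it cannot verify, so it does nothing on the registry host's own daemon, and once domain.crt is trusted on the client it is not needed at all. Second, the cert has to be issued for the exact name used in docker login; a cert for a different name fails even when it is trusted. On the real host the equivalent check is openssl s_client -connect private-image-repo:443 -CAfile domain.crt, which should end with Verify return code: 0 (ok).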