Docker Community Forums

Share and learn in the Docker community.

Self-signed certificate using domain with docker 1.12.1 does not work. Curl works

docker

(Asmallfurrywombat) #1

hi all…

I’m trying to do a docker push to a private registry service running on docker 1.12.1 swarm. The directions I’m using are at https://docs.docker.com/registry/insecure/#using-self-signed-certificates. The registry service is running with a self-signed certificate and a curl works once the certificate has been registered with the OS (El Capitan) and an entry is added to /etc/hosts:

192.168.99.100 myregistrydomain.com

where 192.168.99.100 is the Tiny Core linux VM which hosts the registry instance.

A curl works.

curl -v --cacert /tmp/certs/cert.pem https: //myregistrydomain.com:5000/v2/_catalog

GET /v2/_catalog HTTP/1.1
Host: myregistrydomain.com:5000
User-Agent: curl/7.43.0
Accept: /

< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
< X-Content-Type-Options: nosniff
< Date: Fri, 23 Sep 2016 06:45:35 GMT
< Content-Length: 20
<
{“repositories”:[]}

When i try a docker push, however, it fails:

docker pull alpine
docker tag alpine myregistrydomain.com/alpine
docker push myregistrydomain.com/alpine
The push refers to a repository [myregistrydomain.com/alpine]
Get https: //myregistrydomain.com/v1/_ping: dial tcp: lookup myregistrydomain.com on 10.0.2.3:53: no such host

I suspect that the documentation is really just using ‘myregistrydomain.com’ as an example rather than an absolute requirement. I don’t think an engineer would hardwire a specific name into the infrastructure. My suspicion is that ‘myregistrydomain.com’ is hitting the internal docker networking stack and the DNS lacks an entry for it.

That said, I did try using the barebones IP address and, once again, curl was happy but docker balked:

docker push myregistrydomain.com/alpine
The push refers to a repository [192.168.99.100:5000/alpine]
Get https: //192.168.99.100:5000/v1/_ping: x509: certificate signed by unknown authority

I suspect my experiment with myregistrydomain.com isn’t getting this far, unless there is an up-front issue with IP addresses.

Any help would be appreciated… it seems to be a common issue, but Docker is changing rapidly so I’m not sure if earlier attempts are still relevant. I would prefer not to use the insecure flag.

thanks!


(Asmallfurrywombat) #2

Dipped into it again for a bit today. I see some interesting use of dnsmasq to flexibly change the docker DNS, i.e. https://adrianperez.org/improving-dev-environments-all-the-http-things/, but nothing for docker 1.12 swarm mode yet.