Docker Community Forums


Self-signed private registry: Error ==> certificate signed by unknown authority


(Ajnouri) #1

Testing the private registry in my test lab.

Configured the docker node name to resolve with local domain (local BIND server)

The node resolves from other hosts in the system

CLI:/# ping dockerstd1.ajnouri.com
PING dockerstd1.ajnouri.com (192.168.0.149) 56(84) bytes of data.
64 bytes from 192.168.0.149 (192.168.0.149): icmp_seq=1 ttl=64 time=7.30 ms
64 bytes from 192.168.0.149 (192.168.0.149): icmp_seq=2 ttl=64 time=2.35 ms
64 bytes from 192.168.0.149 (192.168.0.149): icmp_seq=3 ttl=64 time=21.2 ms
^C
--- dockerstd1.ajnouri.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.352/10.310/21.271/8.010 ms

CLI:/# ping myregistry.ajnouri.com
PING myregistry.ajnouri.com (192.168.0.149) 56(84) bytes of data.
64 bytes from 192.168.0.149 (192.168.0.149): icmp_seq=1 ttl=64 time=11.1 ms
64 bytes from 192.168.0.149 (192.168.0.149): icmp_seq=2 ttl=64 time=7.39 ms
64 bytes from 192.168.0.149 (192.168.0.149): icmp_seq=3 ttl=64 time=11.4 ms
64 bytes from 192.168.0.149 (192.168.0.149): icmp_seq=4 ttl=64 time=16.9 ms
^C
--- myregistry.ajnouri.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 7.392/11.715/16.902/3.393 ms
CLI:/#
locally on the docker node itself:

[ajn@dockerstd1 ~]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.0.149 dockerstd1.ajnouri.com dockerstd1
192.168.0.149 myregistry.ajnouri.com myregistry

Created the directories auth & certs
Generated the key & the signed certificate

openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/dockerrepo.key -x509 -days 365 -out certs/dockerrepo.crt -subj /CN=myregistry.ajnouri.com
Generating a 4096 bit RSA private key
…++
…++
writing new private key to 'certs/dockerrepo.key'


ls -la certs
total 8
drwxrwxr-x. 2 ajn ajn 50 Jan 24 23:41 .
drwx------. 4 ajn ajn 152 Jan 24 23:48 ..
-rw-rw-r--. 1 ajn ajn 1822 Jan 24 23:41 dockerrepo.crt
-rw-rw-r--. 1 ajn ajn 3272 Jan 24 23:41 dockerrepo.key

Created /etc/docker/certs.d/myregistry.ajnouri.com:500 directory & copied the dockerrepo.crt as ca.crt

[root@dockerstd1 ajn]# cd /etc/docker/certs.d/myregistry.ajnouri.com:500
[root@dockerstd1 myregistry.ajnouri.com:500]# ls
ca.crt
[root@dockerstd1 myregistry.ajnouri.com:500]#

Pulled registry:2 and generated the password:

docker pull registry:2
docker run --entrypoint htpasswd registry:2 -Bbn test password > auth/htpasswd

[ajn@dockerstd1 ~]$ cat auth/htpasswd
test:$2y$05$/BOR/wulAZPapwcZDIj.LugyqdtyFby29zb9jmblhEbN9tW8hWnV6

[ajn@dockerstd1 ~]$

Run the registry with all the parameters:

[ajn@dockerstd1 ~]$ docker run -d -p 5000:5000 -v /home/ajn/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dockerrepo.crt -e REGISTRY_HTTP_TLS_KEY=/certs/dockerrepo.key -v /home/ajn/auth:/auth -e REGISTRY_AUTH=htpasswd -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/home/ajn/auth/htpasswd registry:2
2f03cf41e0f05f6d4eee30160af7128a402dd92d6bd4573475b88500b5e02de1
[ajn@dockerstd1 ~]$

pulled busybox

docker pull busybox

Using default tag: latest
latest: Pulling from library/busybox
57310166fe88: Pull complete
Digest: sha256:1669a6aa7350e1cdd28f972ddad5aceba2912f589f19a090ac75b7083da748db
Status: Downloaded newer image for busybox:latest

Tagged it

docker tag busybox myregistry.ajnouri.com:5000/my-busybox
[ajn@dockerstd1 ~]$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest 5b0d59026729 31 hours ago 1.15MB
myregistry.ajnouri.com:5000/my-busybox latest 5b0d59026729 31 hours ago 1.15MB
registry 2 d1fd7d86a825 2 weeks ago 33.3MB

So far it looks OK.


But when I try to log in:

docker login myregistry.ajnouri.com:5000/my-busybox
Username: test
Password:
Error response from daemon: Get https://myregistry.ajnouri.com:5000/v2/: x509: certificate signed by unknown authority


(Eldeberde) #2

Hi, in the client can you do that:

Copy certificate to

/usr/local/share/ca-certificates/.

run command: update-ca-certificates && service docker restart

Regards


(Ajnouri) #3

Thanks for your reply @eldeberde.

Ok, solved the issue. I've tried to spot all the issues I encountered and it was a conglomerate : )

1) Error in the directory name containing the certificate: no need to escape ":"
2) After each change in the certificate, I didn't restart the docker daemon.
3) Errors in the variables passed to the registry container: REGISTRY_AUTH_HTPASSWD_PATH needs to refer to the container path, not the docker node path (/auth/htpasswd NOT /home/ajn/auth/htpasswd)


[ajn@dockerstd1 ~]$ docker login myregistry.ajnouri.com:5000/my-busybox

Username: test
Password:
Login Succeeded
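A corrected end-to-end version of the setup from this thread, as an added example rather than anyone's posted commands: the two helper functions encode the certs.d naming rule (mistake 1) and the container-side htpasswd path (mistake 3), and the full procedure, which restarts the daemon (mistake 2), only runs when SETUP_REGISTRY=1 is set because it needs root, openssl and docker. The host/port/base values, the function names and the SAN extension are my assumptions, not taken from the posts.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the layout from post #1
# (/home/ajn/certs and /home/ajn/auth) and a systemd host; names are mine.

# (1) Docker reads /etc/docker/certs.d/<host>:<port>/ca.crt for a registry,
#     taking <host>:<port> verbatim from the image reference (no escaping).
certs_dir_for() {
    hostport=${1%%/*}   # "myregistry.ajnouri.com:5000/my-busybox" -> "myregistry.ajnouri.com:5000"
    printf '/etc/docker/certs.d/%s\n' "$hostport"
}

# (3) REGISTRY_AUTH_HTPASSWD_PATH must be the path *inside* the container.
#     Map a host path through the "-v host_dir:container_dir" mount.
container_path() {
    host_path=$1 host_dir=${2%%:*} ctr_dir=${2#*:}
    case $host_path in
        "$host_dir"/*) printf '%s/%s\n' "$ctr_dir" "${host_path#"$host_dir"/}" ;;
        *) echo "error: $host_path is outside the mount $host_dir" >&2; return 1 ;;
    esac
}

# Full procedure; needs root, openssl >= 1.1.1 (for -addext) and docker,
# so it only runs when SETUP_REGISTRY=1 is set in the environment.
setup_registry() {
    host=$1 port=$2 base=$3
    mkdir -p "$base/certs" "$base/auth"
    # SAN as well as CN: current Docker/Go clients reject a CN-only certificate.
    openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$base/certs/dockerrepo.key" -out "$base/certs/dockerrepo.crt"
    dir=$(certs_dir_for "$host:$port/any")
    mkdir -p "$dir" && cp "$base/certs/dockerrepo.crt" "$dir/ca.crt"
    systemctl restart docker   # (2) the daemon only picks up certs.d changes on restart
    docker run --entrypoint htpasswd registry:2 -Bbn test password > "$base/auth/htpasswd"
    docker run -d --name registry -p "$port:5000" \
        -v "$base/certs:/certs" -v "$base/auth:/auth" \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dockerrepo.crt \
        -e REGISTRY_HTTP_TLS_KEY=/certs/dockerrepo.key \
        -e REGISTRY_AUTH=htpasswd -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
        -e "REGISTRY_AUTH_HTPASSWD_PATH=$(container_path "$base/auth/htpasswd" "$base/auth:/auth")" \
        registry:2
    docker login "$host:$port"   # log in to the registry host:port
}

if [ "${SETUP_REGISTRY:-0}" = 1 ]; then
    setup_registry myregistry.ajnouri.com 5000 /home/ajn
fi
```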