Docker Community Forums

Spinning my wheels with DTR - Certificates and Remote Login


(Michael Wilde) #1
  • Installed DTR on the root of my domain… say “supernerd.com” (not the domain… but follow me).
  • Have the SSL certs installed and they are valid. How do I know? My browser says they are valid.
  • The DTR web interface works just fine.

Attempt to login to DTR from my laptop results in:

bash-3.2$ docker login supernerd.com
Username: admin
Password:
Email:
Error response from daemon: invalid registry endpoint https://supernerd.com/v0/: unable to ping registry endpoint https://supernerd.com/v0/
v2 ping attempt failed with error: Get https://supernerd.com/v2/: x509: certificate signed by unknown authority
 v1 ping attempt failed with error: Get https://supernerd.com/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry socialsplunk.com` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/supernerd.com/ca.crt

So… that’s odd, because GoDaddy is a known CA. So whatever, that’s cool. I grab GoDaddy’s cert, stick it in /etc/docker/certs.d/supernerd.com and call it “ca.crt”. I even run
openssl x509 -in ca.crt -text -noout
just to check. Totally valid. Even restarted DTR and the whole Docker service.

Still failure. Everything in Docker is easy or solvable. This isn’t… why? Any clue?


(Kevin Finley) #2

In the DTR admin, you have to have the intermediate certificate and certificate in the correct order.

You can check this by running
openssl s_client -connect supernerd.com:443 < /dev/null | openssl x509 -text

Correct order is as follows:

-----BEGIN CERTIFICATE-----
Maa92tydhoetd … My certificate …
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Mab3onNNdofd … Intermediate certificate …
-----END CERTIFICATE-----
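
A way to check that ordering before pasting a bundle into the DTR admin, added here as an example and not part of the original thread. The function names, file names and throwaway demo certificates are assumptions made for illustration; the check compares issuer and subject names only, not signatures.

```shell
#!/bin/sh
# Added example: verify a PEM bundle is ordered leaf first, then its issuer(s).
# Names only: issuer of cert N must equal subject of cert N+1.

check_chain_order() {  # usage: check_chain_order bundle.pem
  tmp=$(mktemp -d) || return 2
  # Split the bundle into one file per certificate, in the order they appear.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$1"
  [ -f "$tmp/c1.pem" ] || { echo "no certificate found in $1"; rm -rf "$tmp"; return 2; }
  i=1
  rc=0
  # A bundle holding a single certificate has nothing to compare and passes.
  while [ -f "$tmp/c$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/c$i.pem")
    next=$(openssl x509 -noout -subject_hash -in "$tmp/c$((i + 1)).pem")
    if [ "$issuer" != "$next" ]; then
      echo "cert $i was not issued by cert $((i + 1)): bundle is out of order"
      rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return $rc
}

make_demo_chain() {  # usage: make_demo_chain dir  (constructed throwaway certs)
  ( cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
      -keyout root.key -out root.pem 2>/dev/null
    issue() {  # issue <name> <signer> <CN>
      openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
      openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
    }
    issue inter root "Demo Intermediate"
    issue leaf inter "registry.example.test"
    cat leaf.pem inter.pem > good.pem     # my certificate, then intermediate
    cat inter.pem leaf.pem > swapped.pem  # intermediate first: wrong order
  )
}

demo=$(mktemp -d) && make_demo_chain "$demo"
check_chain_order "$demo/good.pem" && echo "good.pem: order OK"
check_chain_order "$demo/swapped.pem" || echo "swapped.pem: rejected"
rm -rf "$demo"
```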