Docker Community Forums


Tls: failed to parse certificate from server: x509: unsupported elliptic curve


(Renaud) #1

Hello,

I am trying to build a private registry based on docker/distribution (registry:2). I want to use self-generated certificates to authenticate the docker client to the registry (in fact a private PKI). According to the docs I added my ca.crt to /etc/docker/certs.d/myregistry.net:5000.

I also added the root CA (+ intermediate) to the trusted keystore on the system.

From the registry perspective, I put an nginx reverse proxy in front of the registry to do the auth.

Now my issue happens when I try to log in to the registry:

# docker login https://myregistry.net:5000/v1/
Username: d
Password:
Email: a
Error response from daemon: invalid registry endpoint https://myregistry.net:5000/v2/: Get https://myregistry.net:5000/v2/: tls: failed to parse certificate from server: x509: unsupported elliptic curve. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry myregistry.net:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/myregistry.net:5000/ca.crt

Here is my ca.crt:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: [obfuscate]
        Validity
            Not Before: Dec 20 19:45:00 2014 GMT
            Not After : Dec 18 13:52:00 2024 GMT
        Subject: [obfuscate]
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (192 bit)
                pub:
                    04:75:2c:fe:73:8a:78:49:12:1d:2a:7e:77:df:83:
                    2a:84:0c:60:06:2b:54:16:e2:ca:36:20:33:66:a6:
                    64:3f:12:39:47:55:a2:5a:19:35:39:b1:04:06:25:
                    ed:01:9d:f1
                ASN1 OID: prime192v1
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                E3:DC:EE:EF:77:EB:63:FD:E5:F6:90:47:CB:4F:41:DB:23:87:3C:00
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            Netscape Comment:
                xca certificate
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:1c:0e:9b:b7:be:60:51:88:98:a6:44:e2:e7:ac:
         c9:6e:09:e2:10:31:2c:3a:1c:af:a1:5e:63:97:f0:17:42:e5:
         02:20:2a:b0:cc:fb:5b:11:99:6d:23:4c:4e:2e:71:fa:2b:cb:
         0b:4b:18:94:76:60:da:9e:4b:b4:29:23:43:6c:78:74

and here is the certificate used by the registry:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: [obfuscate]
        Validity
            Not Before: Oct 4 17:49:00 2015 GMT
            Not After : Oct 3 17:49:00 2016 GMT
        Subject: [obfuscate]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c6:af:90:8a:58:30:32:8a:fb:7a:c2:40:d0:27:
                    6c:b9:41:d1:a2:5c:c1:49:bd:6d:df:06:8f:29:6b:
                    a0:b6:5a:7f:df:7a:7f:24:5d:7d:5b:2d:87:c0:e5:
                    97:be:38:e0:10:17:e4:b6:b9:c6:c4:42:a9:db:2d:
                    47:8e:db:e8:3a:7a:a0:f0:20:14:b3:f5:65:20:c4:
                    3e:33:e1:9c:5a:a2:04:8e:66:9e:22:98:d9:e0:19:
                    49:7b:ba:50:07:77:92:68:bd:2c:e2:e4:55:80:c0:
                    6e:68:82:92:b8:bb:30:2b:18:14:4b:c8:a9:d4:11:
                    50:eb:70:f7:b6:b4:72:3c:66:e8:c1:eb:7c:49:fb:
                    92:b2:88:4b:0c:6b:57:61:fd:30:37:ac:f0:22:ae:
                    fa:07:0a:10:d2:57:87:71:55:67:46:ab:3e:94:46:
                    6e:2c:23:e1:69:2c:ce:25:45:70:cc:8d:b9:75:1b:
                    a6:ed:6f:d2:03:b8:a9:6c:ee:0a:fa:94:6b:1e:58:
                    ab:d4:42:9d:bf:0d:10:5f:79:51:36:fe:63:d4:34:
                    25:e2:0e:76:d9:f6:bc:3a:7c:c5:a1:ea:42:65:00:
                    ad:e3:5d:bf:4c:3d:b5:00:98:00:e2:ca:42:b0:11:
                    cf:e8:6d:be:68:92:8b:e6:6d:73:f2:13:ef:08:28:
                    1b:bd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                3F:EF:66:88:7E:8D:58:A4:CD:17:B3:67:F1:03:C7:9F:B2:7E:61:92
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: ecdsa-with-SHA256
         30:35:02:19:00:c2:22:c8:e3:49:d7:94:2f:dd:77:40:cb:e7:
         de:83:b3:d4:fc:2c:82:ec:12:c2:7b:02:18:0c:79:55:13:38:
         d1:85:aa:3f:8c:ea:46:ee:df:fe:93:2e:5e:ad:b7:9b:7d:a4:
         35

So if I understand correctly, ECC is used for the CA but not for the registry certificate itself.

I'm a bit lost on what to do. I'm not an X.509 expert, so if someone in the group has an idea :wink:

Best regards,

Renaud
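The CA above carries a prime192v1 (P-192) key; Go's crypto/x509, which the Docker daemon uses for TLS, only parses ECDSA keys on P-224, P-256, P-384 and P-521, so that CA trips exactly the "x509: unsupported elliptic curve" error quoted, even though the server certificate itself is RSA. As an added example that is not part of the thread, the script below reads `openssl x509 -text` dumps like the ones posted and flags every certificate whose curve the daemon would reject; the embedded dump is constructed to mirror the posted fields, and the curve list is the one Go accepts.

```python
import re

# Curves that Go's crypto/x509 (which the Docker daemon uses) accepts for
# ECDSA public keys. Any other named curve makes parsing fail with
# "x509: unsupported elliptic curve" before the signature is even checked.
GO_SUPPORTED_CURVES = {"secp224r1", "prime256v1", "secp384r1", "secp521r1"}

# Constructed excerpt of `openssl x509 -text -noout` output mirroring the CA
# and server certificates posted above (hex bodies omitted).
SAMPLE_CHAIN_DUMP = """\
Certificate:
    Data:
        Subject: CN=[obfuscate]
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (192 bit)
                ASN1 OID: prime192v1
    Signature Algorithm: ecdsa-with-SHA256
Certificate:
    Data:
        Subject: CN=myregistry.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: ecdsa-with-SHA256
"""

def inspect_cert_dump(text):
    """Classify one -text dump: subject, key algorithm, curve, Go-parsable."""
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    curve = re.search(r"ASN1 OID:\s*(\S+)", text)
    subject = re.search(r"^\s*Subject:\s*(.+)$", text, re.MULTILINE)
    info = {
        "subject": subject.group(1).strip() if subject else "?",
        "key_algorithm": alg.group(1) if alg else "?",
        "curve": curve.group(1) if curve else None,
    }
    if info["key_algorithm"] == "id-ecPublicKey":
        info["go_parsable"] = info["curve"] in GO_SUPPORTED_CURVES
    else:
        # RSA and other non-EC keys never reach Go's named-curve check.
        info["go_parsable"] = True
    return info

def chain_problems(text):
    """Subjects in a concatenated -text dump whose key Go cannot parse."""
    blocks = re.split(r"^Certificate:\s*$", text, flags=re.MULTILINE)
    certs = [inspect_cert_dump(b) for b in blocks if b.strip()]
    return [c["subject"] for c in certs if not c["go_parsable"]]
```

Feed it the output of `openssl s_client -showcerts ... | openssl x509 -text -noout` for each PEM block in the chain; an empty result means every key in the chain is one the daemon can parse, and any subject it returns is the certificate to re-issue on a supported curve.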


(Jeff Anderson) #2

What happens if you do:

curl -v https://myregistry.net:5000/

or

openssl s_client -connect myregistry.net:5000 -showcerts < /dev/null

Do you get a similar error message about the elliptic curve? What commands did you run when you generated this certificate?

/Jeff


(Renaud) #3

Hello Jeff,

I finally changed the root certificate used to generate the “myregistry.net” certificate. The only difference between both certificates is the signature algorithm.

In the first one (where I got this problem), the root certificate uses ecdsa-with-sha256; with the new one (which works) it uses sha256WithRSAEncryption.

It confirms a problem with certificates generated using ECDSA.

About the commands you asked about: I ran them before your reply, but I didn't keep the output. From memory, curl worked fine without any warnings or errors.

Cheers,
Renaud