Docker Community Forums

Trusted Registry Certificates and pushing


(Maspen) #1

I have the trial Docker Datacenter & am working through installing everything on Ubuntu 14.

I have been helplessly stuck on the Trusted Registry, Security Configuration part.

I went through the instructions and when I try to push an image to my registry, I get “unauthorized: authentication required”.

Here are the steps & output:

maspen@maspen-VirtualBox:~$ export DOMAIN_NAME=mattzregistry.com
maspen@maspen-VirtualBox:~$ openssl s_client -connect $DOMAIN_NAME:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee /usr/local/share/ca-certificates/$DOMAIN_NAME.crt
[sudo] password for maspen:
-----BEGIN CERTIFICATE-----
MIIFszCCA5ugAwIBAgIQYVw2yX3du0ABwl+3vu7iszANBgkqhkiG9w0BAQsFADBj
MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGRG9ja2VyMQ8wDQYDVQQLEwZEb2NrZXIx

m9+xRehv3diu+SmC6QtaKGEn1CWVQayeZqnn+Auwv9jaY6rIDxlFYh3N5fK7Ql9h
mA0dwBVtlEzjxIgvtH/0QpxN/tzPDDg=
-----END CERTIFICATE-----
maspen@maspen-VirtualBox:~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs… 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d…done.
maspen@maspen-VirtualBox:~$ sudo service docker restart
docker stop/waiting


BUT, when I try this:

maspen@maspen-VirtualBox:~$ openssl s_client -connect mattzregistry.com:443 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=0 C = US, O = Docker, OU = Docker, L = San Francisco, CN = mattzregistry.com
verify return:1

Certificate chain
0 s:/C=US/O=Docker/OU=Docker/L=San Francisco/CN=mattzregistry.com
i:/C=US/O=Docker/OU=Docker/L=San Francisco/CN=mattzregistry.com

Server certificate
-----BEGIN CERTIFICATE-----
MIIFszCCA5ugAwIBAgIQYVw2yX3du0ABwl+3vu7iszANBgkqhkiG9w0BAQsFADBj
MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGRG9ja2VyMQ8wDQYDVQQLEwZEb2NrZXIx

m9+xRehv3diu+SmC6QtaKGEn1CWVQayeZqnn+Auwv9jaY6rIDxlFYh3N5fK7Ql9h
mA0dwBVtlEzjxIgvtH/0QpxN/tzPDDg=
-----END CERTIFICATE-----
subject=/C=US/O=Docker/OU=Docker/L=San Francisco/CN=mattzregistry.com
issuer=/C=US/O=Docker/OU=Docker/L=San Francisco/CN=mattzregistry.com

No client certificate CA names sent

SSL handshake has read 2394 bytes and written 421 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: DCBE2918783069947EC44C0EC14FE4B0BA6D43E1487188F5A982D867A85D8187
Session-ID-ctx:
Master-Key: DE1A0F67B01D3A9FF40E45D2E4D5F7842E19DB6B5E7F0844553540CAF862C2F10C32C662C82772D8FDE6AD4C4CA40525
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 600 (seconds)
TLS session ticket:

Start Time: 1461944283
Timeout   : 300 (sec)
Verify return code: 0 (ok)


BUT …
maspen@maspen-VirtualBox:~$ docker push mattzregistry.com/ci-infrastructure/jnkns-img
The push refers to a repository [mattzregistry.com/ci-infrastructure/jnkns-img]
8aa7c9104f61: Preparing
0b4552f54435: Preparing
ccb4451fcbd5: Preparing
5f70bf18a086: Preparing
8d084ff9d0ca: Preparing
81a8460354d4: Waiting
0c10288dc545: Waiting
e90ec4cf7a5e: Waiting
4d7019d0841d: Waiting
dbd88d5cad83: Waiting
593e1d032a76: Waiting
0f28b586be3b: Waiting
c58360ce048c: Waiting
0030e912789f: Waiting
0ece0aa9121d: Waiting
ef63204109e7: Waiting
694ead1cbb4d: Waiting
591569fa6c34: Waiting
998608e2fcd4: Waiting
c12ecfd4861d: Waiting
unauthorized: authentication required
maspen@maspen-VirtualBox:~$

The tech support people have been useless; pointing me back to the documentation.

Can anyone tell me what I’m doing wrong?

Where do I get the SSL certificate(s) and SSL key to copy/paste into the TR UI > security page?
On https://docs.docker.com/docker-trusted-registry/configure/config-security/ it says "You can use the self-signed certificate Docker Trusted Registry generates by default."
WHERE ARE THESE?
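
The session in the post shows two separate layers: `openssl s_client` ends with `Verify return code: 0 (ok)`, while `docker push` fails with a registry-level error. The script below is an added example, not part of the original post, that triages captured output by layer; the function names and the counter-example samples are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: decide which layer rejected a push, from captured output.

# Print the numeric code from the "Verify return code: N (...)" line of
# `openssl s_client` output on stdin (prints nothing if the line is absent).
tls_verify_code() {
  sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Classify `docker push` output on stdin by the error string it contains.
classify_push() {
  local out; out=$(cat)
  case "$out" in
    *"x509: "*) echo "tls-trust" ;;        # daemon could not verify the certificate
    *"unauthorized: authentication required"*) echo "registry-auth" ;;
    *"denied: "*) echo "registry-authz" ;; # registry refused access to the repository
    *) echo "unknown" ;;
  esac
}

# $1 = s_client output, $2 = docker push output; prints a one-line diagnosis.
diagnose() {
  local code layer
  code=$(printf '%s\n' "$1" | tls_verify_code)
  layer=$(printf '%s\n' "$2" | classify_push)
  if [ "$layer" = "tls-trust" ] || { [ -n "$code" ] && [ "$code" != "0" ]; }; then
    echo "TLS: certificate not trusted (verify code ${code:-n/a})"
  elif [ "$layer" = "registry-auth" ]; then
    # The handshake verified; the registry is asking for credentials.
    echo "AUTH: TLS ok (verify code ${code:-n/a}), registry requires authentication"
  else
    echo "OTHER: ${layer} (verify code ${code:-n/a})"
  fi
}

# Constructed samples, abbreviated from the session in the post.
SCLIENT_OK='Start Time: 1461944283
Verify return code: 0 (ok)'
PUSH_UNAUTH='The push refers to a repository [mattzregistry.com/ci-infrastructure/jnkns-img]
unauthorized: authentication required'
# Constructed counter-example: an untrusted self-signed certificate.
SCLIENT_BAD='    Verify return code: 18 (self signed certificate)'
PUSH_X509='x509: certificate signed by unknown authority'

diagnose "$SCLIENT_OK" "$PUSH_UNAUTH"
diagnose "$SCLIENT_BAD" "$PUSH_X509"
```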