Unable to push/pull to private docker registry over TLS

I have a private registry installed on a remote server which can be accessed over TLS.
I have client certificates that can connect to the registry remotely successfully.
I verified the client certificate using the curl command as follows:

\curl.exe  --cacert .\ca.crt --key .\domain.key --cert .\domain.cert "https://10.25.235.235:32010/v2/_catalog"

Curl returned 200 OK with {"repositories":[]} so I am sure the certificates are correct.

Steps:
Install certificates at ~/.docker/certs.d/10.25.235.23532010:

  1. followed the documentation at https://docs.docker.com/docker-for-windows/faqs/#how-do-i-add-client-certificates and copied my certificates to
    C:\Users\Administrator\.docker\certs.d\10.25.235.23532010 as ca.crt, client.cert, and client.key
    Please note I removed the colon “:” as Windows does not accept it. I got the hint to remove the colon from GitHub forums and the moby code on GitHub.
  2. restart Docker
  3. push the image: docker push 10.25.235.235:32010/nginx:latest
    I got the error tls: certificate signed by unknown authority

Install ca.crt:

  1. I clicked on ca.crt and installed the certificate under “Trusted Root Certification Authorities” in Windows
  2. restart Docker
  3. push the image: docker push 10.25.235.235:32010/nginx:latest
    I got the error tls: bad certificate

Copy certificates to “C:\ProgramData\docker\certs.d\10.25.235.23532010”:
I followed the same steps to restart Docker and push the image, and I am getting the same TLS errors.

Please advise what should be done to push images to a private registry from Docker Desktop on Windows.

Docker version

Client: Docker Engine - Community
 Version:           18.09.2
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        6247962
 Built:             Sun Feb 10 04:12:31 2019
 OS/Arch:           windows/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.2
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       6247962
  Built:            Sun Feb 10 04:13:06 2019
  OS/Arch:          linux/amd64
  Experimental:     false
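As an added example, not code from this thread or from Docker, the script below lints a certs.d directory for the layout Docker documents on Linux/macOS: the directory is named after the registry as written in the image reference (host:port), every *.crt file is treated as a CA certificate, and a client certificate must be a *.cert file paired with a *.key of the same name. The Windows colon handling from the question is not modelled, and the sample directories are constructed in a temporary folder with empty files.

```python
"""Lint a Docker certs.d directory for a private registry (added example)."""
import os
import tempfile


def registry_from_reference(ref):
    """Return the registry Docker would contact for an image reference.

    Docker treats the first path component as a registry only when it
    contains a '.' or ':' or is 'localhost'; otherwise it means Docker Hub.
    """
    first, sep, _rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def lint_certs_dir(path):
    """Return findings explaining why Docker might not trust or send a cert."""
    findings = []
    names = set(os.listdir(path))
    cas = [n for n in names if n.endswith(".crt")]
    certs = {n[:-5] for n in names if n.endswith(".cert")}
    keys = {n[:-4] for n in names if n.endswith(".key")}
    if not cas:
        findings.append("no *.crt CA file: expect 'certificate signed by unknown authority'")
    if not certs:
        findings.append("no *.cert client certificate: Docker sends no client cert "
                        "(server may answer 'bad certificate' or HTTP 400)")
    for stem in sorted(certs - keys):
        findings.append(f"{stem}.cert has no matching {stem}.key")
    for stem in sorted(keys - certs):
        findings.append(f"{stem}.key has no matching {stem}.cert "
                        f"(a client cert named {stem}.crt is read as a CA instead)")
    for n in sorted(names):
        if not n.endswith((".crt", ".cert", ".key")):
            findings.append(f"{n}: unrecognised extension, ignored by Docker")
    return findings


def build_sample_dir(filenames):
    """Create a constructed certs.d/<registry> folder with empty placeholder files."""
    path = tempfile.mkdtemp(prefix="certs.d-")
    for name in filenames:
        open(os.path.join(path, name), "w").close()
    return path


if __name__ == "__main__":
    reg = registry_from_reference("10.25.235.235:32010/nginx:latest")
    print("registry directory name:", reg)
    print(lint_certs_dir(build_sample_dir(["ca.crt", "client.crt", "client.key"])))
```

Run it against the real ~/.docker/certs.d/<registry> directory by replacing the constructed folder with that path.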

I recently spent 3 days with the same issue.

What solved it for me was to not use the certs.d catalog but instead I passed the certificates to my registry using environment variables. (I believe I even had to remove the certs.d folder itself…)

So this is an example of how I start my registry:

docker run -d --restart=always --name registry -v <local certs path>:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:443 registry:2

Make sure that the certificates you’ve got have been issued to your domain name and not “domain”. Install the root cert on the “client” machines.

P.S. I was never able to push to and pull from the registry on the server it ran on, but I got it working from other machines which had the CA root cert installed.

Good luck!

/Wit

Thanks for your suggestion.
I was able to run the registry on my cluster (Kubernetes) using TLS certificates, which require two-way SSL from the Docker client in order to pull/push images from the client.

My use case requires pulling/pushing images from a Windows-based Docker client to the remote registry using SSL certs. I am able to curl my remote repository using the TLS certs, so I know my certificates are correct.

It’s just that my Docker daemon running on the Windows OS is not picking up those client certs which are required to pull/push images to a secure registry. By the way, I tried a similar process on Linux and macOS and I was able to pull/push images.

Thanks
Shalin.

I’m also using the Windows-based Docker client (Docker Desktop + WSL docker client) and I can confirm that I’ve got it working with that setup (I’m not using Kubernetes, however). All I needed to do was install my root cert in Windows and WSL picked it up. Of course I also had to forward the Docker client to work with Docker Desktop:

in .bashrc

export DOCKER_HOST=tcp://localhost:2375

WSL kernel

$ uname -r
4.4.0-17763-Microsoft

Pushing to my registry

$ docker push my.registry.domain/ide:1
The push refers to repository [my.registry.domain/ide]
ef7b97c7ce9e: Pushed
6d60848c86cd: Pushed
fbfce63fbe32: Pushed
a4eaa1c19a1c: Pushed
f835db2a1339: Pushed
1c7994c6cb7b: Pushed
d6dc66da6e2d: Pushed
1a50a67e95f4: Pushed
66283618bfd6: Pushed
1e9b8854e536: Pushed
bb157d85e5a5: Pushed
0f6b5c740e1e: Pushed
39837f16dc5d: Pushed
c65b932a768e: Pushed
b921de34e80a: Pushed
7660ded5319c: Mounted from ubuntu
94e5c4ea5da6: Mounted from ubuntu
5d74a98c48bc: Mounted from ubuntu
604cbde1a4c8: Mounted from ubuntu
1: digest: sha256:f22af1c7a938ae47f784b4f3affaf43318cb2c18b50a6bf7f1eb5964051a65f7 size: 4285

/Wit

Hi,

I’ve installed Docker Desktop on my machine but I can’t get this working properly. It is not sending the required client certs.

I followed the installation instructions on https://nickjanetakis.com/blog/setting-up-docker-for-windows-and-wsl-to-work-flawlessly. I set DOCKER_HOST=tcp://localhost:2375 in .bashrc as described in the instructions. This is the environment info:

  • WSL kernel: 4.4.0-19041-Microsoft

  • Docker version: 19.03.5, build 633a0ea838

  • docker-compose version: 1.25.0, build b42d419

  • Windows subsystem: Ubuntu 18.04

And the docker info output looks as follows:

$ docker info
Client:
Debug Mode: false

Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 19.03.5
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 4.9.184-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.855GiB
Name: docker-desktop
ID: LBEI:GH4N:I5GO:CBAA:FQJ7:34RT:XFEC:MPXW:CXLN:3MGM:GJBL:I4JI
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 28
Goroutines: 42
System Time: 2019-12-18T09:09:01.2426757Z
EventsListeners: 1
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

I have also installed the client certificate in the Windows trust store. Git is actually running correctly with this client certificate. It seems as if Docker is not picking up the certificate to use it during the connection.

When I try to pull an image from the registry I get this error:

Pulling xyz-controller (extern.abc.com/org-docker/car-services/car-configuration:current)...
ERROR: error parsing HTTP 400 response body: invalid character '<' looking for beginning of value: "<html>\r\n<head><title>400 No required SSL certificate was sent</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>400 Bad Request</h1></center>\r\n<center>No required SSL certificate was sent</center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"

Does anybody have a hint for me? I have already spent 2 days trying to get Docker pulling from the registry without success.

Could you solve your problem? I have been searching for the solution for a few days, but I have no idea how to solve this issue.