{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 萌系小妹纸 的问题《Docker registry login fails with “Certificate sign》','https://www.manongdao.com/q-485244.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm am running a private docker registry on ubuntu using S3 for storage. I'm having issues getting docker login/push/pull commands to work over SSL. I'm using Nginx in front of Gunicorn to run the registry. It works without any issues over HTTP, but after switching to HTTPS for a prod system, it throws the following error from the client docker login.
Invalid Registry endpoint: x509: certificate signed by unknown authority
I have purchased a rather cheap PositiveSSL certificate from Commodo to use for this. I have ensured the root CA and intermediate CA's are installed on the Ubuntu system running the registry. The following is my nginx configuration for the server
# Default nginx site to run the docker registry
upstream docker-registry {
server localhost:5000;
}
server {
listen 443;
server_name docker.ommited.net;
ssl on;
ssl_certificate /etc/ssl/docker-registry.crt;
ssl_certificate_key /etc/ssl/docker-registry.key;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
location / {
proxy_pass http://localhost:5000/;
}
}
I'm trying to figure out how to get docker to properly recognize the cert, or ignore the certificate warning. I'm running docker-registry version v0.7.3, the particular client I'm using is Docker version 1.1.2, build d84a070. on a side note, when visiting the registry in a browser, the cert is properly recognized. any help pointing me in the right direction would be greatly appreciated!
If you are on mac, simply add the registry to the
insecure-registriessetting in~/.docker/daemon.json:{ "debug" : true, "experimental" : true, "registry-mirrors" : [], "insecure-registries" : ["registry.your.domain.de"] }In case you do a mistake somewhere (I forgot a comma in the JSON) some issues afterwards with starting up the docker daemon might arise. Namely any docker command throwing an
Error response from daemon: Bad response from Docker engine. A few restarts and resets later that resolved itself.For cheap / lesser known certs like the COMODO or StartSSL ones, you need to add the entire certificate chain into the certificate file you are using with nginx. Many operating systems don't trust the intermediate CAs, just the root CA, so you need to fill in the missing steps between the certificate for your host and the root CA that is trusted by the OS.
In the e-mail you received your certificate with, you should also find links to the intermediate CAs and the root CA. Open the
docker-registry.crtfile, scroll to the bottom, and append the intermediate CAs and, finally, the root CA certificate for the PositiveSSL chain. Once you've done that, restart nginx. You should now be good to go.For RHEL hosts, you can add the CA cert to the PKI CA list on the client host:
From https://www.happyassassin.net/2014/09/06/adding-your-freeipa-servers-ca-certificate-to-the-system-wide-trust-store-on-fedora-and-rhel/