Question: TLS certificate #11

Closed
xiekeyang opened this issue Jun 5, 2015 · 8 comments

Comments

@xiekeyang

@rojer ,
I read #3, but I still have some confusion.
How do you generate the TLS certificate?
Is it via openssl genrsa and openssl req? I don't think so,
because the certificate's content is not accepted by docker distribution.
Could you please provide an example certificate?
Thanks a lot!

@DirkHeinke

Can you provide the config from your registry and the docker_auth? Both need the .pem file but only the docker_auth needs the .key.

openssl req -newkey rsa:2048 -nodes -keyout registry_auth.key -x509 -days 365 -out registry_auth.crt
Rename crt to pem and it works without problems. You have to rebuild the registry to let it use your .pem file for the auth process.

@xiekeyang
Author

@darkdirk
I just use the example config listed in examples/reference.yml as the Distribution config.

auth:
  token:
    realm: "https://127.0.0.1:5001/auth"
    service: "Docker registry"
    issuer: "Acme auth server"
    rootcertbundle: "/path/to/server.pem"

And I didn't change anything and directly use the original examples/simple.yml. Is that OK?
My purpose is only to test and run the auth server successfully.

@DirkHeinke

Sorry if I ask, but do you have the correct path in the distribution config? Mine looks like this

version: 0.1
log:
  level: debug
  fields:
    service: registry
    environment: development
storage:
    cache:
        layerinfo: inmemory
    filesystem:
        rootdirectory: /data/registry/
    maintenance:
        uploadpurging:
            enabled: false
auth:
  token:
    realm: "https://localhost:5001/auth"
    service: "Docker registry"
    issuer: "Super auth server"
    rootcertbundle: "/go/src/github.com/docker/distribution/certs/server.pem"
http:
    addr: :5000
    secret: xxxxxxxxxx

My docker_auth config:

server:
  addr: ':5001'
  certificate: /ssl/server.pem
  key: /ssl/server.key
token:
  issuer: Super auth server
  expiration: 900
users:
  [....]
acl:
  [....]

Both server.pem are the same. Perhaps you can also find some more information here: https://docs.docker.com/registry/configuration/
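The two configs above only work together because a handful of fields line up: the registry's realm points at the port docker_auth listens on, both sides spell the token issuer identically, and rootcertbundle is the same certificate docker_auth presents. The following script is an added example (not code from docker_auth or docker/distribution) that cross-checks a registry config against a docker_auth config and lists every mismatch. It assumes both files were loaded with `yaml.safe_load()` into dicts; to run offline, the dicts are embedded as constructed copies of the configs in this thread, plus a deliberately inconsistent one. The rule that docker_auth serves tokens at `/auth` on `server.addr` is taken from the posted configs, not from any documentation.

```python
from urllib.parse import urlparse

# Constructed stand-in for yaml.safe_load(open("registry/config.yml")), mirroring
# the working registry config posted above (only the auth section matters here).
REGISTRY_CFG = {
    "auth": {
        "token": {
            "realm": "https://localhost:5001/auth",
            "service": "Docker registry",
            "issuer": "Super auth server",
            "rootcertbundle": "/go/src/github.com/docker/distribution/certs/server.pem",
        }
    }
}

# Constructed stand-in for the docker_auth config posted above.
AUTH_CFG = {
    "server": {"addr": ":5001", "certificate": "/ssl/server.pem", "key": "/ssl/server.key"},
    "token": {"issuer": "Super auth server", "expiration": 900},
}

# Constructed, deliberately inconsistent registry config: plain-http realm on the
# wrong port, and the issuer string from examples/reference.yml instead of the
# one docker_auth is actually configured with.
BROKEN_REGISTRY_CFG = {
    "auth": {
        "token": {
            "realm": "http://127.0.0.1:5000/auth",
            "service": "Docker registry",
            "issuer": "Acme auth server",
            "rootcertbundle": "/path/to/server.pem",
        }
    }
}


def listen_port(addr: str) -> int:
    """Port part of a listen address such as ':5001' or 'localhost:5001'."""
    return int(addr.rsplit(":", 1)[1])


def check_pair(registry_cfg: dict, auth_cfg: dict) -> list:
    """Return mismatches between registry auth.token and docker_auth settings.

    An empty list means the pair lines up the way the working configs above do.
    Assumption: docker_auth serves tokens at /auth on server.addr, as in those configs.
    """
    problems = []
    token = registry_cfg.get("auth", {}).get("token")
    if token is None:
        return ["registry config has no auth.token section"]
    server = auth_cfg.get("server", {})
    auth_token = auth_cfg.get("token", {})

    realm = urlparse(token.get("realm", ""))
    # Clients fetch bearer tokens from the realm URL; the posted configs use https.
    if realm.scheme != "https":
        problems.append("realm %r must use https" % token.get("realm"))
    if realm.port != listen_port(server.get("addr", ":0")):
        problems.append("realm port %r does not match docker_auth server.addr %r"
                        % (realm.port, server.get("addr")))
    if realm.path != "/auth":
        problems.append("realm path %r is not /auth" % realm.path)

    # The registry compares the token's issuer claim with its own issuer string,
    # so both sides must spell it identically.
    if token.get("issuer") != auth_token.get("issuer"):
        problems.append("issuer %r (registry) != %r (docker_auth)"
                        % (token.get("issuer"), auth_token.get("issuer")))

    # rootcertbundle must hold the certificate docker_auth signs with: same file
    # content as server.certificate, whatever path each container sees it at.
    if not token.get("rootcertbundle") or not server.get("certificate"):
        problems.append("rootcertbundle and docker_auth server.certificate must both be set")
    return problems


if __name__ == "__main__":
    for name, cfg in (("working", REGISTRY_CFG), ("broken", BROKEN_REGISTRY_CFG)):
        print(name, check_pair(cfg, AUTH_CFG) or "OK")
```

Running it prints "OK" for the posted pair and three findings for the broken one (http realm, port 5000 instead of 5001, issuer mismatch). The path comparison is only as good as the assumption in the lead-in, so adjust it if your docker_auth is mounted under a different prefix.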

@xiekeyang
Author

So may I generate the certs via these commands?

openssl genrsa -out server.key 2048
openssl req -new -x509 -days 36500 -key server.key -out server.crt -subj "/C=CN/ST=Jiangsu/L=Yangzhou/O=Your Company Name/OU=localhost"
cat server.crt server.key > server.pem

Then, copy them to the correct folders.
Or maybe the OU should be https://localhost:5001/auth ?

@xiekeyang
Author

By the way, is http config necessary?

http:
    addr: localhost:5000
    net: tcp
    prefix: /my/nested/registry/
    secret: asecretforlocaldevelopment
    tls:
        certificate: /path/to/x509/public
        key: /path/to/x509/private
    clientcas:
      - /path/to/ca.pem
      - /path/to/another/ca.pem
    debug:
        addr: localhost:5001

@DirkHeinke

No. The cat step is wrong. (At least I don't have that step). HTTP config is not necessary for testing on localhost. In production you should have TLS (I think otherwise the docker daemon won't connect).

Perhaps you have a problem when the debug is listening on 5001 and you search for the index on the same port?

Send me a mail, then I'll send you a working example cert.

@xiekeyang
Author

@darkdirk Thanks so much. OK.

@rojer
Collaborator

rojer commented Jun 5, 2015

right, no need to glue cert and key together. here's how you can generate a self-signed cert:
openssl req -newkey rsa:2048 -nodes -keyout server.key -x509 -days 365 -out server.pem
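The mistake earlier in the thread, `cat server.crt server.key > server.pem`, hands the registry a file that carries the private key alongside the certificate; the registry only needs the certificate to verify token signatures, and the key has no business in a file that is copied into another container. The script below is an added example (not code from docker_auth or docker/distribution) that inspects a PEM file intended for `rootcertbundle`, lists the block types it contains and flags anything other than certificates. It needs no openssl: it splits the file into PEM blocks, base64-decodes each and checks that the body starts with a DER SEQUENCE. The two sample PEM strings are constructed placeholders (a five-byte DER SEQUENCE, not a real certificate or key) so it runs offline.

```python
import base64
import re

# Matches one PEM block and captures its label (e.g. CERTIFICATE, RSA PRIVATE KEY)
# and the base64 body between the BEGIN/END lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed placeholder body: base64 of the DER bytes 30 03 02 01 01 (a tiny
# SEQUENCE). It is not a real certificate or key; it only gives the parser the
# shape of a PEM block so the script runs offline.
_FAKE_DER_B64 = "MAMCAQE="

# Constructed: the shape of what `openssl req -x509 ... -out server.pem` writes.
CERT_ONLY_PEM = (
    "-----BEGIN CERTIFICATE-----\n" + _FAKE_DER_B64 + "\n-----END CERTIFICATE-----\n"
)

# Constructed: the shape of what `cat server.crt server.key > server.pem` produces.
GLUED_PEM = (
    CERT_ONLY_PEM
    + "-----BEGIN RSA PRIVATE KEY-----\n" + _FAKE_DER_B64 + "\n-----END RSA PRIVATE KEY-----\n"
)


def pem_blocks(text: str) -> list:
    """Return [(label, der_bytes), ...] for every well-formed PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        # X.509 certificates and PKCS#1/PKCS#8 keys are all DER SEQUENCEs (tag 0x30).
        if not der or der[0] != 0x30:
            raise ValueError("PEM block %r does not contain a DER SEQUENCE" % label)
        blocks.append((label, der))
    return blocks


def check_rootcertbundle(text: str) -> list:
    """Problems with a file destined for the registry's auth.token.rootcertbundle.

    An empty list means: at least one CERTIFICATE block and nothing else.
    """
    labels = [label for label, _ in pem_blocks(text)]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    for label in labels:
        if "PRIVATE KEY" in label:
            problems.append("contains a %s block; the bundle is a public trust anchor "
                            "and must not carry the key" % label)
        elif label != "CERTIFICATE":
            problems.append("unexpected %s block" % label)
    return problems


if __name__ == "__main__":
    import sys
    # Pass a real server.pem as the first argument; without one, check the glued sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else GLUED_PEM
    print(check_rootcertbundle(data) or "OK: certificate(s) only")
```

Point it at the file you copied into the registry's certs directory; a clean result means the file holds only certificates, which is exactly what the single openssl command above produces when `server.pem` is used as the `-out` target and the key goes to its own `-keyout` file.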

@rojer rojer closed this as completed Jun 5, 2015