Question: TLS certificate #11
Comments
Can you provide the config from your registry and the docker_auth? Both need the .pem file but only the docker_auth needs the .key.
|
@darkdirk

```yaml
auth:
  token:
    realm: "https://127.0.0.1:5001/auth"
    service: "Docker registry"
    issuer: "Acme auth server"
    rootcertbundle: "/path/to/server.pem"
```

And I didn't change anything and directly use the original examples/simple.yml. Is it OK?
|
Sorry if I ask, but do you have the correct path in the distribution config? Mine looks like this
My docker_auth config:
Both server.pem are the same. Perhaps you can also find some more information here: https://docs.docker.com/registry/configuration/ |
So may I generate the certs via command?

```shell
openssl genrsa -out server.key 2048
openssl req -new -x509 -days 36500 -key server.key -out server.crt -subj "/C=CN/ST=Jiangsu/L=Yangzhou/O=Your Company Name/OU=localhost"
cat server.crt server.key > server.pem
```

Then, copy them to the correct folders.
|
By the way, is http config necessary?

```yaml
http:
  addr: localhost:5000
  net: tcp
  prefix: /my/nested/registry/
  secret: asecretforlocaldevelopment
  tls:
    certificate: /path/to/x509/public
    key: /path/to/x509/private
    clientcas:
      - /path/to/ca.pem
      - /path/to/another/ca.pem
  debug:
    addr: localhost:5001
```

|
No. The cat step is wrong. (At least I don't have that step). HTTP config is not necessary for testing on localhost. In production you should have TLS (I think otherwise the docker daemon won't connect). Perhaps you have a problem when the debug is listening on 5001 and you search for the index on the same port? Send me a mail, then I'll send you a working example cert. |
@darkdirk Thanks so much. OK. |
right, no need to glue cert and key together. here's how you can generate a self-signed cert: |
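
An added example, not taken from this thread or from the docker_auth project: it generates the key and self-signed certificate as separate files with the `openssl` commands quoted above, then checks that the file handed to the registry as `rootcertbundle` matches the key and contains no private key, since only docker_auth needs the `.key`. The function names, the `localhost` CN and the 365-day lifetime are assumptions.

```shell
#!/bin/sh
# Added example. Function names and the CN value are assumptions;
# server.key / server.pem are the file names used in the thread.

# Create a private key and a self-signed certificate as two separate files.
gen_self_signed() {            # $1 = output directory, $2 = certificate CN
    ( umask 077 && openssl genrsa -out "$1/server.key" 2048 2>/dev/null ) &&
    openssl req -new -x509 -days 365 -key "$1/server.key" \
        -out "$1/server.pem" -subj "/CN=$2" 2>/dev/null
}

# Succeed only if the certificate ($1) carries the public half of the key ($2).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the file holds any PEM private key block, which is what
# "cat server.crt server.key > server.pem" produces.
contains_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Check the file that goes to the registry as rootcertbundle ($1) against
# the key that stays with docker_auth ($2).
check_registry_bundle() {
    if contains_private_key "$1"; then
        echo "FAIL: $1 contains a private key; ship the certificate only"
        return 1
    fi
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2"; return 1; }
    echo "OK: $1 is certificate-only and matches $2"
}

# Demo in a scratch directory (constructed data, removed afterwards).
demo_dir=$(mktemp -d) || exit 1
gen_self_signed "$demo_dir" localhost &&
check_registry_bundle "$demo_dir/server.pem" "$demo_dir/server.key"
# The glued file from the thread is rejected by the same check.
cat "$demo_dir/server.pem" "$demo_dir/server.key" > "$demo_dir/glued.pem"
check_registry_bundle "$demo_dir/glued.pem" "$demo_dir/server.key"
rm -rf "$demo_dir"
```
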
@rojer,
I read #3. But still have some confusion.
How do you generate TLS certificate?
If it is via `openssl genrsa` and `openssl req`? I don't think so. Because the certificate's content is not accepted by docker distribution.
Could you please provide some example certificate?
Thanks a lot!