Error when using docker registry with self-signed certificates

[beniamin]

I am trying to use forge with private docker registry deployed with self-signed certificates, but I encounter following error:

║ == Checking Kubernetes Setup ==
║
║ kubectl version --short
║ Client Version: v1.9.2
║ Server Version: v1.9.2
║ 1 tasks run, 0 errors
║ kubectl get service kubernetes --namespace default
║ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
║ kubernetes ClusterIP 10.96.0.1 443/TCP 2d
║ 1 tasks run, 0 errors
║
║ == Setting up Docker ==
║
║ Registry type (one of ecr, gcr, generic)[generic]:
║ Docker registry url[registry.hub.docker.com]: gen-centos755201-all-dev.idoc-alpha.c.emag.network
║ Docker user: testuser
║ Docker password:
║ Docker namespace/organization (use "-" to leave unspecified): -
║
║ registry: {type: docker, url: gen-centos755201-all-dev.idoc-alpha.c.emag.network,
║ user: testuser, password: 'dGVzdHBhc3N3b3Jk
║
║ ', namespace: null}
║
║ docker login -u testuser -p gen-centos755201-all-dev.idoc-alpha.c.emag.network
║ WARNING! Using --password via the CLI is insecure. Use --password-stdin.
║ Login Succeeded
║ docker pull registry.hub.docker.com/datawire/forge-setup-test:1
║ 1: Pulling from datawire/forge-setup-test
║ Digest: sha256:c0537ff6a5218ef531ece93d4984efc99bbf3f7497c0a7726c88e2bb7584dc96
║ Status: Image is up to date for registry.hub.docker.com/datawire/forge-setup-test:1
║ docker tag registry.hub.docker.com/datawire/forge-setup-test:1 gen-centos755201-all-dev.idoc-alpha.c.emag.network/forge_test:dummy
║ docker push gen-centos755201-all-dev.idoc-alpha.c.emag.network/forge_test:dummy
║ The push refers to repository [gen-centos755201-all-dev.idoc-alpha.c.emag.network/forge_test]
║ e154057080f4: Preparing
║ e154057080f4: Layer already exists
║ dummy: digest: sha256:11a6af2edd09100d7a35abacacefd269404cf44aff537668235321d4f4caa485 size: 528
║ GET https://gen-centos755201-all-dev.idoc-alpha.c.emag.network/v2/None/forge_test/manifests/dummy
║ 16 tasks run, 1 errors
║ setup: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
║
║ -- please try again --
║
║ Registry type (one of ecr, gcr, generic)[generic]:

My environment:

• OSX High Sierra
• Docker Version 17.12.0-ce-mac49 (21995)
• forge 0.3.24

Pushing and pulling images from same registry is working with docker push and pull commands.

[rhs]

Thanks for taking the time to report this. Is there any chance you can supply the output of python --version and python -c "import ssl; print ssl.OPENSSL_VERSION"?

[beniamin]

Sure.

~ ᐅ python --version
Python 2.7.10
~ ᐅ python -c "import ssl; print ssl.OPENSSL_VERSION"
LibreSSL 2.2.7

[ewildee]

I am having the same problem with a self-signed OpenShift registry.

Directly pushing and pulling with Docker works, and also forge succeeds to push to the registry, but fails with setup: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661) after GET xxx/v2/xxx/forge_test/manifests/dummy

• OSX High Sierra
• Docker 17.12.0-ce-mac55 (23011)
• forge 0.4.4
• Python 2.7.10
• LibreSSL 2.2.7

[ewildee]

Update: After adding a Let's Encrypt certificate, the setup successfully finished. Probably the problem is indeed with using self-signed certificates for the Docker registry

[jmeickle]

Also ran into this with a self signed cert.

[rhs]

I just released forge 0.4.7 with a fix for this issue. You can read the (quick and dirty) docs here: https://forge.sh/docs/reference/self-signed-registries