Error when using docker registry with self-signed certificates #141

Closed
beniamin opened this Issue Feb 1, 2018 · 6 comments

beniamin commented Feb 1, 2018

I am trying to use forge with a private Docker registry deployed with self-signed certificates, but I encounter the following error:

║ == Checking Kubernetes Setup ==

║ kubectl version --short
║ Client Version: v1.9.2
║ Server Version: v1.9.2
║ 1 tasks run, 0 errors
║ kubectl get service kubernetes --namespace default
║ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
║ kubernetes ClusterIP 10.96.0.1 443/TCP 2d
║ 1 tasks run, 0 errors

║ == Setting up Docker ==

║ Registry type (one of ecr, gcr, generic)[generic]:
║ Docker registry url[registry.hub.docker.com]: gen-centos755201-all-dev.idoc-alpha.c.emag.network
║ Docker user: testuser
║ Docker password:
║ Docker namespace/organization (use "-" to leave unspecified): -

║ registry: {type: docker, url: gen-centos755201-all-dev.idoc-alpha.c.emag.network,
║ user: testuser, password: 'dGVzdHBhc3N3b3Jk

║ ', namespace: null}

║ docker login -u testuser -p gen-centos755201-all-dev.idoc-alpha.c.emag.network
║ WARNING! Using --password via the CLI is insecure. Use --password-stdin.
║ Login Succeeded
║ docker pull registry.hub.docker.com/datawire/forge-setup-test:1
║ 1: Pulling from datawire/forge-setup-test
║ Digest: sha256:c0537ff6a5218ef531ece93d4984efc99bbf3f7497c0a7726c88e2bb7584dc96
║ Status: Image is up to date for registry.hub.docker.com/datawire/forge-setup-test:1
║ docker tag registry.hub.docker.com/datawire/forge-setup-test:1 gen-centos755201-all-dev.idoc-alpha.c.emag.network/forge_test:dummy
║ docker push gen-centos755201-all-dev.idoc-alpha.c.emag.network/forge_test:dummy
║ The push refers to repository [gen-centos755201-all-dev.idoc-alpha.c.emag.network/forge_test]
║ e154057080f4: Preparing
║ e154057080f4: Layer already exists
║ dummy: digest: sha256:11a6af2edd09100d7a35abacacefd269404cf44aff537668235321d4f4caa485 size: 528
║ GET https://gen-centos755201-all-dev.idoc-alpha.c.emag.network/v2/None/forge_test/manifests/dummy
║ 16 tasks run, 1 errors
║ setup: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

║ -- please try again --

║ Registry type (one of ecr, gcr, generic)[generic]:

My environment:

  • OSX High Sierra
  • Docker Version 17.12.0-ce-mac49 (21995)
  • forge 0.3.24

Pushing and pulling images from the same registry works with the docker push and pull commands.

Contributor

rhs commented Feb 2, 2018

Thanks for taking the time to report this. Is there any chance you can supply the output of python --version and python -c "import ssl; print ssl.OPENSSL_VERSION"?

beniamin commented Feb 3, 2018

Sure.

~ ᐅ python --version
Python 2.7.10
~ ᐅ python -c "import ssl; print ssl.OPENSSL_VERSION"
LibreSSL 2.2.7

triplonetienne commented Mar 8, 2018

I am having the same problem with a self-signed OpenShift registry.

Directly pushing and pulling with Docker works, and forge also succeeds in pushing to the registry, but fails with setup: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661) after GET xxx/v2/xxx/forge_test/manifests/dummy

  • OSX High Sierra
  • Docker 17.12.0-ce-mac55 (23011)
  • forge 0.4.4
  • Python 2.7.10
  • LibreSSL 2.2.7

triplonetienne commented Mar 8, 2018

Update: After adding a Let's Encrypt certificate, the setup successfully finished. Probably the problem is indeed with using self-signed certificates for the Docker registry.

Eronarn commented Mar 21, 2018

Also ran into this with a self-signed cert.

Contributor

rhs commented Mar 27, 2018

I just released forge 0.4.7 with a fix for this issue. You can read the (quick and dirty) docs here: https://forge.sh/docs/reference/self-signed-registries

rhs closed this Mar 27, 2018
