Error response from daemon: Missing certificate domain.cert for key domain.key #1371

Closed
aterreno opened this Issue Jan 19, 2016 · 9 comments

aterreno commented Jan 19, 2016

Hi all,
I've been hacking my registry for almost 2 days now and no luck finding a solution to this so far.

I've set up a registry at this address:

```
curl -vvvv -i -L https://registry.equalexperts.io:5000/v2/
```

The docker compose is pretty straightforward:

```yaml
cache:
  image: redis
registry:
  restart: always
  image: registry:2
  ports:
    - 5000:5000
  links:
    - cache
  volumes:
    - /home/ubuntu/data:/var/lib/registry
    - /home/ubuntu/certs:/certs
    - /home/ubuntu/auth:/auth
    - /home/ubuntu/config.yml:/etc/docker/registry/config.yml
frontend:
  image: konradkleine/docker-registry-frontend
  ports:
    - 8081:80
  environment:
    ENV_DOCKER_REGISTRY_HOST: registry
    ENV_DOCKER_REGISTRY_PORT: 5000
```

with the config.yml being:

```yaml
version: 0.1
log:
  level: debug
  fields:
    service: registry
    environment: staging
storage:
  s3:
    accesskey: <ACCESS_KEY>
    secretkey: <SECRET_KEY>
    region: eu-west-1
    bucket: ee-docker-registry-data
    encrypt: false
    secure: true
    v4auth: true
    chunksize: 5242880
    rootdirectory: /registry
auth:
  htpasswd:
    realm: basic-realm
    path: /auth/htpasswd
http:
    addr: 0.0.0.0:5000
    host: https://registry.equalexperts.io:5000
    tls:
      certificate: /certs/registry.equalexperts.io.chained.crt
      key: /certs/registry.equalexperts.io.key
    debug:
        addr: localhost:5001
redis:
    addr: localhost:6379
    db: 0
```

I do successfully curl and log in to my registry from a docker-machine running on Mac OS

docker -v Docker version 1.9.1, build a34a1d5
docker-machine -v Version: 0.5.5, build 02c4254

However attempting to push an image causes this error:

Error response from daemon: Missing certificate registry.equalexperts.io.cert for key registry.equalexperts.io.key

The whole list of commands is:

```
docker run hello-world
docker tag hello-world registry.equalexperts.io:5000/hello-world
docker push registry.equalexperts.io:5000/hello-world
docker tag hello-world registry.equalexperts.io:5000/hello-world
docker push registry.equalexperts.io:5000/hello-world
```

The certificates are created with sslmate, and as you can see in the config.yml I am passing the chained one to the docker registry.

I really can't see what is wrong with my configuration.

Thanks in advance,

toni

Quick addition (that might help if anybody else is searching for workarounds): amending the docker-machine file (sudo vi /var/lib/boot2docker/profile) by adding --insecure-registry registry.equalexperts.io:5000 inside the default EXTRA_ARGS='--label provider=virtualbox' did the trick (you will have to restart the docker daemon: sudo /etc/init.d/docker restart).

This makes the push work. Of course, the whole point of getting a certificate was to have a secure registry, so this will unblock me for now but doesn't seem a reasonable solution.

Contributor

stevvooe commented Jan 20, 2016

You need to copy the cert to /etc/docker/certs/registry.equalexperts.io:5000/cert on the docker engine host and restart it.

This was covered here but was unintentionally removed.


aterreno commented Jan 20, 2016

thanks @stevvooe for the prompt reply, I'll try that

Member

dmcgowan commented Jan 20, 2016

Make sure on the daemon that TLS client certificates have the ending ".cert", and CA certificates have the ending ".crt". If you have ".key" without a ".cert" you will get that error; it will not attempt to use a ".crt" file.

Contributor

stevvooe commented Jan 20, 2016

@aterreno I've filed moby/moby#19473 to get back the new documentation. The PR #19511 has been submitted to fix that. It would be good to get your feedback as this can be a sticking point for registry deployment.


aterreno commented Jan 21, 2016

I suppose it's clear.

```
tree /etc/docker/
/etc/docker/
|-- certs.d
|   `-- registry.equalexperts.io:5000
|       |-- ca.crt
|       |-- client.cert
|       `-- client.key
`-- key.json
```

This is how the folder structure should look: ca and client are generated on the docker box, and ca.crt needs to contain the CA root (I've used the full certificate chain).

Pull works well

thanks a lot
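
The naming rule from the comments above (".crt" for CA certificates, ".cert" plus ".key" for the client pair), written as a check for one registry directory under /etc/docker/certs.d. This is an added example, not code from Docker or from anyone in this thread: audit_certs_dir is a made-up name, the demo directories are constructed in a temp dir, and the certificate-without-key check goes beyond what the thread discusses.

```shell
#!/bin/sh
# audit_certs_dir DIR: apply the daemon's naming rule to one registry directory.
#   *.crt = CA certificate, *.cert + *.key = TLS client pair (same base name).
# Returns 0 if every pair is complete, 1 if not, 2 if DIR does not exist.
audit_certs_dir() {
    dir=$1
    problems=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }

    for key in "$dir"/*.key; do
        [ -e "$key" ] || continue        # glob matched nothing
        base=${key%.key}
        if [ ! -e "$base.cert" ]; then
            echo "missing ${base##*/}.cert for key ${key##*/}"
            # The situation in this issue: the certificate exists, but as .crt
            if [ -e "$base.crt" ]; then
                echo "  ${base##*/}.crt is treated as a CA, not as the client cert"
            fi
            problems=$((problems + 1))
        fi
    done

    # Reverse case: a client certificate with no key (not raised in the thread)
    for cert in "$dir"/*.cert; do
        [ -e "$cert" ] || continue
        base=${cert%.cert}
        if [ ! -e "$base.key" ]; then
            echo "missing ${base##*/}.key for certificate ${cert##*/}"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}

# Constructed demo: the layout that produces the error, then the working one.
demo=$(mktemp -d)
bad="$demo/bad/registry.equalexperts.io:5000"
good="$demo/good/registry.equalexperts.io:5000"
mkdir -p "$bad" "$good"
touch "$bad/registry.equalexperts.io.key" "$bad/registry.equalexperts.io.crt"
touch "$good/ca.crt" "$good/client.cert" "$good/client.key"
audit_certs_dir "$bad" || echo "=> incomplete pair, the daemon would refuse this"
audit_certs_dir "$good" && echo "=> layout is consistent"
rm -rf "$demo"
```

On the Docker engine host, call the function with the real directory, for example audit_certs_dir /etc/docker/certs.d/registry.equalexperts.io:5000, before restarting the daemon.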

Contributor

stevvooe commented Jan 21, 2016

@aterreno No problem. I'll close this when we work out the documentation issues. Thank you for your patience.


aterreno commented Jan 22, 2016

I'll probably blog about how to set the registry up, in combination with
how to get login inside a kubernetes cluster, the two together now work
like a charm but I had to do a bit of reverse engineering on both projects'
docs to get it right :)

Thanks a lot for your help guys, really appreciated


Contributor

stevvooe commented Jan 22, 2016

> I'll probably blog about how to set the registry up

I hope you're nice. ;)

Let us know if you need anything else.

Member

dmp42 commented Jan 25, 2016

Closing now. Let me know if this needs reopening.

dmp42 closed this Jan 25, 2016