x509: certificate signed by unknown authority #1731
Comments
Are you able to curl
I am able to do: I removed the certs in /etc/docker/certs.d, but it still does not work. I am surprised to find out that I am still able to pull images from xxxxxxxx if I configure my client-side docker daemon with DOCKER_OPTS="--insecure-registry 10.0.0.0/8" in /etc/default/docker. Docker registry xxxxxxxxx is running in secure mode. I should not be able to pull images from it in insecure mode, right? Is this a defect?
Insecure mode will still attempt to use TLS, it will just allow certificates from unknown authorities. Can you send your docker daemon logs and also the link to the docs you used for generating the certificate.
The link to the docs I used for generating the certificate: Attaching the docker daemon log and the docker registry container log
Any updates?
@susandiamond I tried your steps and the steps in the provided documentation and was not able to replicate your issue. Here is my log of testing it out. If you can attempt to do something similar in your environment maybe we can see if this is an environment or version issue. Note a step I did not show was to update my
@susandiamond did you have any luck with your setup?
@RichardScothern @dmcgowan: thanks for the details. I am able to make it work. My docker client is able to push and pull docker images to a secure docker registry now. I have another open issue: I am not able to make it work using HAProxy as a frontend load balancer to pass the traffic through to the Docker registries after enabling SSL in the docker registries. Could you shed some light on how HAProxy should be configured to do so?
@susandiamond we have many recipes for setting up the registry with different load balancer configurations but unfortunately none with HAProxy. https://docs.docker.com/registry/recipes/. If you are going to terminate SSL on the registry and not within HAProxy then you will need to set up your load balancer as a TCP proxy, otherwise set up HAProxy to do the termination. I am glad you got your certificates working.
@dmcgowan I am able to get SSL to work with HAProxy and terminate SSL on the registries. But I still can pull images from the registries directly if I have DOCKER_OPTS="--insecure-registry 10.0.0.0/8" set in /etc/default/docker at the client docker daemon. Is there a way to disable the insecure port at the docker registry so we only support secure calls?
@susandiamond Don't add the insecure registry flag to registries you don't want to contact over HTTP. To best protect your registry it should be on a network only reachable by haproxy, and if you don't want your engine to be able to reach it then it should not be in that protected network. If you cannot secure the network your registry is running on then I would suggest only accepting SSL connections at the registry.
@dmcgowan I didn't add insecure registry to my docker registries. I think it is enabled by default in the docker image of the docker registry v2.4. Following is the configuration I used to start the docker registry: Is there a flag to explicitly disable the insecure connection?
The flag I was mentioning is on the engine |
Thanks to our friend @andrei1489 for providing us a solution, you can make it work without using

```console
➜ Repos/work mkdir -p /etc/docker/certs.d/docker-registry.foodomain.org
mkdir: cannot create directory ‘/etc/docker’: Permission denied
➜ Repos/work sudo !!
➜ Repos/work sudo mkdir -p /etc/docker/certs.d/docker-registry.foodomain.org
➜ Repos/work cp -v ~/Downloads/domain-cacert.pem /etc/docker/certs.d/docker-registry.foodomain.org/ca.crt
cp: failed to access '/etc/docker/certs.d/docker-registry.foodomain.org/ca.crt': Permission denied
➜ Repos/work sudo !!
➜ Repos/work sudo cp -v ~/Downloads/domain-cacert.pem /etc/docker/certs.d/docker-registry.foodomain.org/ca.crt
'/home/dminca/Downloads/domain-cacert.pem' -> '/etc/docker/certs.d/docker-registry.foodomain.org/ca.crt'
➜ Repos/work sudo service docker restart
➜ Repos/work docker login docker-registry.foodomain.org
Username: dminca@foodomain.com
Password:
Login Succeeded
```
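The two points the thread settles are that the engine trusts a private CA only when it is placed at `/etc/docker/certs.d/<registry>/ca.crt` (the layout in the session above), and that `--insecure-registry` lives on the engine, not the registry, and quietly downgrades that trust. The script below is an added example written for this page, not code from the issue or from Docker: it installs a CA file into that layout after checking it actually contains a PEM certificate, and reports whether the engine's `/etc/default/docker` still carries an `--insecure-registry` entry that would mask a bad certificate. `CERTS_ROOT`, `DOCKER_DEFAULTS` and the `example.org` host name are assumptions so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the issue thread or from Docker. Installs a registry
# CA into the per-registry trust directory the engine consults, and flags an
# --insecure-registry setting that would bypass certificate verification.
# CERTS_ROOT and DOCKER_DEFAULTS default to the paths named in the thread;
# override them for a dry run against a scratch directory.
CERTS_ROOT="${CERTS_ROOT:-/etc/docker/certs.d}"
DOCKER_DEFAULTS="${DOCKER_DEFAULTS:-/etc/default/docker}"

# pem_has_cert FILE: succeed only if FILE holds a complete PEM CERTIFICATE block.
# This is a format check, not a chain validation; it catches the common mistake
# of copying a key or a DER file into ca.crt.
pem_has_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# install_registry_ca REGISTRY[:PORT] CA_PEM
# Copies CA_PEM to $CERTS_ROOT/REGISTRY/ca.crt, the file the engine reads for
# that registry, and prints the installed path. Fails without touching the
# trust directory when CA_PEM is not a PEM certificate.
install_registry_ca() {
    registry="$1"
    ca_pem="$2"
    if ! pem_has_cert "$ca_pem"; then
        echo "refusing to install: $ca_pem is not a PEM certificate" >&2
        return 1
    fi
    dir="$CERTS_ROOT/$registry"
    mkdir -p "$dir" || return 1
    cp "$ca_pem" "$dir/ca.crt" || return 1
    chmod 0644 "$dir/ca.crt" || return 1
    echo "$dir/ca.crt"
}

# insecure_registry_configured: succeed (and print the entries) if an
# uncommented line in DOCKER_DEFAULTS passes --insecure-registry to the engine.
# Any such entry is reported, because a CIDR like 10.0.0.0/8 can cover the
# registry without naming it, which is exactly what the thread ran into.
insecure_registry_configured() {
    [ -r "$DOCKER_DEFAULTS" ] || return 1
    grep -E -- '^[^#]*--insecure-registry' "$DOCKER_DEFAULTS" |
        grep -oE -- '--insecure-registry[= ][^" ]+'
}

# Usage: sh install-registry-ca.sh docker-registry.example.org ~/domain-cacert.pem
if [ $# -eq 2 ]; then
    if entries=$(insecure_registry_configured); then
        echo "warning: engine still configured with: $entries" >&2
    fi
    install_registry_ca "$1" "$2"
fi
```

Run it with the registry name exactly as it appears in `docker login` (including a `:port` suffix if you use one), since the engine matches the directory name against that string; then restart the daemon as the session above does. The warning about `--insecure-registry` is the part worth keeping in a provisioning pipeline: a pull that succeeds under that flag proves nothing about the certificate.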
I am using docker registry 2.4 and docker engine 1.10.3 on Ubuntu 14.04. I created a self-signed certificate following the instructions in the docker community. But I kept getting the "x509: certificate signed by unknown authority" error.
It is a self-signed certificate, why do I get the error instead of a warning? Docker push and pull failed because of this.