Support for intermediate certificates #683
TLS certificates from Gandi need two intermediate certificates for them to actually work; without them, you get an error like this:
from the result of
I don't have any experience with TLS in Go, but from my reading last night, it seems that I need to include the intermediate certificates Gandi have supplied me in this array.
I don't imagine I'm the first person to see this, nor will I be the last. The deployment guide states
I consider this a necessary feature to deploy Docker Distribution, and I would like to discuss how this feature should be implemented. If nobody else feels up to the task, I am more than happy to roll up my sleeves and do it myself. However, this is my first time dealing with Go and this codebase, so I want to make sure I'm doing it the right way first.
In terms of proposed solutions, we could take inspiration from nginx, which allows you to concatenate your certificate with its intermediates into one file, which nginx then loads into the SSL context for you. Alternatively, we can specify a path of certificates to load, similarly to how a $PATH variable works in a shell.
I'm eager to hear your thoughts on how this can be resolved - I would like to get this docker registry off the ground as soon as possible as it's blocking other projects!
Here is how I started my registry instance:
Previous to this I did:
The basic syntax for the .crt file should be something like:
Incidentally, this is very similar to how nginx expects certificates to come.
Yup, turns out this feature all works as expected with nginx, I must have fudged up a cat command when I was first trying to get this deployed!
To confirm, concatenating the certificates together with a command like
I'll make a PR for some improved documentation about intermediate certs. Thanks @taxilian!