Include configuration explanation for intermediate TLS certificates #686

Merged: 3 commits, Jul 13, 2015

rxbynerd commented Jul 9, 2015

Intermediate certificates are issued by TLS providers who themselves are
an intermediate of a certificate in the trust store. Therefore, to prove
the chain of trust is valid, you need to include their certificate as
well as yours when you send your certificate to the client.

Contrary to what I said in issue #683, distribution can handle these
certificate bundles like nginx. As discussed in #docker-distribution,
I have updated the deployment documentation (which recommends the use of
a TLS certificate from a provider) to include instructions on how to
handle the intermediate certificate when a user is configuring
distribution.

Closes #683.
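The chain-of-trust point above, as an added example that is not code from this PR or from docker/distribution: it generates a throwaway root, intermediate and server certificate in memory (constructed test material; the CA names and the host registry.example.test are assumptions), then checkBundle loads a bundle the way the registry's Go TLS stack does with tls.X509KeyPair, where the first PEM block must be the server certificate that matches the key, and verifies the chain as a client that trusts only the root would, using just the intermediates the bundle carries.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)
// newCert issues a PEM certificate for cn signed by parent (self-signed when parent is nil); test material only.
func newCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}
// testChain builds a throwaway root -> intermediate -> server hierarchy (assumed names) and returns the PEM files a
// deployment would hold on disk: the server key, server.crt, intermediate-certificates.pem and the root clients trust.
func testChain(host string) (keyPEM, serverPEM, interPEM, rootPEM []byte) {
	rootPEM, root, rootKey := newCert("Test Root CA", x509.KeyUsageCertSign, nil, nil)
	interPEM, inter, interKey := newCert("Test Intermediate CA", x509.KeyUsageCertSign, root, rootKey)
	serverPEM, _, serverKey := newCert(host, x509.KeyUsageDigitalSignature, inter, interKey)
	kDER, _ := x509.MarshalPKCS8PrivateKey(serverKey)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kDER}), serverPEM, interPEM, rootPEM
}
// checkBundle loads bundlePEM the way the registry does (tls.X509KeyPair: the first PEM block must be the server
// certificate matching keyPEM), then verifies the chain as a client trusting only rootPEM would, using nothing
// but the intermediates carried in the bundle, which is all the registry sends after its own certificate.
func checkBundle(bundlePEM, keyPEM, rootPEM []byte, host string) error {
	pair, err := tls.X509KeyPair(bundlePEM, keyPEM)
	if err != nil {
		return err // intermediate placed before the server cert: "private key does not match public key"
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // X509KeyPair has already parsed this block
	inter, roots := x509.NewCertPool(), x509.NewCertPool()
	roots.AppendCertsFromPEM(rootPEM)
	for _, der := range pair.Certificate[1:] {
		if c, err := x509.ParseCertificate(der); err == nil {
			inter.AddCert(c)
		}
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}
```

To check a real deployment, pass checkBundle the contents of server.with-intermediate.crt, the server key and the issuer's root certificate before pointing REGISTRY_HTTP_TLS_CERTIFICATE at the bundle.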

Include configuration explanation for intermediate TLS certificates
Intermediate certificates are issued by TLS providers who themselves are
an intermediate of a certificate in the trust store. Therefore, to prove
the chain of trust is valid, you need to include their certificate as
well as yours when you send your certificate to the client.

Contrary to what I said in issue #683, distribution can handle these
certificate bundles like nginx. As discussed in #docker-distribution,
I have updated the deployment documentation (which recommends the use of
a TLS certificate from a provider) to include instructions on how to
handle the intermediate certificate when a user is configuring
distribution.

Signed-off-by: Luke Carpenter <x@rubynerd.net>
@@ -89,6 +89,8 @@ docker run -d -p 5000:5000 \
registry:2
```

If the certificate issuer supplies you with an 'intermediate' certificate, such as Gandi, you need to combine your certificate with the intermediates to form a 'certificate bundle'. You can do this using the cat command: ```cat server.crt GandiStandardSSLCA2.pem > server.with-intermediate.crt```. You can then configure the registry to use your certificate bundle with the ```REGISTRY_HTTP_TLS_CERTIFICATE``` environment variable.
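Review bot: Naming one vendor and its CA file (Gandi, GandiStandardSSLCA2.pem) in a generic deployment guide will not match most readers' files; use a neutral placeholder such as `intermediate-certificates.pem` and say that the issuer supplies the intermediate certificate. Also, the inline commands are wrapped in triple backticks mid-sentence, which Markdown treats as a code fence rather than inline code; use single backticks for `cat ...` and `REGISTRY_HTTP_TLS_CERTIFICATE`, or put the cat command in its own fenced block like the docker run example just above it.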

stevvooe Jul 9, 2015

Remove mention of third party service. Intermediate certificates are a common thing. Perhaps a link to https://en.wikipedia.org/wiki/Intermediate_certificate_authorities would help here.

rxbynerd Jul 9, 2015

Will do

rxbynerd Jul 9, 2015

Hmm, I'm not sure about linking to the Wikipedia page, I doubt users are going to find themselves in a situation where they're not sure if they have an intermediate certificate.

stevvooe commented Jul 9, 2015

@moxiegirl PTAL

Remove mention of a third-party service
Signed-off-by: Luke Carpenter <x@rubynerd.net>
moxiegirl commented Jul 10, 2015

looking

@@ -89,6 +89,8 @@ docker run -d -p 5000:5000 \
registry:2
```

If the certificate issuer supplies you with an 'intermediate' certificate, you need to combine your certificate with the intermediates to form a 'certificate bundle'. You can do this using the cat command: ```cat server.crt intermediate-certificates.pem > server.with-intermediate.crt```. You can then configure the registry to use your certificate bundle with the ```REGISTRY_HTTP_TLS_CERTIFICATE``` environment variable.
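Review bot: The order of the concatenation should be stated explicitly: the registry's own certificate comes first in the bundle, followed by the intermediates. The example `cat server.crt intermediate-certificates.pem > server.with-intermediate.crt` has this right, but a reader who reverses the two files gets a bundle the registry will refuse to load, because the first PEM block must be the certificate that matches the private key. The triple-backtick inline code from the previous revision is also still here; put the cat command in its own fenced block like the docker run example above it and use single backticks for `REGISTRY_HTTP_TLS_CERTIFICATE`.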

moxiegirl Jul 10, 2015

@rxbynerd thank you for the contribution. There are a few Markdown issues and minor punctuation. Also, I think some sentence structures can be improved:

--> https://gist.github.com/moxiegirl/d50d441aabc8b32d4e5e

A certificate issuer may supply you with an intermediate certificate. In this case, you must combine your certificate with the intermediate's to form a certificate bundle. You can do this using the cat command:

$ cat server.crt intermediate-certificates.pem > server.with-intermediate.crt

You then configure the registry to use your certificate bundle by providing the REGISTRY_HTTP_TLS_CERTIFICATE environment variable.

rxbynerd Jul 10, 2015

sounds great - updated w/ content from your gist

update copy with content from @moxiegirl
Signed-off-by: Luke Carpenter <x@rubynerd.net>
moxiegirl commented Jul 10, 2015

LGTM

stevvooe commented Jul 13, 2015

LGTM

stevvooe added a commit that referenced this pull request Jul 13, 2015

Merge pull request #686 from rxbynerd/include-intermediate-tls-config-in-docs

Include configuration explanation for intermediate TLS certificates

@stevvooe stevvooe merged commit 171ed44 into docker:master Jul 13, 2015

2 checks passed

ci/circleci Your tests passed on CircleCI!
docker/dco-signed All commits signed