Unable to connect to registry with client certificate signed by intermediate certificate #21148
Comments
@callebjorkell the |
@dmcgowan Thanks for taking a look at this. We have tried the variant you describe as well to no avail. I did try to include that in the description above, but I don't blame you for missing it as I'm not the most coherent person alive 😉 I tried to include the intermediate both before and after the actual client cert, but couldn't get it to work. If you know of any special syntax you need for that (or format), please let me know.
@callebjorkell: I have been able to reproduce an error with an intermediate certificate but not able to root cause it (not sure whether server/nginx configuration, certificate, docker, or golang issue). To help isolate the cause, could you provide the relevant section of your HAProxy configuration. You can track my attempts here https://github.com/dmcgowan/distribution/commits/client-intermediate-test.
I haven't been able to look into this, but we did create a go client for another part of our system recently using the same types of intermediate client cert. Being written in go, we ran into something that might be relevant for this. The tls package does seem to construct a ca bundle, reading all certs in the ca file. However, to get the client cert to use the intermediate, it had to be in the client certificate file, just like you suggested. Having it bundled with the CA didn't work. At first glance, the setup that you're testing does seem sane to me, I'll try to allocate some time to look at it more closely if needed. The thing that we tried to verify that the SSL termination was working was using either
Same here, we use SSL certificate authentication at the BBC for lots of services instead of passwords. From what I understand, providing

```
$ curl -I -E "$(id -F)" https://foobar.bbc.co.uk/artifactory/docker/
HTTP/1.1 200 OK
```
It has been a year, and I still think that registry client certificates are a good idea. Even if the Distribution project doesn't support them I know that many people are terminating TLS with reverse proxies that are capable of client certificate validation.
@allingeek the registry does support client certificates. This issue is specifically for supporting client certificates signed by intermediate certificates without having to put the intermediate certificates into the CA bundle. This issue was not fully root caused so it is unclear whether there is anything that needs to be changed inside of docker or the registry. If you have a go setup successfully using intermediate certificates for client authentication, please share any insight that might help us figure out what needs to be updated. Otherwise it is possible this is an issue in golang.
We have a docker registry setup where SSL is terminated by haproxy for our private registry. We use a client certificate for authentication. We have been running this setup successfully for quite some time using client certs signed by our root certificate. Recently we started signing client certs with an intermediate certificate instead, and docker doesn't seem to support this setup. We have tried to bundle the intermediate and root certificates in the same `.crt` file, along with the `client.cert`, and as two separate `.crt` files. None of the above allowed us to connect to the registry (see below for error output). To verify that the server side setup was OK, openssl and a browser were used with the same certs. Both were able to connect. OpenSSL command used:
This worked with the intermediate concatenated with the root cert in the same `.crt` file.

Output of `docker version`:

Output of `docker info`:

Additional environment details (AWS, VirtualBox, physical, etc.):
docker-machine -> haproxy -> docker registry
Steps to reproduce the issue:
/etc/docker/certs.d/my.registry.url/
Describe the results you received:
Describe the results you expected:
Being able to pull the docker image from the registry.
Additional information you deem important (e.g. issue happens only occasionally):
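The three placements discussed in this thread (intermediate bundled into the CA `.crt`, intermediate concatenated into `client.cert`, or nothing but the leaf) reduce to one question: can the terminator build a path from the leaf to something it trusts using only the certificates the client sent plus its own trust store. The following is an added Go example written for this page, not code from docker, distribution, HAProxy or any participant here. It builds a throwaway root, intermediate and client certificate in memory (the names `Example Root CA`, `docker-client` and the helpers `issue`, `pemFiles` and `verifyClient` are this example's own), loads the client files with `tls.X509KeyPair` exactly as a Go client would, and runs the same `x509.Verify` shape a Go server applies to a presented client chain (roots from its CA bundle, intermediates from the certificates after the leaf, `ExtKeyUsageClientAuth`). It covers the reporter's failing case, the fix mentioned above (intermediate appended to `client.cert`), and the workaround dmcgowan wants to avoid (intermediate added to the terminator's CA bundle).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// entity is one member of the throwaway PKI this example builds in memory.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var serial int64 // toy serial numbers; a real CA uses random, unique values

// issue mints a certificate for cn: self-signed when parent is nil, else signed by parent.
func issue(cn string, isCA bool, parent *entity) *entity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	// Re-parse so SubjectKeyId is populated when this certificate later signs others.
	return &entity{cert: must(x509.ParseCertificate(der)), key: key}
}

// pemFiles returns the contents of a certs.d client.cert and client.key pair for leaf.
// The cert file holds the leaf followed by whatever extra certificates are given.
func pemFiles(leaf *entity, extra ...*entity) (certPEM, keyPEM []byte) {
	for _, e := range append([]*entity{leaf}, extra...) {
		certPEM = append(certPEM, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: e.cert.Raw})...)
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: must(x509.MarshalECPrivateKey(leaf.key))})
	return certPEM, keyPEM
}

// verifyClient plays the TLS terminator. trusted is its CA bundle; the client
// presents exactly the chain tls.X509KeyPair loads from certPEM/keyPEM, i.e. every
// CERTIFICATE block in the file. The leaf must chain to a trusted CA using only
// the intermediates the client sent, which is what crypto/tls checks server-side.
func verifyClient(trusted []*entity, certPEM, keyPEM []byte) error {
	presented := must(tls.X509KeyPair(certPEM, keyPEM))
	opts := x509.VerifyOptions{
		Roots:         x509.NewCertPool(),
		Intermediates: x509.NewCertPool(),
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	for _, t := range trusted {
		opts.Roots.AddCert(t.cert)
	}
	for _, der := range presented.Certificate[1:] {
		opts.Intermediates.AddCert(must(x509.ParseCertificate(der)))
	}
	leaf := must(x509.ParseCertificate(presented.Certificate[0]))
	_, err := leaf.Verify(opts)
	return err
}

func main() {
	root := issue("Example Root CA", true, nil)
	inter := issue("Example Issuing CA", true, root)
	client := issue("docker-client", false, inter)
	rootOnly := []*entity{root}

	certPEM, keyPEM := pemFiles(client) // leaf only, as in the report
	fmt.Println("leaf only, root-only bundle:        ", verifyClient(rootOnly, certPEM, keyPEM))
	certPEM, keyPEM = pemFiles(client, inter) // intermediate appended to client.cert
	fmt.Println("leaf+intermediate, root-only bundle:", verifyClient(rootOnly, certPEM, keyPEM))
	certPEM, keyPEM = pemFiles(client) // workaround: intermediate in the terminator's CA bundle
	fmt.Println("leaf only, root+intermediate bundle:", verifyClient([]*entity{root, inter}, certPEM, keyPEM))
}
```

`go run` prints an unknown-authority error for the first case and `<nil>` for the other two. The practitioner's checks that fall out of it: a Go client sends every CERTIFICATE block found in the `.cert` file, so appending the intermediate after the leaf is the client-side fix; putting the intermediate into the CA bundle on the client side does nothing for the chain the client presents, because that file only feeds the client's own trust store; and adding the intermediate to the terminator's CA bundle works but makes it a trust anchor, which is the workaround this issue was opened to avoid. Whether docker's certs.d loader behaved like `tls.X509KeyPair` in the reporter's version is exactly what the thread leaves unresolved, so this example shows what Go's libraries do, not what docker did.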