Docker registry v2 TLS with Letsencrypt gave x509: certificate signed by unknown authority #31602
Comments
If you are using the Let's Encrypt feature built into the registry, the environment variable is

If someone else stumbles across this, I suspect the issue may be related to the certificate being used: REGISTRY_HTTP_TLS_CERTIFICATE=/certs/cert1.pem. I think you probably want to use fullchain.pem instead of cert.pem, because neither docker (the Go lib) nor (Ubuntu, in my case) has the LE root cert built in at this time. See also #8849 (comment). I have GitLab set up with an LE certificate. The browser works fine, but docker fails to push to the registry. Changing to fullchain.pem as the certificate (.crt) resolved the issue.
I feel the above comment is misleading ... cert.pem from Let's Encrypt should work fine, as it's the public key, and works fine for me using a local docker registry ... avoid throwing around fullchain.pem, as that contains your private key, which may work as a replacement for cert.pem; however, doing so may let the cat out of the bag ;-( UPDATE ... I stand corrected
https://serverfault.com/questions/793474/how-to-get-lets-encrypt-public-private-key

I don't think it should; it should contain your cert plus any intermediate certs between that and the CA, and (perhaps, or always?) the actual CA cert too, i.e. a bunch of certs only. It wouldn't normally include any keys; they would normally be in a separate If something is embedding keys in a file named
Fullchain is the right solution to this problem. The reason is slightly different: the Let's Encrypt root CA is in most cert stores on most OSes by now, but the intermediate CA may not be, because LE updates intermediates sometimes. Your cert is signed with the intermediate, and if you don't provide the full chain, from the cert to the root, the SSL lib does not know which root to verify with and fails.
Fullchain does not contain the private key. In fact you can't even add it if you wanted to, because it would no longer be valid x509.

Hi Bro.. This is the same issue as my problem. oc import-image nexus-coba:3.5 --from=192.168.250.250:8083/node-nexus --confirm --insecure
Description
I've tried to start a docker registry as a container running on a private machine with dynamic DNS. I've configured certbot on the host machine in order to obtain certificates from Let's Encrypt and started the registry using this command:

docker run -d -p 443:5000 --restart=always --name registry \
  -v /etc/letsencrypt/archive/<my-domain>:/certs \
  -v /opt/registry-auth/:/opt/registry-auth \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/cert1.pem \
  -e REGISTRY_HTTP_TLS_KEY=/certs/privkey1.pem \
  -e HTTP_TLS_LETSENCRYPT_CACHEFILE=/root/letsencrypt \
  -e HTTP_TLS_LETSENCRYPT_EMAIL=<my-reg-mail> \
  -e REGISTRY_HTTP_SECRET=nicesecret \
  -e REGISTRY_AUTH_HTPASSWD_REALM=basic-realm \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/opt/registry-auth/dockerauth \
  registry:2
Notes
When I try to interact with the registry (login, push), the response is always x509: certificate signed by unknown authority.

Results received:
Docker login
docker login -u <user> -p <password> <my-domain>
Result
Error response from daemon: Get https://<my-domain>/v1/users/: x509: certificate signed by unknown authority
Docker push
docker tag java <my-domain>/java
docker push <my-domain>/java
Result
Get https://<my-domain>/v1/_ping: dial tcp 137.204.57.31:443:x509: certificate signed by unknown authority
Additional environment details (AWS, VirtualBox, physical, etc.):
Physical host, Ubuntu 16.10 Desktop environment
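As an added example (this is not code from the issue, from its commenters, or from the registry project), here is a small stdlib-only Python pre-flight check that covers the two problems raised on this page: the docker run command above points REGISTRY_HTTP_TLS_CERTIFICATE at a leaf-only cert1.pem rather than fullchain.pem, and passes the Let's Encrypt settings without the REGISTRY_ prefix the registry uses for environment overrides (the documented names are REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE and REGISTRY_HTTP_TLS_LETSENCRYPT_EMAIL). The PEM samples at the bottom are constructed placeholders (a DER SEQUENCE containing INTEGER 0), not real certificates or keys, so the script runs offline; the file-path arguments and the function names are my own.

```python
"""Pre-flight check for a Docker registry's TLS material and environment.

Catches the two mistakes discussed in docker issue #31602:
  1. the certificate file holds only the leaf (cert.pem) instead of
     leaf + intermediate (fullchain.pem), so Go clients that lack the
     Let's Encrypt intermediate fail with
     "x509: certificate signed by unknown authority";
  2. registry settings passed without the REGISTRY_ prefix, which the
     registry ignores.
Stdlib only; the sample PEM blocks below are constructed, not real.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block, in file order."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
        # Every X.509 certificate and PKCS#8/PKCS#1 key is a DER SEQUENCE (tag 0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"{m.group('label')} block is not DER")
        out.append((m.group("label"), der))
    return out


def check_cert_file(text):
    """Problems with a file meant for REGISTRY_HTTP_TLS_CERTIFICATE."""
    labels = [label for label, _ in pem_blocks(text)]
    problems = []
    if any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("contains a private key; the certificate file must hold certificates only")
    certs = labels.count("CERTIFICATE")
    if certs == 0:
        problems.append("no CERTIFICATE block")
    elif certs == 1:
        # A single certificate is the leaf only; the TLS server must also send
        # the intermediate so clients can build a path to a trusted root.
        problems.append("only one certificate (leaf); use fullchain.pem so the intermediate is served too")
    return problems


def check_key_file(text):
    """Problems with a file meant for REGISTRY_HTTP_TLS_KEY."""
    labels = [label for label, _ in pem_blocks(text)]
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if "CERTIFICATE" in labels:
        problems.append("key file also contains certificates")
    return problems


# Registry config keys seen on this page, as they look when the REGISTRY_
# prefix has been forgotten. Deliberately narrow so HTTP_PROXY etc. are not flagged.
UNPREFIXED_REGISTRY_KEYS = ("HTTP_TLS_", "HTTP_ADDR", "HTTP_SECRET", "AUTH_HTPASSWD_")


def check_registry_env(env):
    """Flag registry settings passed without the REGISTRY_ prefix (the registry ignores them)."""
    problems = []
    for name in env:
        if name.startswith(UNPREFIXED_REGISTRY_KEYS):
            problems.append(f"{name} lacks the REGISTRY_ prefix; the registry reads REGISTRY_{name}")
    return problems


def _fake_block(label):
    # Constructed placeholder: DER SEQUENCE { INTEGER 0 }. Not a real certificate or key.
    body = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x00])).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SAMPLE_CERT_ONLY = _fake_block("CERTIFICATE")        # stands in for cert.pem
SAMPLE_FULLCHAIN = _fake_block("CERTIFICATE") * 2    # stands in for fullchain.pem (leaf + intermediate)
SAMPLE_PRIVKEY = _fake_block("PRIVATE KEY")          # stands in for privkey.pem

if __name__ == "__main__":
    import os
    import sys

    cert_path, key_path = sys.argv[1], sys.argv[2]
    for path, check in ((cert_path, check_cert_file), (key_path, check_key_file)):
        with open(path) as f:
            found = check(f.read())
        print(path, "OK" if not found else "; ".join(found))
    for problem in check_registry_env(os.environ):
        print(problem)
```

Run it as `python3 check_registry_tls.py /etc/letsencrypt/live/<my-domain>/fullchain.pem /etc/letsencrypt/live/<my-domain>/privkey.pem` with the registry's environment exported. Pointing at the `live/` symlinks rather than `archive/<my-domain>/cert1.pem` is also what makes renewal work: certbot writes `cert2.pem`, `fullchain2.pem` and so on into `archive/` on renewal and repoints the `live/` links, so a container that mounts a numbered archive file keeps serving the expired certificate.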