Docker registry login fails with “Certificate signed by unknown authority”
I am running a private docker registry on ubuntu using S3 for storage. I'm having issues getting docker login/push/pull commands to work over SSL. I'm using Nginx in front of Gunicorn to run the registry. It works without any issues over HTTP, but after switching to HTTPS for a prod system, it throws the following error from the client docker login.
Invalid Registry endpoint: x509: certificate signed by unknown authority
I have purchased a rather cheap PositiveSSL certificate from Comodo to use for this. I have ensured the root CA and intermediate CAs are installed on the Ubuntu system running the registry. The following is my nginx configuration for the server:
```nginx
# Default nginx site to run the docker registry
upstream docker-registry {
  server localhost:5000;
}

server {
  listen 443;
  server_name docker.ommited.net;

  ssl on;
  ssl_certificate /etc/ssl/docker-registry.crt;
  ssl_certificate_key /etc/ssl/docker-registry.key;

  proxy_set_header Host $http_host;        # required for docker client's sake
  proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
  client_max_body_size 0;                  # disable any limits to avoid HTTP 413 for large image uploads

  location / {
    proxy_pass http://localhost:5000/;
  }
}
```
I'm trying to figure out how to get docker to properly recognize the cert, or ignore the certificate warning. I'm running docker-registry version v0.7.3; the particular client I'm using is Docker version 1.1.2, build d84a070. On a side note, when visiting the registry in a browser, the cert is properly recognized. Any help pointing me in the right direction would be greatly appreciated!
For cheap / lesser known certs like the COMODO or StartSSL ones, you need to add the entire certificate chain into the certificate file you are using with nginx. Many operating systems don't trust the intermediate CAs, just the root CA, so you need to fill in the missing steps between the certificate for your host and the root CA that is trusted by the OS.
In the e-mail you received your certificate with, you should also find links to the intermediate CAs and the root CA. Open the docker-registry.crt file, scroll to the bottom, and append the intermediate CAs and, finally, the root CA certificate for the PositiveSSL chain. Once you've done that, restart nginx. You should now be good to go.
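The mechanism behind this answer can be reproduced offline. The docker client is a Go program, and `x509: certificate signed by unknown authority` is the error Go's `crypto/x509` returns when the leaf certificate cannot be chained to a trusted root using only the certificates the server sent. The following Go program is an added example written for this page, not code from the question, the answers, Docker or nginx; it constructs its own throwaway root, intermediate and host certificates (none are real PositiveSSL certificates) for the hypothetical registry name `docker.example.test`, verifies the host certificate the way a Go TLS client does when the OS trust store holds only the root, and shows that the verification fails until the intermediate is part of what the server presents, which is exactly what appending the chain to docker-registry.crt makes nginx do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is what a commercial certificate purchase hands you: the trusted root,
// the vendor's intermediate and the host (leaf) certificate. All constructed here.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// issue creates a throwaway certificate for cn, signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a constructed chain
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // the name the docker client connects to
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain constructs root -> intermediate -> leaf for host.
func BuildChain(host string) (*Chain, error) {
	root, rootKey, err := issue("Constructed Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue("Constructed Intermediate CA", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(host, false, inter, interKey)
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, err
}

// VerifyAsDockerWould checks the host certificate the way a Go TLS client such as docker does:
// trusted roots come from the OS store (here only the root CA) and intermediates only from
// what the server actually sent in the handshake.
func VerifyAsDockerWould(c *Chain, host string, sentIntermediates []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	for _, ic := range sentIntermediates {
		inters.AddCert(ic)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// IsUnknownAuthority reports whether err is Go's "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	const host = "docker.example.test" // hypothetical registry name
	c, err := BuildChain(host)
	if err != nil {
		panic(err)
	}
	// docker-registry.crt holding only the host certificate: nginx sends nothing else.
	err = VerifyAsDockerWould(c, host, nil)
	fmt.Printf("leaf only:  %v (unknown authority: %t)\n", err, IsUnknownAuthority(err))
	// The intermediate appended to docker-registry.crt: nginx now sends it too.
	fmt.Println("with chain:", VerifyAsDockerWould(c, host, []*x509.Certificate{c.Intermediate}))
}
```

The browser working while docker fails is consistent with this: browsers cache intermediates from earlier sites and fetch missing ones via AIA, while the Go client only uses what the server sends. To see what your nginx really presents, `openssl s_client -connect docker.ommited.net:443 -showcerts` lists every certificate in the handshake; if only one appears, the chain has not been appended.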
For RHEL hosts, you can add the CA cert to the PKI CA list on the client host:
```bash
cp docker-registry.crt /etc/pki/ca-trust/source/anchors/docker-registry.crt
update-ca-trust
systemctl restart docker
```
From https://www.happyassassin.net/2014/09/06/adding-your-freeipa-servers-ca-certificate-to-the-system-wide-trust-store-on-fedora-and-rhel/
If you are on mac, simply add the registry to the insecure-registries setting in ~/.docker/daemon.json:
```json
{
  "debug" : true,
  "experimental" : true,
  "registry-mirrors" : [],
  "insecure-registries" : ["registry.your.domain.de"]
}
```
In case you make a mistake somewhere (I forgot a comma in the JSON), some issues with starting up the docker daemon might arise afterwards, namely any docker command throwing an `Error response from daemon: Bad response from Docker engine`. A few restarts and resets later that resolved itself.
If you are using letsencrypt and nginx, simply change the ssl_certificate key from cert.pem to fullchain.pem.