Docker Registry 错误地声明了过期的 CA 证书

Question

I followed the Docker Registry installation docs precisely, and have a registry running on a remote Ubuntu VM. On that VM, the Docker container is running with the following command:

docker run -d -p 5000:5000 --restart=always --name registry \
    -v `pwd`/auth:/auth \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    -v `pwd`/certs:/certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
    registry:2

On the remote VM, I have the following directory structure:

/home/myuser/
    certs/
        registry.crt
        registry.key
/etc/docker/certs.d/myregistry.example.com:5000/
    ca.crt
    ca.key

The ca.crt is the same exact cert as ~/certs/registry.crt (just renamed); same goes for ca.key and registry.key being the same/just renamed. I created the ca* files per a suggestion from the error output you'll see below.

I am almost 100% sure the CA cert is still valid, although any help ruling that out (eg how can I actually tell?) would be appreciated. When I start the container and look at the Docker logs, I don't see any errors.

I then attempt to login from my local laptop (Mac):

docker login myregistry.example.com:5000

It queries me for my username, password and email (although I don't recall ever specifying an email when setting up Basic Auth). After entering these correctly (I have checked and double checked...) I get the following error:

myuser@mymachine:~/tmp$docker login myregistry.example.com:5000
Username: my_ciuser
Password: 
Email: myuser@example.com
Error response from daemon: invalid registry endpoint https://myregistry.example.com:5000/v0/:
unable to ping registry endpoint https://myregistry.example.com:5000/v0/ v2 ping attempt failed with error:
Get https://myregistry.example.com:5000/v2/: x509: certificate has expired or is not yet valid
v1 ping attempt failed with error: Get https://myregistry.example.com:5000/v1/_ping: x509:
certificate has expired or is not yet valid. If this private registry supports only HTTP or
HTTPS with an unknown CA certificate, please add 
`--insecure-registry myregistry.example.com:5000` to the daemon's
arguments. In the case of HTTPS, if you have access to the registry's CA
certificate, no need for the flag; simply place the CA certificate
at /etc/docker/certs.d/myregistry.example.com:5000/ca.crt

So from my perspective, I guess the following are possible:

• The CA cert is invalid ( if so, why?!? )
• The CA cert is an intermediary cert ( if so, how can I tell? )
• The CA cert is expired ( if so, how do I tell? )
• This is a bad error message, and some other facet of the registry is not configured properly ( if so, how do I troubleshoot further? )
• Perhaps my cert is not located in the correct place on the server, or doesn't have the right permissions set ( if so, where does the cert need to be? )
• Something else that I would never expect in a million years

Any ideas/thoughts?

Answer 1

As said in the error message:

... In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/myregistry.example.com:5000/ca.crt

where myregistry.example.com:5000 - your CN with port.

You should copy your ca.crt into each Docker Daemon that will connect to your Docker Registry and put it in this folder: /etc/docker/certs.d/myregistry.example.com:5000/ca.crt

After this action you need to restart Docker daemon, for example, via sudo service docker stop && service docker start on CentOS (or call similar procedure on your OS).

Answer 2

I had the similar error: Then I added my private registry to the insecureregistries list. See below image for docker-desktop