[英]Docker Registry incorrectly claims an expired CA cert
I followed the Docker Registry installation docs precisely, and have a registry running on a remote Ubuntu VM.我严格按照 Docker Registry 安装文档进行操作,并在远程 Ubuntu VM 上运行了一个注册表。 On that VM, the Docker container is running with the following command:
在该 VM 上,Docker 容器使用以下命令运行:
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
registry:2
On the remote VM, I have the following directory structure:在远程 VM 上,我有以下目录结构:
/home/myuser/
certs/
registry.crt
registry.key
/etc/docker/certs.d/myregistry.example.com:5000/
ca.crt
ca.key
The ca.crt
is the same exact cert as ~/certs/registry.crt
(just renamed); ca.crt
与~/certs/registry.crt
完全相同(刚刚重命名); same goes for ca.key
and registry.key
being the same/just renamed. ca.key
和registry.key
相同/刚刚重命名也是如此。 I created the ca*
files per a suggestion from the error output you'll see below.我根据您将在下面看到的错误输出中的建议创建了
ca*
文件。
I am almost 100% sure the CA cert is still valid, although any help ruling that out (eg how can I actually tell?) would be appreciated.我几乎100% 确定 CA 证书仍然有效,尽管任何排除这一点的帮助(例如,我如何才能真正知道?)将不胜感激。 When I start the container and look at the Docker logs, I don't see any errors.
当我启动容器并查看 Docker 日志时,我没有看到任何错误。
I then attempt to login from my local laptop (Mac):然后我尝试从我的本地笔记本电脑(Mac)登录:
docker login myregistry.example.com:5000
It queries me for my username, password and email (although I don't recall ever specifying an email when setting up Basic Auth).它询问我的用户名、密码和电子邮件(尽管我不记得在设置基本身份验证时指定了电子邮件)。 After entering these correctly (I have checked and double checked...) I get the following error:
正确输入这些后(我已经检查并仔细检查......)我收到以下错误:
myuser@mymachine:~/tmp$docker login myregistry.example.com:5000
Username: my_ciuser
Password:
Email: myuser@example.com
Error response from daemon: invalid registry endpoint https://myregistry.example.com:5000/v0/:
unable to ping registry endpoint https://myregistry.example.com:5000/v0/ v2 ping attempt failed with error:
Get https://myregistry.example.com:5000/v2/: x509: certificate has expired or is not yet valid
v1 ping attempt failed with error: Get https://myregistry.example.com:5000/v1/_ping: x509:
certificate has expired or is not yet valid. If this private registry supports only HTTP or
HTTPS with an unknown CA certificate, please add
`--insecure-registry myregistry.example.com:5000` to the daemon's
arguments. In the case of HTTPS, if you have access to the registry's CA
certificate, no need for the flag; simply place the CA certificate
at /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
So from my perspective, I guess the following are possible:所以从我的角度来看,我想以下是可能的:
Any ideas/thoughts?任何想法/想法?
As said in the error message:如错误消息中所述:
... In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag;
... 在 HTTPS 的情况下,如果您可以访问注册中心的 CA 证书,则不需要标志; simply place the CA certificate at /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
只需将 CA 证书放在 /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
where myregistry.example.com:5000
- your CN with port.其中
myregistry.example.com:5000
- 带有端口的 CN。
You should copy your ca.crt
into each Docker Daemon that will connect to your Docker Registry and put it in this folder: /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
您应该将您的
ca.crt
复制到将连接到您的 Docker Registry 的每个 Docker Daemon 中,并将其放在以下文件夹中: /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
: /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
After this action you need to restart Docker daemon, for example, via sudo service docker stop && service docker start
on CentOS (or call similar procedure on your OS).执行此操作后,您需要重新启动 Docker 守护进程,例如,在 CentOS 上通过
sudo service docker stop && service docker start
(或在您的操作系统上调用类似程序)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.