带有工件的Docker推送

Question

I am trying to create a local docker repository where I can push my images into.For this I have done the following steps

Configured nginx with SSL Configured nginx so that it binds the docker local repo with the server name Following is my nginx configuration

upstream artifactory_lb {
        server myLb.company.com:8081;
        server myLb.company.com:8081 backup;
}

log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name  to: $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time';

server {
        listen 80;
        listen 443 ssl;

        ssl_certificate  /etc/nginx/ssl/my-certs/myCert.pem;
        ssl_certificate_key /etc/nginx/ssl/my-certs/myserver.key;
        client_max_body_size 2048M;
        location / {
                proxy_set_header Host $host:$server_port;
                proxy_pass http://artifactory_lb;
                proxy_read_timeout 90;
        }
        access_log /var/log/nginx/access.log upstreamlog;
        location /basic_status {
                stub_status on;
                allow all;
                }
}

# Server configuration

server {
    listen 2222 ssl;

    server_name myLb.company.com;
    if ($http_x_forwarded_proto = '') {
        set $http_x_forwarded_proto  $scheme;
    }

    rewrite ^/(v1|v2)/(.*) /api/docker/my_local_repo_key/$1/$2;
    client_max_body_size 0;
    chunked_transfer_encoding on;
    location / {
    proxy_read_timeout  900;
    proxy_pass_header   Server;
    proxy_cookie_path ~*^/.* /;
    proxy_pass         http://artifactory_lb;
    proxy_set_header   X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host;
    proxy_set_header    X-Forwarded-Port  $server_port;
    proxy_set_header    X-Forwarded-Proto $http_x_forwarded_proto;
    proxy_set_header    Host              $http_host;
    proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

When I try to push a docker image - docker push https://myLb.comapny.com/docker/api/image_name I get the following error

v2 ping attempt failed with error: Get https://myLb.company.com/v2/: x509: certificate signed by unknown authority

Note: I did check the authority of the certificate and the other repositories in artifactory work with no issues

Also installed the certificate under /etc/docker/certs.d and etc/ssl/ca-certificates and usr/local/share/ca-certificates

What am I missing?

Answer 1

You may be missing the certificate chain from the Nginx config.

See: http://nginx.org/en/docs/http/configuring_https_servers.html#chains

How you get this chain certificate (intermediate certificate) depends on your certificate authority. You should be able to find it via your CA instructions. For example, for GoDaddy, the instructions point you towards this repository where you can find the intermediate certificate chain: https://certs.godaddy.com/repository