Docker Private Registry - push to 'insecure-registry' still complains about 'unknown authority'

I have a remote Docker registry setup. It has a go-daddy SSL cert installed.

If I curl it I get an 'unknown authority' error:

curl https://example.com:5000/v2/

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none 
More details here: http://curl.haxx.se/docs/sslcerts.html

...

If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

So I then use the 'insecure' curl:

curl -k https://example.com:5000/v2

and I get

{} //which I guess is because there is nothing in the registry?

To check, I curl a non-existent endpoint:

curl -k https://example.com:5000/moo

404 page not found //which is positive, as it means the -k flag is suppressing the 'unknown authority' correctly

So, now that I know it is possible to connect to the registry by curl, I try using the Docker client to push an image:

docker push example.com:5000/my-image

The push refers to a repository [example.com:5000/my-image] 
unable to ping registry endpoint https://example.com:5000/v0/
v2 ping attempt failed with error: Get https://example.com:5000/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://example.com:5000/v1/_ping: x509: certificate signed by unknown authority

So I then try to suppress the error by adding 'insecure-registry' to DOCKER_OPTS (as explained here):

DOCKER_OPTS="--insecure-registry example.com:5000"

[restart docker daemon]

And it does not work. I get the same 'unknown authority' warning.

Firstly, why is a certificate from Go Daddy not trusted? I have it set up on an nginx server and it is working fine with the 'green bar' on the browser.

Secondly, how can I get the 'insecure-registry' to work with Docker? Thanks

Ok, I got to the bottom of this.

Turns out I didn't need to modify /etc/default/docker with this:

DOCKER_OPTS="--insecure-registry example.com:5000"

The issue was that the Go-Daddy certificate I installed in the registry needed to have the intermediate certificates too. I received the following from Go-Daddy:

domain.crt
some-bundle.crt

You need to

cat bundle.crt >> domain.crt

so that the certificate chain is complete. Then it all works fine.
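To confirm that a served certificate file carries its intermediates, the following added example (not part of the original answer) verifies the file against a trusted root with `openssl verify`, offering only the file's own contents as intermediates. The three-tier PKI, the CN values and the function names are constructed for the demo; `domain.crt` and `bundle.crt` mirror the file names used in the answer.

```bash
#!/bin/sh
# Added example; the PKI and the function names are constructed for the demo.

# chain_ok ROOT_CA SERVED_PEM
# Trust only ROOT_CA. The first cert in SERVED_PEM is the leaf; every cert in
# that same file is offered as an untrusted intermediate, which is all a
# client gets from the server during the TLS handshake.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# count_certs PEM: print how many certificates the file holds
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# make_demo_pki DIR: constructed root -> intermediate -> leaf, written as
# root.crt, bundle.crt (the intermediate) and domain.crt (leaf only)
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -out "$d/$n.csr" -subj "/CN=constructed-$n" >/dev/null 2>&1 || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" \
    -out "$d/bundle.crt" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/bundle.crt" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/domain.crt" >/dev/null 2>&1
}

# report ROOT_CA SERVED_PEM: one-line verdict for the file
report() {
  if chain_ok "$1" "$2"; then v="chain complete"; else v="chain BROKEN"; fi
  echo "$(count_certs "$2") cert(s) in $(basename "$2"): $v"
}

tmp=$(mktemp -d) && make_demo_pki "$tmp" && {
  report "$tmp/root.crt" "$tmp/domain.crt"     # before the fix
  cat "$tmp/bundle.crt" >> "$tmp/domain.crt"   # the fix from the answer
  report "$tmp/root.crt" "$tmp/domain.crt"     # after the fix
}
rm -rf "$tmp"
```

Against a real deployment, pass the CA's published root certificate as the first argument and the file the registry is configured to serve as the second.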
