x509 error when trying to login to a trusted (?) docker registry
I have set up a docker registry using harbor.
I have copied the appropriate certificates in /usr/share/local/ca-certificates and run sudo update-ca-certificates with success (it indicated the number of newly added certs).
When trying to login to the specific registry:
ubuntu@master1:/home/vagrant$ docker login my.registry.url
Username: pkaramol
Password:
Error response from daemon: Get https://my.registry.url/v2/: x509: certificate signed by unknown authority
However the following test succeeds:
openssl s_client -connect my.registry.url:443 -CApath /etc/ssl/certs/
...coming back with a lot of verbose output, the certificate itself and ending in:
Verify return code: 0 (ok)
curl also succeeds to the above https link (it fails when the site is not trusted).
Any suggestions?
If you read the documentation
Warning: Using this along with basic authentication requires to also trust the certificate into the OS cert store for some versions of docker (see below). This is more secure than the insecure registry solution.
Generate your own certificate:
$ mkdir -p certs
$ openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt
Be sure to use the name myregistrydomain.com as a CN.
Use the result to start your registry with TLS enabled.
Instruct every Docker daemon to trust that certificate. The way to do this depends on your OS.
Linux: Copy the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on every Docker host. You do not need to restart Docker.
See below link for more details
https://docs.docker.com/registry/insecure/#use-self-signed-certificates
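An added example, not part of the original answer: a POSIX shell helper for the Linux step above. It derives the certs.d directory from the registry name as it is typed for docker login (host, plus port when one is used) and refuses to install a file that contains a private key. The function names and the optional root-directory argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; function names and the optional ROOT argument are assumptions.

# Print the per-registry trust directory Docker reads on Linux.
#   $1 registry as typed for `docker login` (scheme and path are stripped)
#   $2 optional root directory, default /etc/docker/certs.d
registry_trust_dir() {
    ref=${1#*://}      # drop a leading https:// or http://
    ref=${ref%%/*}     # drop any path such as /v2/
    [ -n "$ref" ] || return 1
    printf '%s/%s\n' "${2:-/etc/docker/certs.d}" "$ref"
}

# Copy CERT to <trust dir>/ca.crt and print the destination path.
# Refuses a file that holds a private key (domain.key or a combined PEM),
# because ca.crt is distributed to every Docker host, and a file with no
# PEM certificate. This is a structural check, not chain validation.
#   $1 CERT   $2 registry   $3 optional root directory
install_registry_ca() {
    cert=$1
    dir=$(registry_trust_dir "$2" "$3") || return 1
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    if grep -q -e 'PRIVATE KEY-----' "$cert"; then
        echo "refusing $cert: contains a private key" >&2
        return 2
    fi
    if ! grep -q -e '^-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "refusing $cert: no PEM certificate found" >&2
        return 3
    fi
    mkdir -p "$dir" || return 1
    cp "$cert" "$dir/ca.crt" || return 1
    chmod 0644 "$dir/ca.crt" || return 1
    # Informational: subject and expiry on stderr when openssl can parse it.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$dir/ca.crt" -noout -subject -enddate >&2 2>/dev/null || true
    fi
    printf '%s\n' "$dir/ca.crt"
}

# Demo in a scratch directory with a constructed placeholder certificate.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQ=' \
    '-----END CERTIFICATE-----' > "$demo/domain.crt"
install_registry_ca "$demo/domain.crt" https://my.registry.url/v2/ "$demo/certs.d"
rm -rf "$demo"
```

For the registry in the question, which is addressed without a port, the resulting path is /etc/docker/certs.d/my.registry.url/ca.crt.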