
x509 error when trying to login to a trusted (?) docker registry

I have set up a docker registry using harbor.

I have copied the appropriate certificates in /usr/share/local/ca-certificates and run sudo update-ca-certificates with success (it indicated the number of newly added certs).

When trying to login to the specific registry:

ubuntu@master1:/home/vagrant$ docker login my.registry.url
Username: pkaramol
Password: 
Error response from daemon: Get https://my.registry.url/v2/: x509: certificate signed by unknown authority

However the following test succeeds:

openssl s_client -connect my.registry.url:443 -CApath /etc/ssl/certs/

...coming back with a lot of verbose output, the certificate itself and ending in:

Verify return code: 0 (ok)

curl also succeeds to the above https link (it fails when the site is not trusted).

Any suggestions?

If you read the documentation

Use self-signed certificates

Warning: Using this along with basic authentication requires to also trust the certificate into the OS cert store for some versions of docker (see below). This is more secure than the insecure registry solution.

Generate your own certificate:

$ mkdir -p certs

$ openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -x509 -days 365 -out certs/domain.crt

Be sure to use the name myregistrydomain.com as a CN.

Use the result to start your registry with TLS enabled.

Instruct every Docker daemon to trust that certificate. The way to do this depends on your OS.

Linux: Copy the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on every Docker host. You do not need to restart Docker.

See below link for more details

https://docs.docker.com/registry/insecure/#use-self-signed-certificates
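
An added example (not part of the original answer or of Docker's documentation): a POSIX shell helper that installs a registry CA into the per-registry directory the answer names, refusing files that lack a PEM certificate or that contain a private key. The function names and the DOCKER_CERTS_ROOT override are assumptions made for this example.

```shell
#!/bin/sh
# Added example. DOCKER_CERTS_ROOT is overridable (an assumption of this
# example) so the functions can be tried without root.
DOCKER_CERTS_ROOT="${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}"

# registry_cert_dir REGISTRY: print the directory the daemon reads for it.
# The name must match the address given to `docker login` (host[:port]).
registry_cert_dir() {
    reg="${1#https://}"   # tolerate a pasted URL
    reg="${reg%%/*}"      # drop a path such as /v2/
    case "$reg" in
        ''|.*|*..*|*[!A-Za-z0-9.:_-]*)
            echo "bad registry name: $1" >&2; return 1 ;;
    esac
    printf '%s/%s\n' "$DOCKER_CERTS_ROOT" "$reg"
}

# install_registry_ca REGISTRY CA_PEM: copy CA_PEM to <dir>/ca.crt.
# Checks PEM markers only; it does not parse the certificate.
install_registry_ca() {
    dir=$(registry_cert_dir "$1") || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$2" 2>/dev/null ||
        { echo "$2: no PEM certificate found" >&2; return 2; }
    if grep -q -- 'PRIVATE KEY-----' "$2"; then
        echo "$2: contains a private key, not installing" >&2; return 3
    fi
    mkdir -p "$dir" && cp "$2" "$dir/ca.crt" &&
        chmod 0644 "$dir/ca.crt" || return 4
    printf '%s\n' "$dir/ca.crt"
}

# check_registry_chain REGISTRY CA_PEM: needs network access and openssl.
# Verifies the chain the registry serves with CA_PEM as the -CAfile.
check_registry_chain() {
    dir=$(registry_cert_dir "$1") || return 1
    reg="${dir##*/}"; host="${reg%%:*}"; port=443
    case "$reg" in *:*) port="${reg##*:}" ;; esac
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$2" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage (as root), with the names from the answer above:
#   check_registry_chain myregistrydomain.com:5000 certs/domain.crt &&
#   install_registry_ca  myregistrydomain.com:5000 certs/domain.crt
```

The certs.d directory is read without restarting Docker, as the answer notes; a CA added only to the OS store with update-ca-certificates is picked up by the Docker daemon after it is restarted.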
