堆栈内存溢出
  简体   繁体   English

使用自签名证书配置本地注册表

[英]Configuring local registry with self-signed certificate

 原文  2017-11-11 13:16:56       docker/ openssl/ docker-registry

问题描述

I want to configure a local docker registry with self-signed certificate which i will be using inside my local network.我想使用我将在本地网络中使用的自签名证书配置本地 docker 注册表。 I'm following instruction from docker manual [1, 2], but nevertheless run into errors.我正在遵循 docker 手册 [1, 2] 中的说明,但还是遇到了错误。

Precisely, my problem is following.准确地说,我的问题如下。 I create a self signed certificate on the local registry machine:我在本地注册机上创建了一个自签名证书:

openssl req \                                 
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -x509 -days 365 -out certs/domain.crt \
  -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=openmpi-dockerregistry.local"

I put this certificate into /etc/docker/certs.d/openmpi-dockerregistry:443/ca.crt on each of the local machines.我将此证书放入/etc/docker/certs.d/openmpi-dockerregistry:443/ca.crt本地机器上的/etc/docker/certs.d/openmpi-dockerregistry:443/ca.crt

Then I start registry and push an image there.然后我启动注册表并在那里推送一个图像。 Since I do not have DNS configured inside my network, I just put an entry into /etc/hosts .由于我的网络中没有配置 DNS,我只是在/etc/hosts输入了一个条目。

Next I try to pull the image on the local machine, but this operation fails:接下来我尝试拉取本地机器上的镜像,但是这个操作失败了:

$ docker run -it openmpi-dockerregistry.local:443/hello-world
Unable to find image 'openmpi-dockerregistry.local:443/hello-world:latest' locally
docker: Error response from daemon: Get https://openmpi-dockerregistry.local:443/v2/: x509: certificate is not valid for any names, but wanted to match openmpi-dockerregistry.local.
See 'docker run --help'.

I'm very suspicious about message "x509: certificate is not valid for any names", which sounds that I did not specify CN correctly, but reading the certificate indicates the opposite ( full output ):我对消息“x509:证书对任何名称都无效”非常怀疑,这听起来我没有正确指定 CN,但阅读证书表明相反( 完整输出):

 $ openssl x509 -text -noout -in certs/domain.crt
 ....
    Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Oregon, L = Portland, O = Company Name, OU = Org, CN = openmpi-dockerregistry.local
 ....

Another option which I tried is to access the register directly by IP.我尝试的另一个选项是直接通过 IP 访问寄存器。 I followed a manual[3] and added IP SAN to the certificate.我按照手册 [3] 并将 IP SAN 添加到证书中。 Additionally I also set CN=*.另外我还设置了 CN=*。 So that the resulting certificate now contains following ( full ):这样生成的证书现在包含以下( 完整):

        X509v3 extensions:
            X509v3 Subject Alternative Name: 
               IP Address:<ip address>

But now when I try to pull the image I get following error message:但是现在当我尝试拉图像时,我收到以下错误消息:

$ docker run -it  <ip>:443/hello-world
Unable to find image '<ip>:443/hello-world:latest' locally
docker: Error response from daemon: Get https://<ip>:443/v2/: x509: cannot validate certificate for <ip> because it doesn't contain any IP SANs.
See 'docker run --help'

Although the file /etc/docker/certs.d/<ip>:443/ca.crt contains the IP address.尽管文件/etc/docker/certs.d/<ip>:443/ca.crt包含 IP 地址。

Could you help me to find a way to pull images from local registry?你能帮我找到一种从本地注册表中提取图像的方法吗?

Update更新

How do I start docker registry?如何启动 docker 注册表?

$ docker run -d \
   -v `pwd`/certs:/certs \
   -e REGISTRY_HTTP_ADDR=0.0.0.0:$REGISTRY_PORT \
   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
   -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
   -p $REGISTRY_PORT:$REGISTRY_PORT \
   --restart=always \
   --name registry \
   registry:2
  1. https://docs.docker.com/registry/insecure/#use-self-signed-certificates https://docs.docker.com/registry/insecure/#use-self-signed-certificates
  2. https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry
  3. https://bowerstudios.com/node/1007 https://bowerstudios.com/node/1007

3 个解决方案

解决方案1
 7 已采纳  2017-11-12 12:53:46

I think the problem is that you didn't copy the certificate and key in the /etc/docker/certs.d/ folder.我认为问题在于您没有复制/etc/docker/certs.d/文件夹中的证书和密钥。

The folder should look like this:该文件夹应如下所示:

/etc/docker/certs.d/
└── openmpi-dockerregistry.local:443
   ├── client.cert
   ├── client.key
   └── ca.crt

In my case I had no ca.crt and it worked fine.就我而言,我没有ca.crt ,它运行良好。

Reference: https://docs.docker.com/engine/security/certificates/参考: https : //docs.docker.com/engine/security/certificates/

I implemented your setup on my machine, everything worked fine after I copied domain.key and domain.crt (and renamed them) in the /etc/docker/certs.d folder.我在我的机器上实现了你的设置,在我复制了 /etc/docker/certs.d 文件夹中的 domain.key 和 domain.crt(并重命名它们)后,一切正常。 The only difference was that I used openmpi-dockerregistry as a domain instead of openmpi-dockerregistry.local唯一的区别是我使用openmpi-dockerregistry作为域而不是openmpi-dockerregistry.local

解决方案2
 2  2019-06-06 21:08:37

You need to edit your /etc/ssl/openssl.cnf to have the FQDN (openmpi-dockerregistry.local) and the IP address in the IP SANs list.您需要编辑 /etc/ssl/openssl.cnf 以在 IP SAN 列表中包含 FQDN (openmpi-dockerregistry.local) 和 IP 地址。 Add as follows:添加如下:

[ v3_ca ]


# Extensions for a typical CA
subjectAltName = @alt_names
[ alt_names ]

IP.1 = <IP>
DNS.1 = openmpi-dockerregistry.local

Now generate the cert using the following command:现在使用以下命令生成证书:

openssl req -config /etc/ssl/openssl.cnf \                                 
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -x509 -days 365 -out certs/domain.crt \
  -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=openmpi-dockerregistry.local"

Check whether the cert has the IP and the DNS in the IP SANs list with this command:使用以下命令检查证书是否具有 IP SAN 列表中的 IP 和 DNS:

openssl x509 -in domain.crt -text -noout

You should see something like this in the output if all went right:如果一切顺利,您应该在输出中看到类似的内容:

X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:<IP>, DNS:openmpi-dockerregistry.local

Now copy this cert in the client docker certs directory in the following location:现在将此证书复制到客户端docker certs 目录中的以下位置:

/etc/docker/certs.d/openmpi-dockerregistry.local/ca.crt

You should be good now.你现在应该很好。

解决方案3
 0  2020-07-20 03:02:44

I had the same problem.我有同样的问题。 Turned out I did not add a CN or Common Name when creating the cert.原来我在创建证书时没有添加 CN 或通用名称。 I remade the certs, remembering to include the CN, restarted the registry, and recopied the cert over to the other nodes.我重新制作了证书,记得包含 CN,重新启动注册表,并将证书重新复制到其他节点。 This solved my problem.这解决了我的问题。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用minikube从本地Docker注册表中提取映像(带有自签名CA证书) - Using minikube to pull image from local Docker registry (with self-signed CA certificate) 使用自签名证书将本地Docker映像推送到私有存储库 - Pushing a local Docker image to a private repository with a self-signed certificate 带有自签名证书的 Traefik - Traefik with self-signed certificate 如何使Drone Docker插件通过具有自签名TLS证书的自托管注册表进行身份验证 - How to make Drone Docker plugin to authenticate with a self-hosted registry having a self-signed TLS certificate Docker Swarm和自签名Docker Registry - Docker Swarm and self-signed Docker Registry CircleCI中的自签名Docker注册表 - Self-signed docker registry in CircleCI 如何使用自签名证书通过TLS将Docker应用程序包推送到私有注册表 - How to push a Docker Application Package to private registry via TLS using a self-signed certificate 使受信任的自签名证书不在专用网络上注册为“自签名”(即可信任) - Make trusted self-signed certificate not register as “self-signed” (i.e. trusted) on private network 对部署映像使用自签名SSL证书 - Using self-signed SSL certificate for deployment images JBoss/Keycloak 服务器:更新自签名服务器 SSL 证书 - JBoss/Keycloak Server: Update self-signed Server SSl certificate
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM