无法通过 TLS 推送到私有 docker 注册表
[英]Unable to push to private docker registry via TLS
问题描述
I have QNAP NAS behind my router with public IP 1.2.3.4.
我的路由器后面有 QNAP NAS,公共 IP 1.2.3.4。 I have certificate for xxxx.yyyy.cz.我有 xxxx.yyyy.cz 的证书。 The certificate is valid, I am able to reach my NAS over HTTPS.证书有效,我可以通过 HTTPS 访问我的 NAS。 I installed docker registry:2.7 on my NAS.我在我的 NAS 上安装了 docker registry:2.7 。 This is container environment configuratin:这是容器环境配置:
REGISTRY_HTTP_ADDR 0.0.0.0:5443
REGISTRY_HTTP_TLS_CERTIFICATE /certs/client.cert
REGISTRY_HTTP_TLS_KEY /certs/client.key
I set up port forwarding 5443 to 5443 TCP.我设置端口转发5443到5443 TCP。 In certs directory are 3 files:在 certs 目录中有 3 个文件:
/certs # ls -al
total 24
drwxrwxrwx 2 root root 4096 Oct 20 17:02 .
drwxr-xr-x 1 root root 4096 Oct 20 17:01 ..
-rwxrwxrwx 1 root root 1688 Oct 20 16:42 ca.crt
-rwxrwxrwx 1 root root 2060 Oct 20 16:42 client.cert
-rwxrwxrwx 1 root root 1704 Oct 20 16:42 client.key
I am able to get response from registry with curl or via browser:我可以使用 curl 或通过浏览器从注册表获得响应:
$ curl --cacert Downloads/certs/ca.crt https://xxxx.yyyy.cz:5443/v2/_catalog ; echo $?
{"repositories":[]}
0
So I am sure certificate are right and registry is running correctly.所以我确信证书是正确的并且注册表运行正常。 When I see the container logs, I am still receiving this messages:当我看到容器日志时,我仍然收到以下消息:
2019/10/20 17:51:10 http: TLS handshake error from 1.2.3.4:58164: tls: first record does not look like a TLS handshake
2019/10/20 17:51:30 http: TLS handshake error from 1.2.3.4:58334: tls: first record does not look like a TLS handshake
2019/10/20 17:51:50 http: TLS handshake error from 1.2.3.4:58498: tls: first record does not look like a TLS handshake
2019/10/20 17:52:11 http: TLS handshake error from 1.2.3.4:58654: tls: first record does not look like a TLS handshake
2019/10/20 17:52:31 http: TLS handshake error from 1.2.3.4:58810: tls: first record does not look like a TLS handshake
2019/10/20 17:52:51 http: TLS handshake error from 1.2.3.4:58982: tls: first record does not look like a TLS handshake
2019/10/20 17:53:12 http: TLS handshake error from 1.2.3.4:59136: tls: first record does not look like a TLS handshake
When I try to push something to my registry, I am receiving error:当我尝试将某些内容推送到我的注册表时,我收到错误消息:
$ docker push xxxx.yyyy.cz:5443/myimage:latest
The push refers to repository [xxxx.yyyy.cz:5443/myimage]
Get https://xxxx.yyyy.cz:5443/v2/: x509: certificate signed by unknown authority
and in docker logs I can see error message:在 docker 日志中,我可以看到错误消息:
2019/10/20 18:43:28 http: TLS handshake error from 1.2.3.4:41632: remote error: tls: bad certificate
I used this and this instructions, but it did not helped.我使用了这个和这个说明,但它没有帮助。 After I logged to the container, I checked my cert files sha256, they are okay.登录到容器后,我检查了我的证书文件 sha256,它们没问题。
- How can I use TLS on my docker registry and why it does not accept my certs?如何在我的 docker 注册表上使用 TLS,为什么它不接受我的证书?
- Why it does not work via docker command?为什么它不能通过 docker 命令工作?
1 个解决方案
解决方案1
2 已采纳 2019-10-27 21:12:30
I had problem with client.cert .我对client.cert有问题。 It should contains also ca.crt as its mentioned here in section USE AN INTERMEDIATE CERTIFICATE :它还应该包含ca.crt ,正如它在USE AN INTERMEDIATE CERTIFICATE部分中提到的那样:
A certificate issuer may supply you with an intermediate certificate.证书颁发者可能会为您提供中间证书。 In this case, you must concatenate your certificate with the intermediate certificate to form a certificate bundle.在这种情况下,您必须将您的证书与中间证书连接起来以形成一个证书包。 You can do this using the cat command:您可以使用 cat 命令执行此操作:
cat domain.crt intermediate-certificates.pem > certs/domain.crt
You can use the certificate bundle just as you use the domain.crt file in the previous example.您可以像在上一个示例中使用 domain.crt 文件一样使用证书包。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.