Unable to push to private docker registry via TLS
I have a QNAP NAS behind my router with public IP 1.2.3.4. I have a certificate for xxxx.yyyy.cz. The certificate is valid, I am able to reach my NAS over HTTPS. I installed docker registry:2.7 on my NAS. This is the container environment configuration:
REGISTRY_HTTP_ADDR 0.0.0.0:5443
REGISTRY_HTTP_TLS_CERTIFICATE /certs/client.cert
REGISTRY_HTTP_TLS_KEY /certs/client.key
I set up port forwarding 5443 to 5443 TCP. In the certs directory there are 3 files:
/certs # ls -al
total 24
drwxrwxrwx 2 root root 4096 Oct 20 17:02 .
drwxr-xr-x 1 root root 4096 Oct 20 17:01 ..
-rwxrwxrwx 1 root root 1688 Oct 20 16:42 ca.crt
-rwxrwxrwx 1 root root 2060 Oct 20 16:42 client.cert
-rwxrwxrwx 1 root root 1704 Oct 20 16:42 client.key
I am able to get a response from the registry with curl or via browser:
$ curl --cacert Downloads/certs/ca.crt https://xxxx.yyyy.cz:5443/v2/_catalog ; echo $?
{"repositories":[]}
0
So I am sure the certificates are right and the registry is running correctly. When I look at the container logs, I am still receiving these messages:
2019/10/20 17:51:10 http: TLS handshake error from 1.2.3.4:58164: tls: first record does not look like a TLS handshake
2019/10/20 17:51:30 http: TLS handshake error from 1.2.3.4:58334: tls: first record does not look like a TLS handshake
2019/10/20 17:51:50 http: TLS handshake error from 1.2.3.4:58498: tls: first record does not look like a TLS handshake
2019/10/20 17:52:11 http: TLS handshake error from 1.2.3.4:58654: tls: first record does not look like a TLS handshake
2019/10/20 17:52:31 http: TLS handshake error from 1.2.3.4:58810: tls: first record does not look like a TLS handshake
2019/10/20 17:52:51 http: TLS handshake error from 1.2.3.4:58982: tls: first record does not look like a TLS handshake
2019/10/20 17:53:12 http: TLS handshake error from 1.2.3.4:59136: tls: first record does not look like a TLS handshake
When I try to push something to my registry, I receive an error:
$ docker push xxxx.yyyy.cz:5443/myimage:latest
The push refers to repository [xxxx.yyyy.cz:5443/myimage]
Get https://xxxx.yyyy.cz:5443/v2/: x509: certificate signed by unknown authority
and in the docker logs I can see this error message:
2019/10/20 18:43:28 http: TLS handshake error from 1.2.3.4:41632: remote error: tls: bad certificate
I used this and this instructions, but it did not help. After I logged in to the container, I checked the sha256 of my cert files, they are okay.
I had a problem with client.cert. It should also contain ca.crt, as is mentioned here in the section USE AN INTERMEDIATE CERTIFICATE:
A certificate issuer may supply you with an intermediate certificate. In this case, you must concatenate your certificate with the intermediate certificate to form a certificate bundle. You can do this using the cat command:
cat domain.crt intermediate-certificates.pem > certs/domain.crt
You can use the certificate bundle just as you use the domain.crt file in the previous example.
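Why the bundle matters, as an added example that is not part of the original answer or the Docker documentation: the "x509: certificate signed by unknown authority" message comes from Go's crypto/x509 verifier, and this sketch reproduces it for a client that trusts only a root CA when the server presents the leaf alone, then shows verification passing once the intermediate is sent with it. It assumes ca.crt is an intermediate the Docker client does not already trust; the CA names and the issue and Verdicts helpers are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed test certificate for cn, signed by parent (self-signed if parent is nil).
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames: []string{cn}, BasicConstraintsValid: true, IsCA: isCA}
	if parent == nil {
		parent, pkey = t, key // root: signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Verdicts returns what a client that trusts only the root concludes when the
// server sends the leaf alone, and when it sends leaf + intermediate (the bundle).
func Verdicts() (leafOnly, bundle error) {
	root, rk := issue("root.ca.example", 1, true, nil, nil)
	mid, mk := issue("intermediate.ca.example", 2, true, root, rk)
	leaf, _ := issue("xxxx.yyyy.cz", 3, false, mid, mk)
	opts := x509.VerifyOptions{DNSName: "xxxx.yyyy.cz", Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	_, leafOnly = leaf.Verify(opts) // server presented only its own certificate
	opts.Intermediates.AddCert(mid) // server presented the concatenated bundle
	_, bundle = leaf.Verify(opts)
	return leafOnly, bundle
}

func main() { fmt.Println(Verdicts()) }
```

The order in the bundle file matters for a TLS server: the server's own certificate comes first, followed by the intermediate, which is what the cat command above produces.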