x509：Kube.netes 中未知授权机构签名的证书（可能是因为“crypto/rsa：验证错误”）

Question

I have already deployed a local registry which listens on 192.168.xx.xx:5000 .我已经部署了一个监听192.168.xx.xx:5000的本地注册表。

In /etc/hosts I have added:在/etc/hosts我添加了：

192.168.xx.xx my.local.registry

and using sudo vim /etc/docker/daemon.json I have added:并使用sudo vim /etc/docker/daemon.json我添加了：

{ "insecure-registries":["my.local.registry:5000"] } { “不安全注册表”：[“my.local.registry:5000”] }

Then I pushed an image on it using:然后我使用以下方法在其上推送图像：

sudo docker tag hello-world my.local.registry:5000/hello-world
sudo docker push my.local.registry:5000/hello-world

Everything works as excpected.一切都按预期工作。 In https://my.local.registry:5000/v2/_catalog I am able to see the pushed image:在https://my.local.registry:5000/v2/_catalog ，我可以看到推送的图像：

{"repositories":["hello-world"]} {“存储库”：[“你好世界”]}

In the next step, I wanted to create a pod, thus a Deployment which will be able to download the image from my local registry.在下一步中，我想创建一个 pod，从而创建一个 Deployment，它将能够从我的本地注册表下载图像。 Example:例子：

apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry-test
  labels:
    app: registry-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: registry-test
  template:
    metadata:
      labels:
        app: registry-test
    spec:
      containers:
      - name: registry-test
        image: my.local.registry:5000/hello-world

I have generated my own certificate using:我使用以下方法生成了自己的证书：

openssl req -newkey rsa:4096 -nodes -sha256 -keyout ./certs/tls.key -x509 -days 365  -subj "/C=GR/ST=./L=./O=./CN=my.local.registry" -addext "subjectAltName = DNS:my.local.registry" -out ./certs/tls.crt

and then I created a folder sudo mkdir -p /etc/docker/certs.d/my.local.registry:5000 where I put the newly created certificate using sudo scp certs/tls.crt /etc/docker/certs.d/my.local.registry:5000/ca.crt然后我创建了一个文件夹sudo mkdir -p /etc/docker/certs.d/my.local.registry:5000我使用sudo scp certs/tls.crt /etc/docker/certs.d/my.local.registry:5000/ca.crt放置了新创建的证书sudo scp certs/tls.crt /etc/docker/certs.d/my.local.registry:5000/ca.crt

Then I added sudo cp certs/tls.crt /usr/local/share/ca-certificates/ca.crt and finally I executed:然后我添加了sudo cp certs/tls.crt /usr/local/share/ca-certificates/ca.crt最后我执行了：

sudo update-ca-certificates 
sudo service docker restart
sudo systemctl restart containerd

However, when I apply the Deployment with kubectl apply -f mytestDeployment.yaml I get但是，当我使用kubectl apply -f mytestDeployment.yaml应用 Deployment 时，我得到

Failed to pull image "my.local.registry:5000:5000/hello-world": rpc error: code = Unknown desc = failed to pull and unpack image "my.local.registry:5000:5000/hello-world:latest": failed to resolve reference "my.local.registry:5000:5000/hello-world:latest": failed to do request: Head "https://my.local.registry:5000:5000/v2/hello-world/manifests/latest": x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "my.local.registry:5000")拉取图像“my.local.registry:5000:5000/hello-world”失败：rpc 错误：code = Unknown desc = 拉取和解压图像“my.local.registry:5000:5000/hello-world:latest”失败“：无法解析引用“my.local.registry:5000:5000/hello-world:latest”：无法执行请求：Head“https://my.local.registry:5000:5000/v2/hello-world /manifests/latest": x509: 由未知权威机构签署的证书（可能是因为在尝试验证候选权威机构证书“my.local.registry:5000”时出现“crypto/rsa: verification error”）

There are plenty of answers in SO regarding this matter, however I am not able to fix this.关于这个问题，SO 中有很多答案，但我无法解决这个问题。 Does anyone know what am I missing here?有谁知道我在这里错过了什么？

UPDATE更新

I am also using a DeamonSet:我也在使用 DeamonSet：

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: registry-ca
  namespace: ches
  labels:
    k8s-app: registry-ca
spec:
  selector:
    matchLabels:
      name: registry-ca
  template:
    metadata:
      labels:
        name: registry-ca
    spec:
      containers:
      - name: registry-ca-docker
        image: busybox
        command: [ 'sh' ]
        args: [ '-c', 'mkdir /etc/docker/certs.d/my.local.registry:5000 && cp /home/core/tls.crt /etc/docker/certs.d/my.local.registry:5000/ca.crt && exec tail -f /dev/null' ]
        volumeMounts:
        - name: etc-docker
          mountPath: /etc/docker/certs.d
        - name: ca-cert
          mountPath: /home/core
      - name: registry-ca-containerd
        image: busybox
        command: [ 'sh' ]
        args: [ '-c', 'cat /home/core/tls.crt > /home/core-containerd/ca.crt && exec tail -f /dev/null']
        volumeMounts:
        - name: ca-cert
          mountPath: /home/core
        - name: etc-containerd
          mountPath: /home/core-containerd
      terminationGracePeriodSeconds: 30
      volumes:
      - name: etc-docker
        hostPath:
          path: /etc/docker/certs.d
      - name: ca-cert
        secret:
          secretName: ches-registry-secret
      - name: etc-containerd
        hostPath:
          path: /usr/local/share/ca-certificates

However the error persists.但是错误仍然存在。

Answer 1

Actually you did everything right setting up your private registry.实际上，您在设置私有注册表时所做的一切都是正确的。 However Kube.netes doesn't allow pulling images from insecure private registries (yes, a self-signed certificate is still considered "insecure").然而，Kube.netes 不允许从不安全的私有注册表中提取镜像（是的，自签名证书仍然被认为是“不安全的”）。

I'm afraid you have to tell every Kube.netes node that your my.local.registry is either an insecure registry or place the certificate file in every node (as described in the second link of Priyanka's answer).恐怕你必须告诉每个 Kube.netes 节点你的my.local.registry是一个不安全的注册表或者将证书文件放在每个节点中（如 Priyanka 答案的第二个链接中所述）。

A different option might be to create a certificate using letsencrypt, so it's signed by a known certificate authority, thus being "secure".一个不同的选择可能是使用 letsencrypt 创建一个证书，因此它由一个已知的证书颁发机构签名，因此是“安全的”。 But that limits the use of custom domain names.但这限制了自定义域名的使用。

x509：Kube.netes 中未知授权机构签名的证书（可能是因为“crypto/rsa：验证错误”）

问题描述

1 个解决方案

解决方案1
0 2022-11-22 21:15:22

x509：Kube.netes 中未知授权机构签名的证书（可能是因为“crypto/rsa：验证错误”）

问题描述

1 个解决方案

解决方案1 0 2022-11-22 21:15:22

解决方案1
0 2022-11-22 21:15:22