stackoom
  简体   繁体   中英

Login to private registry from inside cloud-builders/docker step fails - certificate signed by unknown authority

 原文  2020-08-07 07:17:44       docker/ ssl-certificate/ docker-registry/ google-cloud-build

Question

I need to authenticate to a private registry with a self signed certificate during a Cloud Build step. If I directly execute a docker login , for obvious reasons, this fails with an error: x509: certificate signed by unknown authority - all fine.

Typically, I'm resolving these kind of issues with the following one-liner:

openssl s_client -showcerts -connect external-registry.io:5000 < /dev/null | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/local/share/ca-certificates/external-registry.io.crt && \
    update-ca-certificates

Sadly, it doesn't work in Cloud Build.

name: 'gcr.io/cloud-builders/docker'
env:
entrypoint: 'bash'
args:
    - '-c'
    - |
        openssl s_client -showcerts -connect external-registry.io:5000 < /dev/null | \
            sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/local/share/ca-certificates/external-registry.io.crt && \
            update-ca-certificates

        echo password | docker login external-registry.io:5000 --username administrator --password-stdin
        ...

The above doesn't work, it fails with error: x509: certificate signed by unknown authority .

Interestingly, running the cloud-builders docker container locally everything works flawlessly as expected.

git clone https://github.com/GoogleCloudPlatform/cloud-builders.git
cd cloud-builders/docker
docker build -f ./Dockerfile-19.03.8 -t cloudbuilder .
docker run -it --entrypoint /bin/bash cloudbuilder

now inside the container:

openssl s_client -showcerts -connect external-registry.io:5000 < /dev/null | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/local/share/ca-certificates/external-registry.io.crt && \
    update-ca-certificates

echo password | docker login external-registry.io:5000 --username administrator --password-stdin

Login Succeeded

Any explanation and / or workaround would be very appreciated. How is Google running the cloud-builder containers effectively?

Thank you and cheers!

1 answers

solution1
 0  2022-10-04 12:53:45

Have the same problem. In my case using Worker Pool to Reach a Private Registry added certs into /etc/docker/certs.d/hostname

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question ERROR: build step 0 "gcr.io/cloud-builders/docker" failed: exit status 1 Google Cloud Build for Python app triggered docker build fails to pull pip requirement from private artefact registry AWS SES Error: x509: certificate signed by unknown authority Cannot install private dependency from artifact registry inside docker build How to pull image from private Docker registry in KubernetesPodOperator of Google Cloud Composer? Bitbucket pipelines: Docker login to private ECR succeeds, but pull fails How to migrate docker images from private third party registry to Google artifact registry? How to debug docker push to google cloud artifacts registry error "manifest unknown: Requested entity was not found."? running commands from cloud-builders-community/sonarqube/ AWS Batch not working with private docker registry
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM