Simple docker command does not work: x509: cannot validate certificate
Nexus private docker pull image failing with x509: cannot validate certificate error
I installed Nexus-3.15.2-01 on CentOS-7.6, with an Nginx reverse proxy and a self-signed SSL certificate configured for access over HTTPS. HTTPS access works fine in the browser.
HTTPS access is enabled for the Nexus private Docker repository.
From my Docker host, when I try to pull a Docker image from my Nexus private Docker hub server, it fails as shown below.
docker pull 101.102.103.104:5051/docker-image-14:1
Error response from daemon: Get https://101.102.103.104:5051/v2/: x509: cannot validate certificate for 101.102.103.104 because it doesn't contain any IP SANs
I have moved my nexus.crt file to /etc/docker/certs.d/101.102.103.104:5051/ on the Docker host. It still does not work.
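For a Docker registry, the certificate must be generated with a subjectAltName, as described in the documentation.
You can try creating the certificate like this: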
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=101.102.103.104" -sha256 -new -key server-key.pem -out server.csr
echo subjectAltName = DNS:101.102.103.104,IP:101.102.103.104,IP:127.0.0.1 >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Then you can check that the Subject Alternative Name (SAN) is present in the certificate with the following command:
openssl x509 -in server-cert.pem -text -noout
Now try again. Don't forget to put the new certificate in /etc/docker/certs.d/101.102.103.104:5051/
If you then get a new error, x509: certificate signed by unknown authority, you need to specify the following option in /etc/default/docker:
DOCKER_OPTS="--insecure-registry 101.102.103.104:5051"
Then restart the daemon (add sudo if your user is not allowed to start the docker service):
$ [sudo] service docker restart
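Both x509 errors on this page come from Go's crypto/x509 verifier, which the Docker daemon uses. The Go program below is an added example, not part of the original question or answer: it builds throwaway self-signed certificates for the question's address and verifies them with and without an IP SAN and with and without trust. The helper names selfSigned and verify are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const registryIP = "101.102.103.104" // registry address from the question

// selfSigned returns a throwaway cert (constructed test data) with
// CN=registryIP and one IP subjectAltName per entry in ipSANs.
func selfSigned(ipSANs ...string) *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: registryIP},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	for _, s := range ipSANs {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(s))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above
	return cert
}

// verify validates cert for registryIP against the trusted certificates,
// as a Go TLS client does; a nil result means the certificate is accepted.
func verify(cert *x509.Certificate, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: registryIP, Roots: roots})
	return err
}

func main() {
	cnOnly, withSAN := selfSigned(), selfSigned(registryIP)
	fmt.Printf("CN only, trusted: %v\nIP SAN, untrusted: %v\nIP SAN, trusted: %v\n",
		verify(cnOnly, cnOnly), verify(withSAN), verify(withSAN, withSAN))
}
```

The exact wording of the first error depends on the Go version. Only the certificate that both carries the IP SAN and is in the trusted set verifies without an error.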