I have a private Harbor server with a self-signed cert on, let's say, 192.168.100.20, and the DNS in my network also resolves this to harbor.ksa.
Now I want to pull images from this server, and I am adding:
"insecure-registries" : ["https://harbor.ksa", "https://192.168.100.20"]
in daemon.json, but for some reason it only works for the IP address; when I try to pull from harbor.ksa I get:
x509: certificate signed by unknown authority
But both the IP and the DNS name resolve to the same service with the same certificate.
I'm on a corporate intranet. The container host is a Windows server and the container will be deployed in a Nano Server. I have an ASP.NET Core site that's using Kestrel.
I'm able to get a self-signed cert successfully installed via a volume, but our browsers throw up a cert validation error. The issue with getting a valid cert installed is that the container site is only viewable via an IP address, and I'm aware you can't tie a non-self-signed cert to an IP. As this is an intranet, the IP address is obviously not public. Would a corporate-level cert work for a container host that's a member server?
Any ideas are appreciated.
I'm trying to create a secure private Docker registry that would work only in the local network and be accessed by IP address.
I have read a lot of articles regarding this issue, but most of them talk about the need to have a registered domain name that points to a valid public IP address (where the registry is), and then obtaining a certificate for such a domain.
I'd like to know if there's a way of creating a docker registry with the following properties:
accessible only from the local network
secured with a valid certificate (not the self-signed certificate, which is still considered "insecure" by Docker)
How would I obtain a valid certificate for such a registry? I understand that certificates cannot be created for IP addresses alone, but can I generate a certificate for a domain that is registered but doesn't point to any public IP (I've read something about the dns-01 challenge, so I believe it's possible) and then use that certificate, provided I map the said domain to the local IP of the server in my hosts file?
If this isn't possible, what is the best alternative for creating a secure, local, private Docker registry?
Use Nginx to secure your Docker Registry.
The relevant documentation is here:
https://github.com/docker/distribution/tree/master/contrib/compose
You can use self-signed certificates if you add the root CA to /usr/local/share/ca-certificates and run update-ca-certificates command on the clients.
I have a website that I'm running on a DigitalOcean droplet, which I want to continuously deploy via Docker and a TeamCity build server which I have running on my home server. I want to enable HTTPS on my Docker repo, with a self-signed certificate, and without a domain name.
Let's say my home's ip address is 10.10.10.10 and the docker repo is running on port 5000.
I followed the steps here; however, Docker on my website complained that it cannot connect to the Docker repo on my home server because it doesn't specify an IP in the SAN extension.
Okay. So I created a new certificate without the CN field and only an IP in the SAN, and now my cert config on my website looks like...
/etc/docker/certs.d/10.10.10.10:5000/ca.crt
I also added the cert to my general certs (Ubuntu 16.04 btw)
Then I try to pull the image from my home server to my website...
docker pull 10.10.10.10:5000/personal_site:latest
However, I'm getting this error.
Error response from daemon: Get https://10.10.10.10:5000/v1/_ping: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "serial:xxx")
I thought by adding my cert to the /etc/docker/... it would accept a self-signed cert. Anyone have any advice here?
You can't use a self-signed certificate for this; it needs to be a CA certificate. Follow the same steps required to create a certificate for a Docker host and store your CA in /etc/docker/certs.d/.... Or you can also define 10.10.10.10 as an insecure registry as part of the Docker daemon startup (dockerd --insecure-registry 10.10.10.10:5000 ...) and Docker should ignore any certificate issues.
I just did the same thing with these instructions: create private repo with password without domain and ssl. That will require you to add the certificate on the client and the domain in the hosts file (if you'd like to have a domain yourself without registering a new one).
I have installed Docker on a Windows 7 machine. If I connect to the Internet outside my company network everything works fine, but when I connect to the Internet from my company network and try to pull an image from Docker Hub, I just get "docker: Network timed out while trying to connect to .... You may want to check your internet connection or if you are behind a proxy..".
I have edited the /var/lib/boot2docker/profile file by adding the following two lines
export "HTTP_PROXY=http://me:mypassword#proxyhost:proxyport"
export "HTTPS_PROXY=http://me:mypassword#proxyhost:proxyport"
rebooted the Docker machine and tried to pull an image, and get the following error:
Error while pulling image: Get https://index.docker.io/v1/repositories/library/ubuntu/images: x509: certificate signed by unknown authority
edit: CA certification details
The problem is that your corporate proxy is using its own SSL certificate, which Docker doesn't trust. What you're going to have to do is download a copy of the CA certificate and trust it on any machines you want to use behind the firewall. Check this answer for how to trust a certificate:
Docker behind proxy that changes ssl certificate
Docker version 1.2.0, build 2a2f26c/1.2.0,
docker registry 0.8.1
I set up a Docker private registry on CentOS 7 and created my custom SSL cert. When I try to access my Docker registry using HTTPS I get x509: certificate signed by unknown authority. I found a solution for this by placing the cert file under "/etc/pki/tls/certs", then doing
"update-ca-trust"
"service docker restart"
Now it started to read my certificate. I can log in and pull and push to the Docker private registry
"https://localdockerregistry".
Now when I try to read from the online Docker registry (https://index.docker.io/v1/search?q=centos) like
"docker search centos"
I get
"Error response from daemon: Get https://index.docker.io/v1/search?q=centos: x509: certificate signed by unknown authority"
I exported the docker.io cert from the Firefox browser and put it under "/etc/pki/tls/certs", then did "update-ca-trust" and "service docker restart", but get the same error. It looks like the Docker client can't decide which cert to use for which repository.
Any ideas how we can fix "x509: certificate signed by unknown authority" for the online Docker registry while using your own Docker private registry?
The correct place to put the certificate is on the machine running your docker daemon (not the client) in this location: /etc/docker/certs.d/my.registry.com:5000/ca.crt where my.registry.com:5000 is the address of your private registry and :5000 is the port where your registry is reachable. If the path /etc/docker/certs.d/ does not exist, you should create it -- that is where the Docker daemon will look by default.
This way you can have a private certificate per private registry and not affect the public registry.
This is per the docs on http://docs.docker.com/reference/api/registry_api/
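An added example, not code from any of the posts above or from Docker itself: Docker's registry client is written in Go, and the x509 messages quoted in these questions (the bare "certificate signed by unknown authority", the "parent certificate cannot sign this kind of certificate" hint, the missing-IP-SAN complaint) are the ones Go's crypto/x509 package produces, so the same checks can be reproduced offline with certificates generated in memory. The block builds a private CA, a server certificate carrying both the DNS name and the IP address in its SAN, a DNS-only server certificate, and a plain self-signed server certificate, then verifies each the way the daemon does for the host it dialed. The roots handed to each check play the role of the ca.crt under /etc/docker/certs.d/<host:port>/, which is why trust added for one registry leaves Docker Hub on the system roots. The names harbor.example and 192.0.2.20 are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues a certificate with the given subject and SANs. With parent == nil
// the certificate is self-signed. isCA sets basicConstraints CA:TRUE plus the
// keyCertSign usage, which is what Go's verifier (and therefore Docker) demands
// of anything placed in /etc/docker/certs.d/<host:port>/ca.crt.
func newCert(subject pkix.Name, dns []string, ips []net.IP, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // must be positive
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              dns,
		IPAddresses:           ips,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verify does what the registry client does after the TLS handshake: chain the
// presented leaf to a trusted root and match the name that was dialed. roots
// stands in for the ca.crt files under certs.d/<host:port>; an empty list means
// nothing is trusted, the fresh-install and intercepting-proxy case.
func verify(leaf *x509.Certificate, roots []*x509.Certificate, dialed string) string {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dialed}); err != nil {
		return err.Error()
	}
	return "ok"
}

// Scenarios builds the certificates and reports each verification outcome,
// either "ok" or the exact error text Go (and so Docker) would print.
func Scenarios() map[string]string {
	ip := net.ParseIP("192.0.2.20") // constructed placeholder address
	ca, caKey := newCert(pkix.Name{CommonName: "Private Registry CA"}, nil, nil, true, nil, nil)
	trusted := []*x509.Certificate{ca}
	server, _ := newCert(pkix.Name{CommonName: "harbor.example"},
		[]string{"harbor.example"}, []net.IP{ip}, false, ca, caKey)
	dnsOnly, _ := newCert(pkix.Name{CommonName: "harbor.example"},
		[]string{"harbor.example"}, nil, false, ca, caKey)
	// Self-signed server cert with only an IP SAN and no CN, like the one in the
	// 10.10.10.10:5000 question. CA:FALSE means it cannot vouch for any
	// certificate, here a re-issued server cert signed with its own key.
	selfSigned, selfKey := newCert(pkix.Name{OrganizationalUnit: []string{"registry"}},
		nil, []net.IP{ip}, false, nil, nil)
	reissued, _ := newCert(pkix.Name{OrganizationalUnit: []string{"registry"}},
		nil, []net.IP{ip}, false, selfSigned, selfKey)

	return map[string]string{
		"ca trusted, dial by dns":    verify(server, trusted, "harbor.example"),
		"ca trusted, dial by ip":     verify(server, trusted, "192.0.2.20"),
		"ca trusted, wrong name":     verify(server, trusted, "registry.example"),
		"dns-only cert, dial by ip":  verify(dnsOnly, trusted, "192.0.2.20"),
		"no trust anchor":            verify(server, nil, "harbor.example"),
		"self-signed leaf as ca.crt": verify(reissued, []*x509.Certificate{selfSigned}, "192.0.2.20"),
	}
}

func main() {
	for name, result := range Scenarios() {
		fmt.Printf("%-28s %s\n", name, result)
	}
}
```

Run it with `go run .` and compare the rows: dialing by IP or by DNS name succeeds only when that exact name is in the SAN (a certificate that carries one but not the other verifies under one address and fails under the other, even though it is the same service and the same certificate), an empty trust store gives the bare "unknown authority" error, and a CA:FALSE self-signed certificate dropped in as ca.crt produces the "parent certificate cannot sign this kind of certificate" hint, which is the mechanism behind the advice that ca.crt must be a CA certificate rather than the server's own self-signed one. Because the roots are looked up per registry, nothing here touches what Docker Hub is verified against.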
I had the problem with a docker registry running in a container behind a Nginx proxy with a StartSSL certificate.
In that case you have to append the intermediate ca certs to the nginx ssl certificate, see https://stackoverflow.com/a/25006442/1130611