How to Configure TLS Certs for Signing Container Images With Cosign - docker

I'm trying to use cosign to sign container images in a local docker registry. However, when I try I keep getting the error remote error: tls: bad certificate. I'm fairly sure this is because cosign doesn't know where to find the cert files for the registry - I can push and pull from the registry just fine, and I've verified the cert chain using openssl. However, I've looked through the GitHub documentation and the --help info for cosign, and I can't see how to tell it which certs to use. There are the --cert and --cert-chain options, which I have tried, but as far as I can tell those basically include the certs as part of the signature rather than using them to connect to the server. Any help is appreciated!

Related

Container fails to make network requests - x509: certificate signed by unknown authority

A container running behind a K8s service fails to make network requests with the error x509: certificate signed by unknown authority.
The container is an API that serves incoming requests and makes external network requests before responding; it's running in a local K8s cluster managed by Docker Desktop. The third-party API being called is failing the certificate validation, and I'm not using a proxy or VPN.
What could be the cause of this?
I hope this helps someone else as there are many different discussions about this topic online.
The fix seems to be that when doing a multi stage docker build and using e.g. FROM golang:alpine3.14 AS build along with FROM scratch, the root certificates are not copied into the image.
Adding this to the Dockerfile after the FROM scratch line removes the error.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
This was found on this stackoverflow answer

How to add secure registry to docker configuration

I'm trying to use registry.centos.org with docker.
I've tried adding the below to /etc/docker/daemon.json as, intuitively, this would seem like the obvious place to add it, and the logical variable name.
{
"insecure-registries": ["172.30.0.0/16"],
"secure-registries": ["registry.centos.org"]
}
I then tried to restart the docker service, but it failed to restart.
Google provides lots of links on how to set up a secure registry, but I couldn't find any info on how to add new secure registries to the docker configuration.
Likewise, the website for registry.centos.org also doesn't provide any info on how to do this.
If you are able to pull the image, then there's nothing further to do. All external registries by default are secure, which means docker will require a TLS connection and valid certificate for the registry server. The insecure registry section is to allow exceptions to this rule.
There is also the option to override the CA certificate for a registry server, which is useful if you have a self hosted registry server, with TLS, but an unknown CA. For this, you would place the CA certificate, and any intermediate certificates, in /etc/docker/certs.d/${hostname}:${port}/ca.crt e.g. /etc/docker/certs.d/registry.example.com:5000/ca.crt.
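The per-registry CA layout described in the answer above, as an added shell example that is not part of the original answer. It stages a CA bundle for one registry under the path the Docker daemon reads, /etc/docker/certs.d/host:port/ca.crt, and then checks that a server certificate chains to that staged CA with openssl, which is the same trust decision the daemon will make. DOCKER_CERTS_ROOT is an assumed override (not a Docker setting) so the functions can be exercised in a scratch directory without root; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original answer. Stages a private CA where the
# Docker daemon looks for it and verifies a server certificate against it.
# DOCKER_CERTS_ROOT is an assumed override for testing; Docker itself only
# reads /etc/docker/certs.d.
set -eu

: "${DOCKER_CERTS_ROOT:=/etc/docker/certs.d}"

# Print the ca.crt path Docker consults for a "host[:port]" registry reference.
# Rejects empty values and anything with a slash or space, which would escape
# the certs.d directory or never match a registry name.
docker_ca_path() {
  registry="$1"
  case "$registry" in
    ""|*/*|*" "*)
      echo "docker_ca_path: expected host[:port], got '$registry'" >&2
      return 1 ;;
  esac
  printf '%s/%s/ca.crt\n' "$DOCKER_CERTS_ROOT" "$registry"
}

# Install a PEM CA bundle (root plus any intermediates, concatenated) for a
# registry. Prints the destination path on success.
install_registry_ca() {
  registry="$1"
  ca_file="$2"
  dest="$(docker_ca_path "$registry")" || return 1
  # Refuse files that are not PEM certificates; a key or a DER blob here
  # would silently leave the daemon without a usable trust anchor.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file" || {
    echo "install_registry_ca: $ca_file is not a PEM certificate bundle" >&2
    return 1
  }
  mkdir -p "$(dirname "$dest")"
  cp "$ca_file" "$dest"
  chmod 644 "$dest"
  printf '%s\n' "$dest"
}

# Verify that a registry server certificate chains to the staged CA, using
# only that CA as the trust store (requires the openssl CLI).
verify_registry_cert() {
  registry="$1"
  server_cert="$2"
  openssl verify -CAfile "$(docker_ca_path "$registry")" "$server_cert" >/dev/null 2>&1
}

# Typical use on a Docker host (needs root when DOCKER_CERTS_ROOT is unset):
#   install_registry_ca registry.example.com:5000 ./ca.pem
#   verify_registry_cert registry.example.com:5000 ./server.pem && echo ok
```

The verify step is worth running before restarting anything: if openssl rejects the chain with only ca.crt as the trust store, the daemon will reject it too, and the usual cause is a missing intermediate that should have been concatenated into the bundle.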

Docker gitlab-runner x509: cannot validate certificate

I am running gitlab and gitlab-runner in two docker containers.
I created self-signed certificates for gitlab following this manual: http://clusterfrak.com/sysops/linux/linux_self_signed_certificate/
I can access gitlab from the browser https://my_ip
But when I try to register gitlab-runner I get this error:
x509: cannot validate certificate for 192.168.1.46 because it doesn't contain any IP SANs
What can be the issue?
I also tried to disable SSL validation in config.toml, but it looks like I cannot do that in the latest version of gitlab-runner.
I tried hundreds of different options and it looks like I am stuck.
Maybe somebody has had a similar problem.
Thank you.

docker registry v2 ui with docker_auth

I have the registry v2 container and docker_auth up and running. The registry uses a self-signed certificate which was created with my CA. I can pull and push images without any problem, so the configuration is working properly.
I would like to have a UI for this registry to browse images. I have tried many of them:
https://github.com/kwk/docker-registry-frontend not support token based auth
https://shipyard-project.com only supports v1 registries
https://github.com/SUSE/Portus looks quite heavy weight for me
https://github.com/mkuchin/docker-registry-web - I configured it with my keyfile and set the issuer, but I couldn't add my repo; it always returns 401. In the docker registry log I found "token intended for another audience: \"mydockerrepo:5000\"". I tried different names but none of them worked. I checked the crt and key files and I am using the correct crt-key pair.
Is there any other UI I should try?
Can somebody help me with the "audience" error message?

How to fix insecure-registry error on clients by updating the docker registry server

When upgrading to docker 1.3 the docker client produced the following error:
...
If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry <my registry>` to the daemon's arguments.
...
This registry is behind our company's firewall, so I do not wish to add any security. Is there a way to remove this error at the registry server? What is the simplest way to do this? Is it enabling https or is there a simpler trick?
I do not want to update the config for all the registry clients
You have to use https if you want to avoid this warning. You also need a certificate signed by a known CA. Docker is trying to enforce security this way.
The other possibility is to use --insecure-registry when using the client.
