Error response from daemon: Get https://192.168.1.5/v2/: x509: certificate signed by unknown authority - docker-registry

I have a private docker registry set up and running. It is configured with a self-signed SSL certificate and works well.
I have managed to docker login from a remote machine, but first I had to copy the root CA to the client (Ubuntu 18.04 LTS) and update the ca-certificates:
sudo cp ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
This works and I can log in no problems.
Now I have another client I want to access this private docker repository. It is a Jenkins server running in docker on another box. I have copied the ca.crt to this box also and followed the steps above. Even after restarting the docker container I still cannot log into docker.
Error response from daemon: Get https://192.168.1.5/v2/: x509: certificate signed by unknown authority
I am absolutely confused, as I follow the steps on one Ubuntu box (18.04 LTS) and it works like a charm. But on the Jenkins container (Ubuntu Xenial 16.04) it gives this error.
What else can I check?

Well, for me I followed the official documentation about setting up Jenkins within a Docker container: https://www.jenkins.io/doc/book/installing/docker/#setup-wizard, and when I wanted to push my images built using Jenkins to my private registry (Harbor registry) I faced this problem of a self-signed certificate.
My environment is as follows:
I have Docker Engine installed on my VM (RHEL8).
I've defined a docker-compose file that contains 2 services:
docker-dind: in order to execute Docker commands inside Jenkins nodes, this one is going to be built based on a Dockerfile like below:
Example of docker-dind Dockerfile:
FROM docker:dind
# Providing Harbor's and our CA's (our private registry) certs to Docker that is linked to Jenkins (docker:dind)
RUN mkdir -p /etc/docker/certs.d/my.private.registry
COPY certs/ /etc/docker/certs.d/my.private.registry
PS: your certs/ folder should contain:
├── my.private.registry.cert <-- your Registry cert signed by your CA
├── my.private.registry.key <-- your Registry key signed by your CA
└── myRootCA.crt <-- Certificate authority that signed the registry certificate
jenkins-blueocean: the Jenkins Docker container. This one is also based on a Dockerfile, as mentioned in the documentation; I've made a few changes so that the Jenkins instance will trust all the certs issued by my self-signed CA (in your Dockerfile, add the following lines):
Example of jenkins-blueocean Dockerfile
# Copying our self-signed CA's cert so Jenkins-OS, Jenkins-JVM, and Jenkins-git will use it in the chain of trust
# (these steps need root: in the Jenkins image place them after USER root and before USER jenkins)
COPY certs/myRootCA.crt /usr/local/share/ca-certificates
# importing your CA cert into the Java keystore (same file name as copied above)
RUN keytool -import -noprompt -trustcacerts -alias myRootCA -file /usr/local/share/ca-certificates/myRootCA.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
# update your system cert store
RUN update-ca-certificates
# config Jenkins git to use your system store as a trusted one
RUN git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
Now run:
docker-compose up -d --build
It should fix the problem.
For more details about running Jenkins in a Docker container, check this:
https://www.jenkins.io/doc/book/installing/docker/#setup-wizard
For more details about integrating your private registry so it can be used by Docker, check this (Harbor Registry):
https://goharbor.io/docs/2.1.0/install-config/configure-https/

Related

`docker buildx build` failing when referring repo with TLS certificate signed with private CA

When building a Docker image based on an image in a private repo using a TLS certificate signed with a self-signed CA, everything works fine if that CA is already in the macOS Keychain or in the Windows Trusted Certificate Store – as long as you build using docker build.
However, when using docker buildx build the CA is not found and the build fails with a certificate error.
Consider this Dockerfile:
FROM dockerhub.my.private.mirror.org/oraclelinux:8.6
With docker build it works fine:
% docker build .
...
=> CACHED [1/1] FROM dockerhub.my.private.mirror.org/oraclelinux:8.6
...
However, using docker buildx build it fails:
% docker buildx build --load .
...
=> ERROR [internal] load metadata for dockerhub.my.private.mirror.org/oraclelinux:8.6
------
> [internal] load metadata for dockerhub.my.private.mirror.org/oraclelinux:8.6:
------
Dockerfile:1
--------------------
1 | >>> FROM dockerhub.my.private.mirror.org/oraclelinux:8.6
2 |
--------------------
error: failed to solve: dockerhub.my.private.mirror.org/oraclelinux:8.6: failed to do request: Head "https://dockerhub.my.private.mirror.org/v2/oraclelinux/manifests/8.6": x509: certificate signed by unknown authority
Does anyone know how to configure docker buildx to use the private CA certificate on macOS, Windows and Linux?
My answer is based on this: https://github.com/docker/buildx/blob/master/docs/guides/custom-registry-config.md
Create a buildkitd.toml and configure your private CA certificate:
[registry."your.dockerimagehost.example"]
ca=["/home/downloads/mycacert.pem"]
Create a docker builder:
docker buildx create --use --config buildkitd.toml
Then your build command should work.
This answer is for a Docker Desktop environment under Windows. I was having the same issue and the solution from @Lektro9 did not work out for me. However, I was successful with the answer stated here. The following content is based on it.
Add Registry Certificate as CA in BuildX container
BuildX for multi-platform builds runs in its own Docker container and you will have to take extra steps to add trust to registries with self-signed certificates. The following steps use the tool update-ca-certificates to get it done.
Access the buildx container by opening a shell:
docker exec -it buildx_buildkit_mybuilder0 /bin/sh
Go to the trusted certificates folder:
cd /usr/local/share/ca-certificates/
Copy the registry's certificate from the source location into the container, e.g. by scp:
scp <username>@<sourceIP>:/path/to/certificate/of/registry.crt ./<registrynameandport>.crt
Update the container's trusted CA list now by calling:
update-ca-certificates
You can ignore the following warning, which you might get:
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
Restart the builder container for the changes to take effect.
docker buildx build should work just fine now.
If unsure, you can verify that the process was successful by checking the content of /etc/ssl/certs inside the buildx container. It should now contain an entry named ca-cert-<registrynameandport>.pem and it should also be listed in the ca-certificates.crt file.

docker push with local notary server returns error: x509: certificate signed by unknown authority

I have been working on setting up a Docker notary on a CentOS 8 machine. I followed the README.md for the notary project, which tells me to use the testing certificate the project comes with by moving it to the .notary folder in my home directory. My hope here is that when my docker client is set up for it and when I properly tag the image, a docker push to my private docker repo (JFrog Artifactory) would result in a published image that is signed by the notary.
My private repo is running on its own machine and not on the machine where the notary server is running.
But every time I go for the push I get this error:
Signing and pushing trust metadata
Error: error contacting notary server: x509: certificate signed by unknown authority
One of the ways I tried to fix this is by copying over the test certificates from fixtures/root-ca.crt to /etc/pki/ca-trust/source/anchors/ after which I ran update-ca-trust.
$ sudo cp fixtures/root-ca.crt /etc/pki/ca-trust/source/anchors/
$ sudo update-ca-trust
But doing this also didn't help. Why is the notary server throwing this error? Help to resolve this would be greatly appreciated.
With docker content trust, you can add the CA to the user's home directory in a subdirectory under ~/.docker/tls:
mkdir -p ~/.docker/tls/${content_trust_hostname}
cp ca.pem ~/.docker/tls/${content_trust_hostname}/ca.crt
export DOCKER_CONTENT_TRUST=1
docker push ${content_trust_hostname}/${your_repo}:${tag}
Note that the certificate likely needs to end with "crt" and if you don't override the content trust server, the hostname will match the registry name.
I haven't had issues working on Azure Container Registry.
Working on the JFrog registry, I had the same error.
Your workaround helped me:
$ sudo cp fixtures/root-ca.crt /etc/pki/ca-trust/source/anchors/
$ sudo update-ca-trust
If it helps I can post my steps.
Thanks @RijoSimon
notary server: x509: certificate is valid for 127.0.0.1, not xx.xx.xx.xx (notary IP)
This error is because the certificate that is delivered with the notary server is only valid for notary-server, notaryserver, localhost. To make it work with your remote domain, you have to get a CA that works for your IP/domain.
Rijo, my solution is not complete because this doesn't work on a remote server; I'm facing an error:
Error: error contacting notary server: x509: certificate is valid for 127.0.0.1, not xx.xx.xx.xx (notary IP)
Here is my solution, where I was able to sign the image locally on the notary server and push it:
docker login artifactoryurl
username:
password:
Login successful
docker trust key generate keyname
export DOCKER_CONTENT_TRUST=0
docker build -f Dockerfile -t artifactoryurl/reponame:tag .
export DOCKER_CONTENT_TRUST_SERVER=http://127.0.0.1:4443
export DOCKER_CONTENT_TRUST=1
docker trust signer add --key keyname.pub name artifactoryurl/repo
docker trust sign artifactoryurl/reponame:tag
docker inspect artifactoryurl/reponame:tag
Hope it helps 😊

docker (behind a proxy) pull from azure container registry works but from registry-1.docker.io, it gives certificate signed by unknown authority error

In an Ubuntu 18.04 VM.
I am behind a proxy, and I've set up the Docker configuration with the same proxy.
I created an Azure container registry and when trying to docker pull from the registry it works.
But when trying to:
$ docker run node:6
I get the error:
"docker: Error response from daemon: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority."
I've added the registry to /etc/docker/daemon.json:
{
"insecure-registries": ["registry-1.docker.io","myazureContainerRegistry.azurecr.io"]
}
By doing the above step, "$ docker run myazureContainerRegistry.azurecr.io/myimage:tag" works but "$ docker run node:6" still gives the certificate error.
I've added the certificate for "*.docker.io" to /etc/docker/certs.d/docker.io and also to /usr/local/share/ca-certificates (sudo update-ca-certificates), still it doesn't work.
I've also tried to:
$ curl -k https://registry-1.docker.io/
$ wget https://registry-1.docker.io/ --no-check-certificate
Both of these steps work, but with docker (to run/pull node:6) I still get the certificate error.
The output of "$ docker --version" is: "Docker version 18.09.2"
This is what my ~/.docker/config.json looks like: [config.json]
I expect "docker run node:6" to pull the image successfully, but it actually gives the error.
For your issue, first of all you need to have the certificate in the ~/.docker/config.json. Then you can pull the image from the registry without login. Then you can execute the command without pulling the image beforehand. For you, the command is like this:
docker run registry-1.docker.io/node:6
On my side, the config.json looks like this:
And I can execute the command like this:
The URI of the registry in Docker Hub is https://index.docker.io/v1/charlesjunqiang.
Update
If you use the certificate file to authenticate to the Docker registry, then you should do some steps to authenticate to the Docker registry on the client machine.
First:
Add the certificate file to the directory /usr/local/share/ca-certificates/docker-dev-cert/ with the name yourname.crt. Then execute the commands:
sudo update-ca-certificates
sudo service docker restart
Second:
Create a directory in /etc/docker/certs.d with the same name as the registry, for example myregistry.azurecr.io. Then add the certificate file to it with the name yourname.cert. Also, you should add the .key file that was automatically created when you created the certificate file.
Then you can log in to the registry and run the command docker run registry-1.docker.io/node:6 as you want.
There are screenshots of the result on my side.

How to push a Docker Application Package to private registry via TLS using a self-signed certificate

docker-app is an experimental tool and I would like to use it with my self-hosted Docker registry, not the centralized Docker Hub. Seemingly it's supported, and based on the error message it tries to connect to my registry server, but it fails with this:
Error: Get https://domain.tld:port/v2/: x509: certificate signed by unknown authority
How could I push docker app packages to my registry via HTTPS keeping the same certificate?
I just found the way:
cp /path/of/cert/ca.crt /usr/local/share/ca-certificates/sub.domain.tld.crt
(substitute the correct path and (sub)domain name)
then:
update-ca-certificates
This solution works on Ubuntu 18.04; after this the docker-app push works as intended.
Please note that copying the ca.crt to Docker's /etc/docker/certs.d directory in a way that suits docker login does not work for docker-app.

Push\Pull docker images to Artifactory

I'm trying to push Docker images to Artifactory as part of a CI Jenkins job.
I have Artifactory installed with the URL art:8080.
I installed Docker on Win2016 and built my Dockerfile.
Now I'm stuck on how to push the output image of the Dockerfile.
I tried:
docker tag microsoft/windowsservercore art:8080/imageID:latest
docker push art:8080/docker-local:latest
but I get an error stating:
Get https://art:8080/v2/: dial tcp: lookup artifactory: getaddrinfow: No such host is known.
Where is the https coming from?
How do I push to the correct local docker repo in my Artifactory?
Docker requires you to use HTTPS. What I do (I use Nexus, not Artifactory) is set up a reverse proxy using nginx. Here is the doc for that: https://www.jfrog.com/confluence/display/RTF/Configuring+a+Reverse+Proxy
Alternatively, you can set Docker to not require HTTPS (though this is not recommended).
Since you're asking how to pull, these steps worked for an enterprise Artifactory where the CA certificates are not trusted outside the organization:
$ sudo mkdir -p /etc/docker/certs.d/docker-<artifactory-resolverhost>
$ sudo cp /tmp/ca.crt /etc/docker/certs.d/docker-<artifactory-resolverhost>
$ sudo chown root:docker /etc/docker/certs.d/docker-<artifactory-resolverhost>/ca.crt
$ sudo chmod 740 /etc/docker/certs.d/docker-<artifactory-resolverhost>/ca.crt
Where ca.crt is the base-64 chain of trusted CA certificates and <artifactory-resolverhost> is the resolver hostname of the repository, for example repo.jfrog.org if you were using the public repository. To confirm, you can ping <artifactory-resolverhost> to make sure it is reachable from your network.
Then you should be able to pull an image with your user belonging to the docker group, for example:
docker pull docker-<artifactory-resolverhost>/<repository-name>/rhel7-tomcat:8.0.18_4
You can then view the downloaded image with the command below:
docker images
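A recurring point in the threads above (the Harbor/Jenkins answer's certs.d layout, the proxy question where a certificate under /etc/docker/certs.d/docker.io changed nothing, the notary answer's ~/.docker/tls/<host>/ directory, and the Artifactory answer's certs.d directory named after the host) is that a private CA is only picked up if it sits in the directory the specific Docker component derives from the image reference. The following is an added example, not code from any of the posts: it reproduces Docker's reference normalisation (the rules of distribution/reference.ParseNormalizedNamed) and prints, for the sample references taken from the questions, which host the daemon contacts and which directories the daemon and the content-trust client read a *.crt CA from. The behaviour stated in the comments is assumed from the daemon's endpoint lookup (docker.io is served by registry-1.docker.io through the system trust store only, so neither certs.d nor "insecure-registries" applies to it) and from the CLI's trust client, which reads ~/.docker/tls/<trust server host>/. One caveat a client operator should keep in mind: a certs.d directory takes CA certificates (*.crt) and, for mutual TLS, a client *.cert/*.key pair; a registry's own private key, as listed in the Harbor answer's certs/ folder, never belongs on a client.

```python
"""Trust-store lookup for a Docker image reference.

Added example, not code from any of the posts above. It reproduces the
reference normalisation Docker performs (the rules of
distribution/reference.ParseNormalizedNamed) and derives from the result
the directory each Docker component reads a private CA from.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_DOMAIN = "docker.io"
LEGACY_DEFAULT_DOMAIN = "index.docker.io"
OFFICIAL_REPO_PREFIX = "library"
HUB_V2_ENDPOINT = "registry-1.docker.io"   # what the daemon contacts for docker.io
HUB_NOTARY = "notary.docker.io"            # default content-trust server for docker.io
CERTS_DIR = "/etc/docker/certs.d"


@dataclass
class Reference:
    domain: str            # registry as Docker names it, e.g. "art:8080" or "docker.io"
    path: str              # repository path, e.g. "library/node"
    tag: Optional[str]
    digest: Optional[str]


def parse_reference(ref: str) -> Reference:
    """Split an image reference the way the Docker CLI and daemon do."""
    # The first path component is a registry host only if it contains '.' or ':',
    # is "localhost", or has upper-case letters (repository names are lower-case).
    # Otherwise the reference is a Docker Hub one.
    i = ref.find("/")
    first = ref[:i] if i != -1 else ""
    looks_like_host = i != -1 and (
        "." in first or ":" in first or first == "localhost" or first.lower() != first
    )
    if looks_like_host:
        domain, remainder = first, ref[i + 1:]
    else:
        domain, remainder = DEFAULT_DOMAIN, ref
    if domain == LEGACY_DEFAULT_DOMAIN:
        domain = DEFAULT_DOMAIN
    if domain == DEFAULT_DOMAIN and "/" not in remainder:
        remainder = OFFICIAL_REPO_PREFIX + "/" + remainder   # "node" -> "library/node"

    digest = None
    if "@" in remainder:
        remainder, digest = remainder.split("@", 1)
    # A ':' after the last '/' separates the tag from the repository path.
    tag = None
    colon = remainder.find(":", remainder.rfind("/") + 1)
    if colon != -1:
        remainder, tag = remainder[:colon], remainder[colon + 1:]
    if tag is None and digest is None:
        tag = "latest"
    return Reference(domain, remainder, tag, digest)


@dataclass
class TrustStores:
    endpoint: str                      # host the daemon actually connects to
    daemon_certs_dir: Optional[str]    # where the daemon looks for a *.crt CA, if anywhere
    content_trust_dir: str             # where the CLI looks for the notary server's *.crt CA


def trust_stores(domain: str, home: str = "~", trust_server: Optional[str] = None) -> TrustStores:
    """Directories a CA must be placed in for this registry to be trusted.

    trust_server mirrors DOCKER_CONTENT_TRUST_SERVER; when unset the CLI
    derives the notary host from the registry (notary.docker.io for Hub).
    """
    if domain == DEFAULT_DOMAIN:
        # Assumed daemon behaviour: Docker Hub is special-cased by the endpoint
        # lookup and reached through the system trust store only. Nothing under
        # /etc/docker/certs.d is consulted and "insecure-registries" does not apply.
        endpoint, certs_dir, notary_host = HUB_V2_ENDPOINT, None, HUB_NOTARY
    else:
        # Any other registry: the certs.d directory is named exactly like the host,
        # port included (e.g. /etc/docker/certs.d/art:8080/ca.crt).
        endpoint, certs_dir, notary_host = domain, f"{CERTS_DIR}/{domain}", domain
    if trust_server:
        notary_host = urlsplit(trust_server).netloc   # e.g. "127.0.0.1:4443"
    return TrustStores(endpoint, certs_dir, f"{home}/.docker/tls/{notary_host}")


if __name__ == "__main__":
    # Constructed sample references, taken from the questions on this page.
    for ref in ("node:6", "art:8080/docker-local:latest",
                "dockerhub.my.private.mirror.org/oraclelinux:8.6",
                "myazureContainerRegistry.azurecr.io/myimage:tag"):
        r = parse_reference(ref)
        s = trust_stores(r.domain)
        print(f"{ref:55} -> {s.endpoint:35} daemon CA dir: {s.daemon_certs_dir}  "
              f"content-trust CA dir: {s.content_trust_dir}")
```

Run it as a script to see the table; the first row is the proxy question's case (node:6 resolves to registry-1.docker.io with no certs.d directory at all, so the only place the CA can go is the system store followed by a daemon restart), and the second is the Artifactory question's case, where the certs.d directory must carry the port.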
