When I try to deploy something with the Docker registry, I get this error every time:
x509: cannot validate certificate for 10.2.10.7 because it doesn't contain any IP SANs
Question:
How can I disable SSL when deploying an image from the Docker registry to Kubernetes?
Assuming relaxed security is OK for your environment, a way to accomplish in Kubernetes what you want is to configure Docker to connect to the private registry as an insecure registry.
Per the doc here:
With insecure registries enabled, Docker goes through the following steps:
First, try using HTTPS. If HTTPS is available but the certificate is invalid, ignore the error about the certificate.
If HTTPS is not available, fall back to HTTP.
Notice that the change to /etc/docker/daemon.json described in that doc - adding "insecure-registries" configuration - has to be applied to all nodes in the Kubernetes cluster on which pods/containers can be scheduled to run. Plus, Docker has to be restarted for the change to take effect.
It is also worth noting that the above assumes the cluster uses the Docker container runtime and not some other runtime (e.g. CRI-O) that supports the Docker image format and registry.
As you're using a self-signed TLS certificate, you need to add the certificate to the known certificates list.
Grab your .crt file and copy it to the client machine's SSL certificates directory.
For ubuntu:
$ sudo cp registry.crt /usr/local/share/ca-certificates/registry.crt
$ sudo update-ca-certificates
Now restart docker:
$ sudo systemctl restart docker
For CentOS 7:
Copy the certificate into /etc/pki/ca-trust/source/anchors/
Run the update-ca-trust command.
My problem was with certificates because I used self-signed TLS certificates. It is not a good idea. You might run into the known certificates list and will need to add certificates each time and use the update-ca-certificates command (if you are using CentOS 7). However, you might encounter another issue with certificates, with another error code.
To resolve this issue I've used a third-party Certificate Authority called Let's Encrypt.
Related
I am trying to set up a Docker registry server in Kubernetes with Minio as the storage backend, where Minio uses a self-signed certificate for TLS. I am pushing my images from a client Docker instance connected to a Docker-in-Docker container.
(client -> d-in-d -> registry -> minio)
When I try to initiate a push, the registry registers an x509: certificate signed by unknown authority error.
I tried:
Put the CA bundle (the standard Kubernetes CA bundle) used by Minio into every container (registry, d-in-d, and client), run update-ca-certificates.
Concatenate the CA bundle with the registry's certificate and put the file in /etc/docker/certs.d/REGISTRY_DOMAIN/. (https://github.com/distribution/distribution/issues/426)
Set the environment variable AWS_CA_BUNDLE in the registry deployment. This, in my opinion, would fix the issue, but the AWS SDK does not allow to override settings after creating a session. The next step would be to modify the registry source to load this env var.
None of these attempts worked. Is there something I'm overlooking?
I recently made an update to the SSL certificate on the domain hosting my Docker private repository. Now I am not able to log in to it on my Linux server. I get the following error:
x509: certificate signed by unknown authority
I was encountering the same problem on my local Windows machine; however, restarting Docker seemed to work. I have now tried many times to do the same on the Linux server, but restarting Docker is not working. The error is persistent.
Does Docker cache previous login information (like the SSL certificate key, etc.)?
How can I flush (clear the cache) and force Docker to make a fresh login request?
I used Let's Encrypt to generate a certificate.
Thanks
A quick solution:
Edit or create the file /etc/docker/daemon.json and add insecure-registries:
Example for docker.example.org:
{
"insecure-registries" : ["docker.example.org:443"]
}
Restart the Docker daemon:
systemctl restart docker
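Several answers on this page say "add insecure-registries to /etc/docker/daemon.json" on every node, and the usual mistake when doing that by hand is to overwrite a daemon.json that already holds other settings. The following added Go example (not code from any poster or from Docker) merges one registry entry into an existing daemon.json document, preserves every other key, skips duplicates, and rejects URL or wildcard forms so that a typo cannot widen the TLS bypass beyond the one host:port intended. The sample document in the test and the host docker.example.org:443 are constructed; the tool prints the merged file rather than writing it in place.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"os"
	"strconv"
	"strings"
)

// addInsecureRegistry merges registry (host, host:port or CIDR) into the
// "insecure-registries" list of the daemon.json document in raw and returns
// the updated document. Other keys are preserved; an entry that is already
// present leaves the document untouched. Empty raw means "no daemon.json yet".
func addInsecureRegistry(raw []byte, registry string) ([]byte, error) {
	if err := validateRegistry(registry); err != nil {
		return nil, err
	}
	cfg := map[string]any{}
	if len(raw) > 0 {
		if err := json.Unmarshal(raw, &cfg); err != nil {
			return nil, fmt.Errorf("daemon.json is not valid JSON: %w", err)
		}
	}
	var list []string
	if existing, ok := cfg["insecure-registries"]; ok {
		items, ok := existing.([]any)
		if !ok {
			return nil, errors.New(`"insecure-registries" is not a JSON array`)
		}
		for _, it := range items {
			s, ok := it.(string)
			if !ok {
				return nil, errors.New(`"insecure-registries" contains a non-string entry`)
			}
			if s == registry {
				return raw, nil // already listed: nothing to change
			}
			list = append(list, s)
		}
	}
	cfg["insecure-registries"] = append(list, registry)
	return json.MarshalIndent(cfg, "", "  ")
}

// validateRegistry accepts the forms dockerd takes for this setting (hostname
// or IP, optionally with a port, or a CIDR block) and rejects URLs, wildcards
// and paths, so the bypass stays scoped to exactly one registry endpoint.
func validateRegistry(s string) error {
	if s == "" || strings.Contains(s, "://") || strings.ContainsAny(s, " \t*") {
		return fmt.Errorf("invalid registry %q: use host, host:port or CIDR, not a URL or wildcard", s)
	}
	if _, _, err := net.ParseCIDR(s); err == nil {
		return nil
	}
	host, port, err := net.SplitHostPort(s)
	if err != nil { // no port given: a bare hostname or IP
		host, port = s, ""
	}
	if host == "" || strings.Contains(host, "/") {
		return fmt.Errorf("invalid registry %q", s)
	}
	if port != "" {
		n, err := strconv.Atoi(port)
		if err != nil || n < 1 || n > 65535 {
			return fmt.Errorf("invalid port in %q", s)
		}
	}
	return nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: insecure-registry-merge <daemon.json> <host:port>")
		os.Exit(2)
	}
	raw, err := os.ReadFile(os.Args[1])
	if err != nil && !errors.Is(err, os.ErrNotExist) {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, err := addInsecureRegistry(raw, os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Review the output, install it as /etc/docker/daemon.json on every node
	// that can schedule pods, then restart dockerd on each of them.
	os.Stdout.Write(out)
	fmt.Println()
}
```

Keep in mind what the setting does: for the listed endpoint the daemon ignores certificate errors and will fall back to plain HTTP, so the merged entry should name the exact host and port and nothing broader; adding the registry's CA to the trust store, as the other answers describe, is the option that keeps verification on.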
The answer above is correct. Use the insecure-registries flag to avoid "x509: certificate signed by unknown authority", or add the CA .crt files to Docker.
docker-app is an experimental tool, and I would like to use it with my self-hosted Docker registry, not the centralized Docker Hub. Seemingly it's supported, and based on the error message it tries to connect to my registry server, but it fails with this:
Error: Get https://domain.tld:port/v2/: x509: certificate signed by unknown authority
How could I push docker app packages to my registry via HTTPS keeping the same certificate?
I just found the way:
cp /path/of/cert/ca.crt /usr/local/share/ca-certificates/sub.domain.tld.crt
(substitute the correct path and (sub)domain name)
then:
update-ca-certificates
This solution works on Ubuntu 18.04; after this, the docker-app push works as intended.
Please note that copying the ca.crt to Docker's /etc/docker/certs.d directory in a way that suits docker login does not work for docker-app.
I am attempting to use Minikube for local Kubernetes development. I have set up my Docker environment to use the Docker daemon running in the provided Minikube VM (boot2docker) as suggested:
eval $(minikube docker-env)
It sets up these environment variables:
export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://192.168.99.100:2376"
export DOCKER_CERT_PATH="/home/jasonwhite/.minikube/certs"
When I attempt to pull an image from our private Docker repository:
docker pull oururl.com:5000/myimage:v1
I get this error:
Error response from daemon: Get https://oururl.com:5000/v1/_ping: x509: certificate signed by unknown authority
It appears I need to add a trusted CA root certificate somehow, but I have been unsuccessful so far in my attempts.
I can hit the repository fine with curl using our CA root cert:
curl --cacert /etc/ssl/ca/ca.pem https://oururl.com:5000/v1/_ping
I've been unable to find any way to get the cert into the Minikube VM. But Minikube has a command-line parameter to pass in an insecure registry:
minikube start --insecure-registry=<HOST>:5000
Then, to configure authentication on the registry, create a secret:
kubectl create secret docker-registry tp-registry --docker-server=<REGISTRY>:5000 --docker-username=<USERNAME> --docker-password=<PASSWORD> --docker-email=<EMAIL> --insecure-skip-tls-verify=true
Add the secret to the default service account as described in the Kubernetes docs.
I came up with a work-around for the situation with suggestions from these sources:
https://github.com/docker/machine/issues/1799
https://github.com/docker/machine/issues/1872
I logged into the Minikube VM (minikube ssh) and edited the /usr/local/etc/ssl/certs/ca-certificates.crt file by appending my own CA cert.
I then restarted the docker daemon while still within the VM: sudo /etc/init.d/docker restart
This is not very elegant in that if I restart the Minikube VM, I need to repeat these manual steps each time.
As an alternative, I also attempted to set the --insecure-registry myurl.com:5000 option in the DOCKER_OPTS environment variable (restarted docker), but this didn't work for me.
An addon was recently added to Minikube that makes access to private container registries much easier:
minikube addons configure registry-creds
minikube addons enable registry-creds
For an HTTP registry, these steps work for me:
1) minikube ssh
2) edit /var/lib/boot2docker/profile and add to $EXTRA_ARGS --insecure-registry yourdomain.com:5000
3) restart the docker daemon sudo /etc/init.d/docker restart
The Kubernetes documentation on this is pretty good.
Depending on where your private docker repository is hosted, the solution will look a bit different. The documentation explains how to handle each type of repository.
If you want an automated approach to handle this authentication, you will want to use a Kubernetes secret and specify the imagePullSecrets for your Pod.
Sounds like your question has more to do with Docker than Kubernetes. The Docker CLI supports a number of TLS-related options. Since you already have the CA cert, something like this should work:
docker --tlsverify --tlscacert=/etc/ssl/ca/ca.pem pull oururl.com:5000/myimage:v1
You need to edit /etc/default/docker to look like so:
# Docker Upstart and SysVinit configuration file
#
# THIS FILE DOES NOT APPLY TO SYSTEMD
#
# Please see the documentation for "systemd drop-ins":
# https://docs.docker.com/engine/admin/systemd/
#
# Customize location of Docker binary (especially for development testing).
#DOCKERD="/usr/local/bin/dockerd"
# Use DOCKER_OPTS to modify the daemon startup options.
DOCKER_OPTS="--insecure-registry oururl.com:5000"
# If you need Docker to use an HTTP proxy, it can also be specified here.
#export http_proxy="http://127.0.0.1:3128/"
# This is also a handy place to tweak where Docker's temporary files go.
#export DOCKER_TMPDIR="/mnt/bigdrive/docker-tmp"
Make sure to run sudo service docker stop and sudo service docker start to apply the changes. You should then be able to push/pull to your registry.
1) Log in to the minikube account
2) vi ~/.minikube/machines/<PROFILE_NAME>/config.json (in my case vi ~/.minikube/machines/minikube/config.json)
3) Add the private repo to the InsecureRegistry attribute (JSON path: HostOptions.EngineOptions.InsecureRegistry)
4) Run minikube start again
I upgraded my Mac (OS X) from an older Docker installation to Docker Toolbox, meaning that I'm now working with Docker Machine, and in the process discovered that the certs I had working for push/pull with a private registry are not there, and I can't for the life of me figure out how to get them in place. At the moment, when I try a test pull, I get the dreaded x509: certificate signed by unknown authority error. I've searched around and looked at issues on GitHub, but nothing has worked for me. I even tried ssh'ing into the machine VM and manually copying them into /etc/ssl/certs, and various other things, with no luck. And I certainly don't want to get into the "insecure-registry" stuff. This used to work with boot2docker prior to moving to docker-machine.
This seems like a very simple question: I have a couple of .crt files that I need put in the right place so that I can do a push/pull. How does one do this? And secondarily, how can this not be documented anywhere? Can we wish for a docker-machine add-cert command someday?
Thanks for any help, and I hope a good answer here can stick around to assist others who run into this.
Okay, so let's imagine I have a registry running at the address 192.168.188.190:5000 and I have a proper certificate for this address.
I would now run the following commands to install the root certificate into my machine:
docker-machine scp ./dockerCA.crt $MACHINE_NAME:dockerCA.crt
docker-machine ssh $MACHINE_NAME sudo mkdir -p /etc/docker/certs.d/192.168.188.190:5000
docker-machine ssh $MACHINE_NAME sudo mv dockerCA.crt /etc/docker/certs.d/192.168.188.190:5000/dockerCA.crt
Set the variable MACHINE_NAME to whatever the name of your machine is. The machine will now trust your root certificate.
Having the same issue, I read the documentation in Docker on how to add a certificate to my computer.
As you mentioned that you are on an updated Mac OS X, proceed by doing the following:
Copy the cert file from your Docker registry to your hard drive, e.g.
scp user@docker.reg.ip:/path/to/crt/domain.crt /tmp/domain.crt
Add the certificate to your trusted certificates using the following command:
sudo security add-trusted-cert -d -r trustRoot \
-k /Library/Keychains/System.keychain /tmp/domain.crt
Restart your local Docker handler, and now you should be able to upload your local Docker images to the Docker registry.
If you are running on any other operating system, please check this site on how to add trusted root certificates.