Docker accept expired certificate on server/host for Windows - docker

When using
docker login mycustomwebsite.com
I run into this issue:
x509: certificate has expired or is not yet valid
So, the certificate on mycustomwebsite.com is actually expired. I'm ok with that since I will update it later and right now I don't have access to it.
How can I tell docker & docker-compose to accept expired certificate?
Additionally, how can I completely disable certificate validation if necessary?
I've searched SO for answers; the closest was to use "--insecure-registry", but such an option does not exist for my version or for versions 1.3.0+ (unless I'm completely confused about how insecure-registry was supposed to work).
ps:
Docker version 18.03.0-ce / Docker-compose version 1.20.1 / windows 7
ps2: didn't find a solution that works, had to wait until I was able to renew the certificates

Related

Add Letsencrypt Certificate to Keycloak Trusted Certificates

We have the following setup:
A Keycloak Server on a VM installed as a docker container.
Server certificate via Let's Encrypt.
Two realms a and b.
Realm b is integrated into Realm a as an identity provider.
To get that working, we had to import the certificate of the Keycloak server into the Java trust store. Now the login works and we can choose in realm a if we want to log in with realm b. Unfortunately the process of importing the certificate comes with lots of manual effort (copy the certificate into the container, divide the chain into several files with only one certificate each, call a function) and the certificates are only valid for 90 days. Of course we can automate this, but the question is: is there an "official way" of doing this? Like mounting the Let's Encrypt certificate folder into the container and "done"? We are using the official jboss/keycloak container image.
The docker container should support this by setting the X509_CA_BUNDLE variable accordingly. See the docs here.
This creates the truststore for you and configures it in Wildfly. Details can be found in this and that script.

How to configure(SSL) self signed certificate in Alfresco 6.2 test environment after docker based installation?

I have installed Alfresco 6.2 using the docker-based installation, and it's working fine with http.
Now I have to run the same set-up on https, and I have to apply a self-signed certificate for this.
Can someone please provide the steps to generate this self-signed certificate and how to apply it inside the docker image?
Any help will be appreciated.
I already did the same thing for Alfresco 5.2 without docker, but here I am quite new to docker and don't understand how to do this.
Instead of changing the Tomcat certificate, I would recommend setting up SSL on nginx or any other reverse proxy. The Tomcat certificate is also used to authenticate Solr. Configuration errors can easily cause the search to stop working.
When using a reverse proxy don't forget to set your external connection in alfresco-global.properties to avoid problems with the CSRF Token Filter. e.g.:
alfresco.context=alfresco
alfresco.host=alfresco.mycompany.com
alfresco.port=443
alfresco.protocol=https
share.context=share
share.host=${alfresco.host}
share.port=${alfresco.port}
share.protocol=${alfresco.protocol}

docker login fails: tls: server selected unsupported protocol version 301

I am using docker version 18.09.0, build 4d60db4 on a Windows machine and I am trying to log in to Artifactory using the following command:
docker login docker-registery.company.net
It prompts for username and password and I provide them; however, I am not able to log in. It gives me the following error:
Error response from daemon: Get https://docker-registery.company.net/v2/: tls: server selected unsupported protocol version 301
Note: I am able to login to the Artifactory Repo Browser through my web browser by using the same username and password.
What is causing this issue when I try to login from the command-line? Is it some kind of proxy or certificate issue?
protocol version 301 = TLS 1.0 - that is an insecure TLS version, which has been selected by the server (in theory by Artifactory, but there can be a reverse proxy, Tomcat, etc. where TLS can be configured as well).
Configure TLS properly on the server side (enable support for TLS 1.1+) and your docker client will be able to establish a secure TLS connection. "insecure registry" is just an insecure workaround.
We had the same issue after some Windows update.
You can manually change the default TLS version in Windows by editing the registry.
Change the needed values in regedit.exe, or store this code as a .reg file and execute it:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
Hope it will solve your problem.
Try this,
docker login --username=yourUserName --email=abc#company.net dockerregistry.company.net:5000
Obviously, if you are using a port other than 5000 specify it after the colon.
Once you log in, you can do something like
docker push dockerregistry.company.net:5000/ubuntu
or
docker pull dockerregistry.company.net:5000/ubuntu
None of the above answers actually worked for me.
However, I managed to find a fix for it. Keep in mind that this is not a perfect solution but a workaround.
Here it goes...
I added my Artifactory registry as an insecure registry. Here's how to do it: https://docs.docker.com/registry/insecure/
Therefore, bypassing the TLS handshake.
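Both failures on this page come out of the Docker client's Go standard library: "x509: certificate has expired or is not yet valid" from the first question, and the refusal to accept a TLS 1.0-only server from this one. The program below is an added example, not code from either thread: it generates a throwaway self-signed certificate in-process, serves it from a loopback TLS listener capped at a chosen protocol version, and dials it with a client configured the way Docker's is (TLS 1.2 minimum, full chain validation), so each failure can be reproduced and recognised offline. The hostname "localhost" and the 24-hour validity window are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)
// selfSigned builds a throwaway "localhost" cert for the 24h ending at notAfter (constructed for this demo only).
func selfSigned(notAfter time.Time) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: notAfter.Add(-24 * time.Hour), NotAfter: notAfter,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // the cert is its own trust anchor, like a registry cert dropped into certs.d
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// Handshake dials an in-process server (cert expiring at notAfter, speaking at most serverMax)
// with a client set up like Docker's: TLS 1.2+ and full validation. It returns the client-side error.
func Handshake(notAfter time.Time, serverMax uint16) error {
	cert, pool := selfSigned(notAfter)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS10, MaxVersion: serverMax})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // serve exactly one handshake; whatever the server rejects surfaces as the client's error
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12})
	if err == nil {
		conn.Close()
	}
	return err
}

func main() { // prints the two failures from this page: expired cert first, then a TLS 1.0-only server
	fmt.Println(Handshake(time.Now().Add(-24*time.Hour), tls.VersionTLS12), Handshake(time.Now().Add(24*time.Hour), tls.VersionTLS10))
}
```

The first error names the certificate validity window, so the fix is renewing the certificate; the second fails before any certificate is examined, so it is the server's TLS configuration (or a proxy in front of it) that needs TLS 1.2 enabled.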

Visual Studio remotebuild for iOS fails with Error: self signed certificate in certificate chain

I have a Mac mini configured as the remotebuild server. Remote building my cordova app to the Mac was working ok in secure mode for a while, but I was suddenly greeted with an Error: self signed certificate in certificate chain.
I've followed several suggestions of running the commands,
remotebuild certificates reset
remotebuild certificates generate
then updating the pin accordingly in Visual Studio to no avail. I can build successfully when running in non-secure mode.
remotebuild --secure-mode false
I've also tried cleaning my solution in VS2015, nuking the certs folder on the Mac and re-installing remotebuild. It may be worth noting that something in the build process was constantly corrupting the remote_ios.json file so I was having to keep removing that file to build every other time as explained here.
Any ideas on how to get around this error or why it would suddenly be a point of failure?
This "self signed certificate in certificate chain" error can happen if remotebuild generates a certificate under one identity (hostname / ip address) and is accessed via another one. The client will look at the certificate and find that it doesn't match what it expected, and so it does not trust the server. My guess is that it began failing for you due to a change in your network architecture.
If you know the identity that other machines will attempt to use, for example if they will use some.buildserver.local, then you can instruct remotebuild to generate a certificate using that identity via remotebuild --hostname="some.buildserver.local" --secure=true saveconfig && remotebuild certificates reset && remotebuild certificates generate.
Once you have created new certificates that should match client expectations, if you reconfigure them then they should accept the server's certificate.
Also apart from those I did restart my client computer as well.

Windows 8.1 and signed driver problems

I have a driver which is signed using the steps in this link:
http://technet.microsoft.com/en-us/library/dd919238(v=ws.10).aspx
When I try to install this driver on Windows 8.1 it fails. The driver can install on all other operating systems.
When I restart the computer, disable driver signature enforcement and start the driver install, a message appears saying that the publisher of the driver is unknown and asks me if I want to continue the install or not. If you choose to install, the driver is installed on Windows 8.1. So the problem must be something with the driver signature, I guess.
Taken from the link: "The driver is marked as "Not Trusted" because Windows cannot validate the certificate against any of the trusted certificates in the per computer Trusted Root Certification Authorities store".
As this driver is meant to run on customer machines this problem is really annoying.
So:
Will this problem be solved if I make the driver marked as "Trusted" - and how do I do that?
Or does someone know an easier workaround for this problem?
You should try using /tr instead of /t because I have experienced trouble with the /tr option as described in my article, Practical Windows Code and Driver Signing.
What exactly do you mean by "it fails"? What error message do you get, or what unexpected behavior? Could you post the .CAT file here so we can look at your signature? Does your certificate use SHA1 or SHA2? What about the CAT file and the signature of the CAT file?
You could consider buying a certificate instead of making one yourself. Then you wouldn't have to worry about putting your certificate in the Trusted Root Certification Authorities list and the Trusted Publishers list on all of your customers' computers.