Docker gitlab-runner x509: cannot validate certificate - docker

I am running gitlab and gitlab-runner in two docker containers.
I created self-signed certificates for gitlab following this manual: http://clusterfrak.com/sysops/linux/linux_self_signed_certificate/
I can access gitlab from the browser at https://my_ip
But when I try to register gitlab-runner I get this error:
x509: cannot validate certificate for 192.168.1.46 because it doesn't contain any IP SANs
What can be the issue?
I also tried to disable ssl validation in config.toml, but it looks like I cannot do that in the latest version of gitlab-runner.
I tried hundreds of different options and it looks like I am stuck.
Maybe somebody had a similar problem.
Thank you.

Related

How to Configure TLS Certs for Signing Container Images With Cosign

I'm trying to use cosign to sign container images in a local docker registry. However, when I try I keep getting the error remote error: tls: bad certificate. I'm fairly sure this is because cosign doesn't know where to find the cert files for the registry - I can push and pull from the registry just fine, and I've verified the cert chain using openssl. However, I've looked through the GitHub documentation and the --help info for cosign, and I can't see how to tell it which certs to use. There are the --cert and --cert-chain options, which I have tried, but as far as I can tell those basically include the certs as part of the signature rather than using them to connect to the server. Any help is appreciated!

docker private registry: x509: certificate signed by unknown authority error

After creating a private docker registry on one of my machines, I try to push an image to it, but it throws the error: Get "https://host.domain/v2/": x509: certificate signed by unknown authority
The registry was created according to the official docker documentation. If I request the same url within Safari or Chrome, the request gets resolved successfully, showing that the certificate is valid.
So I'm wondering: what does docker do differently that it can't validate my certificate?
Many thanks in advance!
Solved the issue: it seems that if your certificate issuer provides an intermediate certificate EXPLICITLY, it's required to chain the domain.crt and intermediate.crt by running cat domain.crt intermediate.crt > concat-domain.crt (for example).
The instruction comes from the official docker documentation.

How to install a paid SSL (Comodo or Sectigo) to Harbor: Private Docker Registry?

I was trying to install Harbor: Private Docker Registry with a paid SSL certificate from Sectigo (Comodo).
But after I install it, I can see it was successful in the web page, but not in docker login.
When I try docker login ~~~, it says Error response from daemon: Get https://docker.siadev.kr/v2/: x509: certificate signed by unknown authority
What I received from the SSL provider are these:
{domain}.crt, {domain}.key, AAACertificateServices.crt, AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt, COMODORSADomainValidationSecureServerCA.crt, SectigoRSAAddTrustCA.crt, SectigoRSADomainValidationSecureServerCA.crt, rsa-dv.chain-bundle.pem
And docker says it supports ca.crt, {domain}.cert, {domain}.key.
Which crt files do I have to concat?
I placed them like this:
/etc/docker/certs.d/{domain}/{domain}.cert
/etc/docker/certs.d/{domain}/{domain}.key
/etc/docker/certs.d/{domain}/ca.crt
If I try to log in with the ip or another domain, it says Error response from daemon: Get https://{domain}/v2/: x509: certificate is valid for {domain}, not {fake_domain}.
So I assume that they are in the right place, and the problem is a wrong combination for ca.crt.
I'm not sure it's going to solve your problem, but I think you should put your certificate in the
/etc/docker/certs.d/$MY_REGISTR_DOMAIN:REGISTR_PORT/
folder. That's where I placed mine (they are self-signed) and it works.

Error response from daemon: Get https://x.x.x.x/v1/users/: x509: certificate signed by unknown authority

I'm new to docker and I'm testing some stuff. I installed a UCP to upload my images, but when I wanted to log in to UCP with the CLI it showed this error:
Error response from daemon: Get https://x.x.x.x/v1/users/: x509: certificate signed by unknown authority
I searched for this error and found many (very different) responses; after that I finished installing the DTR and I could log in without a problem.
My question is:
After I had installed just the UCP I tried to connect to it and the error showed. So, is it necessary to have DTR installed to connect correctly, or could it be another problem?
Thanks for your help!
"I had installed a UCP to upload my images". What does this mean? The DTR should be part of your UCP Swarm and that is where you push your images to.
So if you are getting this error when trying to push your image to one of the repositories in DTR, then try the steps below (assuming your worker nodes are Windows 2016 servers).
Create certificate in DTR node
Copy the certificate to the docker node or whichever machine you are trying to push the image from
Open MMC
Add certificates (use Computer account)
Open Trusted Root Certification Authorities
Click More Actions on the right and click Import
Upload the copied certificate and finish
Try the "docker login" command with your DTR url and make sure you are able to log in without an issue

How to fix insecure-registry error on clients by updating the docker registry server

When upgrading to docker 1.3 the docker client produced the following error:
...
If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry <my registry>` to the daemon's arguments.
...
This registry is behind our company's firewall, so I do not wish to add any security. Is there a way to remove this error at the registry server? What is the simplest way to do this? Is it enabling https, or is there a simpler trick?
I do not want to update the config for all the registry clients.
You have to use https if you want to avoid this warning. You also need a certificate signed by a known CA. Docker is trying to enforce security with this.
The other possibility is to use --insecure-registry when using the client.