I use this docker-compose file to create a GitLab installation along with the GitLab Container Registry enabled.
All containers start nicely, but when I try to access the container registry via a new GitLab project, I get a 500 error.
From Kitematic, in the registry container logs I see this
http: TLS handshake error from 192.168.99.1:54873: tls: first record does not look like a TLS handshake
I am not an expert in security, but from my research I think it has to do with the self-signed certificate that GitLab expects.
Is this the problem? How should I proceed?
Related
Does anyone have a running installation of nginx as a reverse proxy, unbound from gitlab where the internal gitlab container registry is running?
I've setup nginx and gitlab in docker containers and I can access gitlab with a suburl e.g. my.domain.com/gitlab/. However when I try to access the container registry for an example project I either end up getting Bad Gateway when using docker login or the container registry shows an error when accessing the site:
Docker connection error We are having trouble connecting to the Container Registry. Please try refreshing the page. If this error persists, please review the troubleshooting documentation .
I've been trying to figure out what settings I need for days and I don't understand what's going wrong, so if anyone can help I'd be really grateful.
I am trying to use Jenkins to build and push docker images to private registry. However, while trying docker login command, I am getting this error:
http: server gave HTTP response to HTTPS client
I know that this might be happening because the private registry is not added as an insecure registry. But, how I can resolve this in CI pipeline?
Jenkins is set up on a Kubernetes cluster and I am trying to automate the deployment of an application on the cluster.
This has nothing to do with the Jenkins CI pipeline or Kubernetes. Jenkins will not be able to push your images until configure follow either of the below steps
You have two options here
1) Configure your docker client to use the secure registry over HTTPS. This will include setting up self signed certificates or getting certificates from your local certificate authority.
2) Second solution is to use your registry over an unencrypted HTTP connection.
So if you are running docker on kubernetes. You will have to configure the daemon.json file in /etc/docker/daemon.json.
PS: This file might not exist. You will have to create it.
Then add in the below content. Make sure you change the url to match your docker registry
{
"insecure-registries" : ["myregistrydomain.com:5000"]
}
Then restart docker using systemctl restart docker or etc/init.d/docker restart depending on the version of linux distro installed on your cluster
Let me know if you have any questions
I'm using CircleCI 2.0 and I have a private docker registry with self-signed certificate. I'm able to configure my local docker, just like documented here, the problem is in CircleCI:
I'm using remote dockers so when I try to login in Docker registry it's failing with Error response from daemon: Get https://docker-registry.mycompany.com/v2/: x509: certificate signed by unknown authority.
Is there a way to install the certificate in a remote docker? I don't have access to the docker host's shell. I don't want to use machine executor type.
It's not possible. It could only be accomplished by using CircleCI's Enterprise level system.
I have my private docker registry running on a remote machine, which is secured by TLS and uses HTTPS. Now I want to access it from my local docker-machine installed on Windows 7. I have copied the certificates to "/etc/docker/certs.d/" in the docker-machine VM and restarted docker.
After this I can successfully login to my private registry using credentials, but when I try to push an image to it, it gives me a certificate signed by unknown authority error. After researching a little I restarted the docker daemon with docker -d --insecure-registry https://<registry-host>, and it worked.
My question is: if I have copied my certificates to the host machine, why do I need to start the registry with the --insecure-registry option?
I can only access the registry from another host with certificates as well as restarting docker with --insecure-registry , which looks a little wrong to me.
Docker version: 1.8.3
Any pointers on this would be really helpful.
certificate signed by unknown authority
The error message gives it away - your certificates are self-signed (as in not trusted by a known CA).
See here.
If you would like to access your registry with HTTP, follow the instructions here
Basically (do this on the machine from which you try to access the registry):
edit the file /etc/default/docker so that there is a line that reads: DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000" (or add that to existing DOCKER_OPTS)
restart your Docker daemon: on ubuntu, this is usually service docker stop && service docker start
Docker version 1.2.0, build 2a2f26c/1.2.0,
docker registry 0.8.1
i setup docker private registry on cenots7 and created my custom ssl cert. when I try to access my docker registry using https I get x509: certificate signed by unknown authority. i found a solution for this by placing the cert file under "/etc/pki/tls/certs" then do
"update-ca-trust"
"service docker restart"
now it started to read my certificate.i can login and pull and push to docker private registry
"https://localdockerregistry".
now when i tries to read from online docker registry(https://index.docker.io/v1/search?q=centos) like
"docker search centos"
i get
"Error response from daemon: Get https://index.docker.io/v1/search?q=centos: x509: certificate signed by unknown authority"
i exported docker.io cert from firefox brower and put it under "/etc/pki/tls/certs" then do "update-ca-trust" and "service docker restart" but same error. it looks like docker client cant decide which cert to use for which repository.
Any ideas how we can fix "x509: certificate signed by unknown authority" for online docker registry while using your own docker private registry.
The correct place to put the certificate is on the machine running your docker daemon (not the client) in this location: /etc/docker/certs.d/my.registry.com:5000/ca.crt where my.registry.com:5000 is the address of your private registry and :5000 is the port where your registry is reachable. If the path /etc/docker/certs.d/ does not exist, you should create it -- that is where the Docker daemon will look by default.
This way you can have a private certificate per private registry and not affect the public registry.
This is per the docs on http://docs.docker.com/reference/api/registry_api/
I had the problem with a docker registry running in a container behind a Nginx proxy with a StartSSL certificate.
In that case you have to append the intermediate ca certs to the nginx ssl certificate, see https://stackoverflow.com/a/25006442/1130611