Configure docker repo with https without domain name - docker

I have a website that I'm running on a digital ocean droplet, which I want to continuously deploy via docker and a Teamcity build server which I have running on my home server. I want to enable https on my docker repo, with a self signed certificate, and without a domain name.
Let's say my home's ip address is 10.10.10.10 and the docker repo is running on port 5000.
I followed the steps here, however docker on my website complained that it cannot connect to the docker repo on my homeserver because it doesn't specify an IP in the SAN extension.
Okay. So I created a new certificate without the CN field and only an IP in the SAN, and now my cert config on my website looks like...
/etc/docker/certs.d/10.10.10.10:5000/ca.crt
I also added the cert to my general certs (Ubuntu 16.04 btw)
Then I try to pull the image from my home server to my website...
docker pull 10.10.10.10:5000/personal_site:latest
However, I'm getting this error.
Error response from daemon: Get https://10.10.10.10:5000/v1/_ping: x509:
certificate signed by unknown authority (possibly because of "x509:
invalid signature: parent certificate cannot sign this kind of
certificate" while trying to verify candidate authority certificate "serial:xxx")
I thought by adding my cert to the /etc/docker/... it would accept a self-signed cert. Anyone have any advice here?

You can't used a self signed certificate for this, it needs to be a CA certificate. Follow the same steps required to create a certificate for a docker host and store your CA in /etc/docker/certs.d/.... Or you can also define 10.10.10.10 as an insecure registry as part of the docker daemon startup (dockerd --insecure-registry 10.10.10.10:5000 ...) and docker should ignore any certificate issues.

I just did the same thing with this instructions create private repo with password without domain and ssl. That will require you to add certificate on client and domain on host file (if you love to have an domain yourself without registering new domain)

Related

Strategy for SSL Certificate for Docker

I'm on a corporate intranet. The container host is a Windows server and the container will be deployed in a Nano Server. I have an ASP.NET Core site that's using Kestrel.
I'm able to get a self-signed cert successfully installed via a volume but our browsers throw up a cert validation error. The issue of getting a valid cert installed is that the container site is only viewable via an IP address and I'm aware you can't tie a non-self-signed cert to an IP. Being this is intranet, the IP address is obviously not public. Would a corporate-level cert work for a container host that's a member server?
Any ideas are appreciated.

ubuntu: docker run hello-world returns an error "x509: certificate signed by unknown authority"

After following the installation instructions to install docker provided in the official page I ran into the following error when I tried to run
docker: error pulling image configuration: Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/fc/fce289e99eb9bca977dae136fbe2a82b6b7d4c372474c9235adc1741675f587e/data?verify=1549989486-DEdrDDaoZskZzHXF84y4VY%2FxRpw%3D: x509: certificate signed by unknown authority
I am not finding information about solving this issue. Please note I am behind corporate proxy.
I have set the proxy in the file
/etc/systemd/system/docker.service.d/http-proxy.conf
with the following content
[Service]
Environment="HTTP_PROXY=http://proxyurl:8080/" "HTTPS_PROXY=http://proxyurl:8080/"
First, are you sure, your HTTPS_PROXY=http://proxyurl:8080/ ? Check that port is configured properly, it is more likely to be 443.
Second, your proxy can work in man-in-the-middle mode, that means it establishes two separate connections: with you and with targeted server, deciphering and enciphering all traffic. In this case it signs the data it sends to you with it's own ssl certificate and you have to obtain this one and add to your trusted ones in the system.
It seems that the image you are trying to pull is stored within a private registry. Have you logged to that registry?
Meanwhile, try to pull a hello-world image to check that proxy is not blocking outgoing connections from your Docker host.

Docker for Windows not using client certificates

I'm having issue with connecting to private Docker registry.
Setup:
Windows10 (using HyperV)
Docker for Windows version: 18.03.0-ce
Steps I did:
Placed client certificates in C:/ProgramData/Docker/certs.d/<private_registry_url>/
Placed client certificates in C:/Users//.docker/certs.d/<private_registry_url>/
Root certificate imported in Windows "Trusted Root Certification Authorities" (otherwise I'm getting "X509: certificate signed by unknown authority")
Result: Executing docker login <private_registry_url> and inserting correct credentials gives me:
Error response from daemon: Get https://<private_registry_url>/v2/: remote error: tls: bad certificate
which means that Docker is not sending correct client certificates. (When I execute curl -client <file.cert> -key <file.key> https://<private_registry_url>/v2/ with client certificates I'm able to connect.
When I connect to running HyperV machine there is missing /etc/docker/certs.d/ folder. If I manually create /etc/docker/certs.d/<private_registry_url> and put my client certificates inside, everything starts to work! But after restarting Docker for Windows, folder certs.d in HyperV machine is missing and I'm not able to connect to private registry again.
Any ideas what am I doing wrong?

Running Docker behind proxy

I have install docker on a windows 7 machine, if I connect to Internet outside my company network everything works fine, but when I connect to Internet from my company network, and try to pull a image from dockerhub, I just get the "docker: Network timed out while trying to connect to .... You may want to check your internet connection or if you are behind a proxy..".
I have edited the /var/lib/boot2docker/profile file by adding following two lines
export "HTTP_PROXY=http://me:mypassword#proxyhost:proxyport"
export "HTTPS_PROXY=http://me:mypassword#proxyhost:proxyport"
rebooted the docker machine and try to pull an image and get the following error;
Error while pulling image: Get https://index.docker.io/v1/repositories/library/ubuntu/images: x509: certificate signed by unknown authority
edit: CA certification details
The problem is your corporate proxy is using it's own SSL certificate which Docker doesn't trust. What you're going to have to do is to download a copy of the CA certificate and trust it on any machines you want to use behind the firewall. Check this answer for how to trust a certificate:
Docker behind proxy that changes ssl certificate

docker client can't read from both "docker private registry" and "online docker registry" if custom ssl certificate are used

Docker version 1.2.0, build 2a2f26c/1.2.0,
docker registry 0.8.1
i setup docker private registry on cenots7 and created my custom ssl cert. when I try to access my docker registry using https I get x509: certificate signed by unknown authority. i found a solution for this by placing the cert file under "/etc/pki/tls/certs" then do
"update-ca-trust"
"service docker restart"
now it started to read my certificate.i can login and pull and push to docker private registry
"https://localdockerregistry".
now when i tries to read from online docker registry(https://index.docker.io/v1/search?q=centos) like
"docker search centos"
i get
"Error response from daemon: Get https://index.docker.io/v1/search?q=centos: x509: certificate signed by unknown authority"
i exported docker.io cert from firefox brower and put it under "/etc/pki/tls/certs" then do "update-ca-trust" and "service docker restart" but same error. it looks like docker client cant decide which cert to use for which repository.
Any ideas how we can fix "x509: certificate signed by unknown authority" for online docker registry while using your own docker private registry.
The correct place to put the certificate is on the machine running your docker daemon (not the client) in this location: /etc/docker/certs.d/my.registry.com:5000/ca.crt where my.registry.com:5000 is the address of your private registry and :5000 is the port where your registry is reachable. If the path /etc/docker/certs.d/ does not exist, you should create it -- that is where the Docker daemon will look by default.
This way you can have a private certificate per private registry and not affect the public registry.
This is per the docs on http://docs.docker.com/reference/api/registry_api/
I had the problem with a docker registry running in a container behind a Nginx proxy with a StartSSL certificate.
In that case you have to append the intermediate ca certs to the nginx ssl certificate, see https://stackoverflow.com/a/25006442/1130611

Resources