1. 技术文章
  2. Docker private registry using selfsigned certificates

Docker private registry using selfsigned certificates

徘徊边缘 提交于 2019-12-06 05:56:12

问题


I want to run a private docker registry which is widely available. So I will be able to push and pull images from other servers.

I'm following this tutorials: doc1 & doc2

I performed 3 steps: First I've created my certificate and key (as CNAME I filled in my ec2-hostname)

mkdir -p certs && openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -x509 -days 365 -out certs/domain.crt

Than I've created my docker registry, using this key.

docker run -d -p 5000:5000 --restart=always --name registry \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2

Than I copied the content of domain.crt to /etc/docker/certs.d/ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/ca.crt I restarted my docker: sudo service docker restart When I try to push an image I get the following error:

unable to ping registry endpoint https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v0/
v2 ping attempt failed with error: Get https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v2/: net/http: TLS handshake timeout
 v1 ping attempt failed with error: Get https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v1/_ping: net/http: TLS handshake timeout

I really don't know what I'm missing or doing wrong. Can someone please help me. Thanks


回答1:


I'm not sure if you copy/pasted your pwd directly... but the file path should be /etc/docker/certs.d

You currently have etc/docker/cert.d/registry.ip:5000/domain.crt




回答2:


The error message says "TLS handshake timeout". This indicates that either no process is listening on port 5000 (check using netstat) or the port is closed from the location where you are trying to push the image (open port in the AWS security group).




回答3:


From what I've seen docker login is way more sensitive to properly crafted self-signed certs than browsers are + there's an interesting gotcha I'll point out at the very bottom, so read the whole thing.

According to this site: https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html

Bash# openssl x509 -noout -text -in ca.crt
X509v3 Basic Constraints: critical
CA:TRUE

^You should see something like this is you provisioned your certs right.

While following random how-to guides on the net I was able to generate ca.crt and website.crt
When I ran the above command I didn't see that output, but I noticed:
If I imported the cert as trusted in Mac or Win my browser would be happy and say yeap valid cert, but docker login on RHEL7 would complain with messages like)

x509: certificate signed by unknown authority

I tried following directions related to using:
/etc/docker/certs.d/mydockerrepo.lan:5000/ca.crt
on https://docs.docker.com/engine/security/certificates/
It got me a better error message (which caused me to find the above site in the first place)

x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate

After 2 days of messing around I figured it out:
When I was taught programming I was taught the concept of a short self-contained example, so going to try doing that here for ansible, leveraging the openssl built-in modules, I'm running latest ansible 2.9, but this should work for ansible 2.5++ in theory:


Short Self Contained Example:

#Name this file generatecertificates.playbook.yml
#Run using Bash# ansible-playbook generatecertificates.playbook.yml
#
#What to Expect:
#Run Self Contained Stand Alone Ansible Playbook --Get--> 
# currentworkingdir/certs/
#                         ca.crt
#                         ca.key
#                         mydockerrepo.private.crt
#                         mydockerrepo.private.key
#
#PreReq Ansible 2.5++
#PreReq Bash# pip3 install cryptograph >= 1.6 or PyOpenSSL > 0.15 (if using selfsigned provider)
---
- hosts: localhost
  connection: local
  gather_facts: no
  vars:
  - caencryptionpassword: "myrootcaencryptionpassword"
  - dockerepodns: "mydockerrepo.private"
  - rootcaname: "My Root CA"



  tasks:
  - name: get current working directory
    shell: pwd
    register: pathvar
  - debug: var=pathvar.stdout



  - name: Make sub directory
    file:
      path: "{{pathvar.stdout}}/certs"
      state: directory
    register: certsoutputdir
  - debug: var=certsoutputdir.path



  - name: "Generate Root CA's Encrypted Private Key"
    openssl_privatekey: 
      size: 4096
      path: "{{certsoutputdir.path}}/ca.key" 
      cipher: auto 
      passphrase: "{{caencryptionpassword}}"
  - name: "Generate Root CA's Self Signed Certificate Signing Request"
    openssl_csr: 
      path: "{{certsoutputdir.path}}/ca.csr"
      privatekey_path: "{{certsoutputdir.path}}/ca.key"
      privatekey_passphrase: "{{caencryptionpassword}}"
      common_name: "{{rootcaname}}" 
      basic_constraints_critical: yes
      basic_constraints: ['CA:TRUE']
  - name: "Generate Root CA's Self Signed Certificate"
    openssl_certificate: 
      path: "{{certsoutputdir.path}}/ca.crt" 
      csr_path: "{{certsoutputdir.path}}/ca.csr"
      provider: selfsigned
      selfsigned_not_after: "+3650d" #Note: Mac won't trust by default due to https://support.apple.com/en-us/HT210176, but you can explitly trust to make it work.
      privatekey_path: "{{certsoutputdir.path}}/ca.key"
      privatekey_passphrase: "{{caencryptionpassword}}"
    register: cert
  - debug: var=cert



  - name: "Generate Docker Repo's Private Key"
    openssl_privatekey: 
      size: 4096
      path: "{{certsoutputdir.path}}/{{dockerepodns}}.key"
  - name: "Generate Docker Repo's Certificate Signing Request"
    openssl_csr: 
      path: "{{certsoutputdir.path}}/{{dockerepodns}}.csr"
      privatekey_path: "{{certsoutputdir.path}}/{{dockerepodns}}.key"
      common_name: "{{dockerepodns}}"
      subject_alt_name: 'DNS:{{dockerepodns}},DNS:localhost,IP:127.0.0.1'
  - name: "Generate Docker Repo's Cert, signed by Root CA"
    openssl_certificate: 
      path: "{{certsoutputdir.path}}/{{dockerepodns}}.crt"
      csr_path: "{{certsoutputdir.path}}/{{dockerepodns}}.csr"
      provider: ownca
      ownca_not_after: "+365d" #Cert valid 1 year
      ownca_path: "{{certsoutputdir.path}}/ca.crt"
      ownca_privatekey_path: "{{certsoutputdir.path}}/ca.key"
      ownca_privatekey_passphrase: "{{caencryptionpassword}}"
    register: cert
  - debug: var=cert

Interesting Gotcha/Final Step:

RHEL7Bash# sudo cp ca.crt /etc/pki/ca-trust/source/anchors/ca.crt
RHEL7Bash# sudo update-ca-trust
RHEL7Bash# sudo systemctl restart docker

The gotcha is that you have to restart docker, for docker login to recognize updates to CA's newly added to the system.



来源:https://stackoverflow.com/questions/34288371/docker-private-registry-using-selfsigned-certificates

标签
Docker
self-signed
docker-registry
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!