search

containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0
23.27k stars 2.37k forks source link

Login to corporate registry with self-signed cert fails #24101

Open dschulten opened 9 hours ago

dschulten commented 9 hours ago

Issue Description

I need to access a corporate registry that uses a self-signed certificate. I am using a rootful podman engine with user-mode networking in Windows 10 with a corporate proxy and proxy settings that have NO_PROXY settings containing .registry.example.com as proxy exception.

I had to go rootful with --user-mode-networking because of:

I am able to execute the test container:

podman run ubi8-micro date
Sun Sep 29 11:23:07 UTC 2024

Login into the corporate registry fails:

podman login gitlab.registry.example.com:5050
Username: example-admin
Password: 
Error: authenticating creds for "gitlab.registry.example.com:5050": pinging container registry gitlab.registry.example.com:5050: Get "https://gitlab.registry.example.com:5050/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

I have added the registry's PEM file to /etc/pki/ca-trust/source/anchors/gitlab-registry-example-com.pem using vi after establishing a root session using podman machine ssh. Then I have executed update-ca-trust, which gives me no output, normally a sign that it worked. When I inspect the PEM file, it tells me that issuer and owner have the same DN, namely gitlab.registry.example.com.

In addition to adding the self-signed certificate as a trusted certificate, I also tried to mark the registry as insecure by adding the following entry to /etc/containers/registries.conf:

[[registry]]
location = "gitlab.registry.example.com:5050"
insecure = true

That makes no difference.

Pulling and running images from the registry also fails:

Error: initializing source docker://gitlab.registry.example.com:5050/my/image/path/image:latest: pinging container registry gitlab.registry.example.com:5050: received unexpected HTTP status: 503 Service Unavailable

However, the service is not unavailable - login and pulling images in docker desktop works just fine (when I shut down the podman machine and run docker desktop instead)

I have also tried to use the Podman Desktop UI to add registries with self-signed certificates - after a lengthy period, the UI shows the following error message:

Unable to find auth info for https://gitlab.registry.example.com:5050/v2/. Error: RequestError: Bad response: 503

Steps to reproduce the issue

Steps to reproduce the issue

  1. podman login the.registry:5050
  2. Enter credentials

Describe the results you received

Login failure, certificate signed by unknown authority

Describe the results you expected

Login should work

podman info output

`podman info` shows that my registry is marked as insecure:
λ podman info 
host:
  arch: amd64
  buildahVersion: 1.37.3
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.1.12-2.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 99.66
    systemPercent: 0.21
    userPercent: 0.13
  cpus: 8
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: container
    version: "40"
  eventLogger: journald
  freeLocks: 2045
  hostname: SN602534
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.15.153.1-microsoft-standard-WSL2
  linkmode: dynamic
  logDriver: journald
  memFree: 15888338944
  memTotal: 16628350976
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.2-2.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.2
    package: netavark-1.12.2-1.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.2
  ociRuntime:
    name: crun
    package: crun-1.17-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.17
      commit: 000fa0d4eeed8938301f3bcf8206405315bc1017
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240906.g6b38f07-1.fc40.x86_64
    version: |
      pasta 0^20240906.g6b38f07-1.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: true
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 4294967296
  swapTotal: 4294967296
  uptime: 0h 20m 31.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  gitlab.registry.example.com:5050:
    Blocked: false
    Insecure: true
    Location: gitlab.registry.example.com:5050
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: gitlab.registry.example.com:5050
    PullFromMirror: ""
  search:
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 0
    stopped: 3
  graphDriverName: overlay
  graphOptions:
    overlay.imagestore: /usr/lib/containers/storage
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 269427478528
  graphRootUsed: 1064660992
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.2.3
  Built: 1727136000
  BuiltTime: Tue Sep 24 02:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.7
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.3

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

Yes

Additional environment details

no environment details

Additional information

no additional information

Sativarsainath-26 commented 4 hours ago

@dschulten I set up a private registry locally with a self-signed certificate, and here is the registries.conf file I used:

[[registry]]
location = "localhost:5000"
insecure = true

To log in, I used:

root@zaasvmd:~/private-registry-certs# podman login localhost:5000
Username: testuser
Password:
Login Succeeded!

Does this match your setup, or do you have a different configuration?