containers / skopeo

Work with remote images registries - retrieving information, images, signing content
Apache License 2.0

skopeo login failed without using --tls-verify=false #2054

Closed Tong0217 closed 1 year ago

Tong0217 commented 1 year ago

Hi, I want to use skopeo copy to replace docker pull/push, but skopeo login and skopeo copy do not work correctly without using --tls-verify=false. The log is:

[service@XXXXX]$ skopeo login -u XXX  -p XXX  swr.ma-region-1.external-ma01.com
FATA[0000] authenticating creds for "swr.ma-region-1.external-ma01.com": pinging container registry swr.ma-region-1.external-ma01.com: Get "https://swr.ma-region-1.external-ma01.com/v2/": x509: certificate is not valid for any names, but wanted to match swr.ma-region-1.external-ma01.com

The log in debug mode is:

[service@XXXXX]$ skopeo login -u XXX -p XXX swr.ma-region-1.external-ma01.com --debug
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf"
DEBU[0000] Found credentials for swr.ma-region-1.external-ma01.com in credential helper containers-auth.json in file /run/containers/1100/auth.json
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/swr.ma-region-1.external-ma01.com
DEBU[0000] GET https://swr.ma-region-1.external-ma01.com/v2/
DEBU[0000] Ping https://swr.ma-region-1.external-ma01.com/v2/ err Get "https://swr.ma-region-1.external-ma01.com/v2/": x509: certificate is not valid for any names, but wanted to match swr.ma-region-1.external-ma01.com (&url.Error{Op:"Get", URL:"https://swr.ma-region-1.external-ma01.com/v2/", Err:x509.HostnameError{Certificate:(*x509.Certificate)(0xc00015e000), Host:"swr.ma-region-1.external-ma01.com"}})
DEBU[0000] GET https://swr.ma-region-1.external-ma01.com/v1/_ping
DEBU[0000] Ping https://swr.ma-region-1.external-ma01.com/v1/_ping err Get "https://swr.ma-region-1.external-ma01.com/v1/_ping": x509: certificate is not valid for any names, but wanted to match swr.ma-region-1.external-ma01.com (&url.Error{Op:"Get", URL:"https://swr.ma-region-1.external-ma01.com/v1/_ping", Err:x509.HostnameError{Certificate:(*x509.Certificate)(0xc0000d6b00), Host:"swr.ma-region-1.external-ma01.com"}})

Skopeo version is skopeo version 1.5.2. docker login and skopeo login --tls-verify=false both work correctly. Are there any solutions? Thanks so much.

mtrmac commented 1 year ago

Thanks for reaching out.

This suggests that the certificate is not generated correctly to be used as a TLS certificate; to be precise, it has no “DNS names” in the SubjectAltName extension (or no SubjectAltName extension). There’s some chance that it’s a code bug in the TLS stack, but very likely the administrator of the server in question needs to generate/obtain a valid certificate.

You can use e.g. openssl s_client -connect $host:443 to see the certificate being served, and openssl x509 -text to see its contents.

Tong0217 commented 1 year ago

Thanks for the answer! You are right, the reason for the error is that the image registry in the development environment has no certificate. The registry in the production environment has a certificate, so I tried skopeo again in the production environment, and all commands work correctly. Thanks!

mtrmac commented 1 year ago

Thanks for the confirmation.