datawire / forge

Define and run multi-container apps in Kubernetes
http://forge.sh
Apache License 2.0

Error when using docker registry with self-signed certificates #141

Closed beniamin closed 6 years ago

beniamin commented 6 years ago

I am trying to use forge with a private Docker registry deployed with self-signed certificates, but I encounter the following error:

```
║ == Checking Kubernetes Setup ==
║
║ kubectl version --short
║ Client Version: v1.9.2
║ Server Version: v1.9.2
║ 1 tasks run, 0 errors
║ kubectl get service kubernetes --namespace default
║ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
║ kubernetes ClusterIP 10.96.0.1 443/TCP 2d
║ 1 tasks run, 0 errors
║
║ == Setting up Docker ==
║
║ Registry type (one of ecr, gcr, generic)[generic]:
║ Docker registry url[registry.hub.docker.com]: gen-centos755201-all-dev.idoc-alpha.c.emag.network
║ Docker user: testuser
║ Docker password:
║ Docker namespace/organization (use "-" to leave unspecified): -
║
║ registry: {type: docker, url: gen-centos755201-all-dev.idoc-alpha.c.emag.network,
║ user: testuser, password: 'dGVzdHBhc3N3b3Jk
║
║ ', namespace: null}
║
║ docker login -u testuser -p gen-centos755201-all-dev.idoc-alpha.c.emag.network
║ WARNING! Using --password via the CLI is insecure. Use --password-stdin.
║ Login Succeeded
║ docker pull registry.hub.docker.com/datawire/forge-setup-test:1
║ 1: Pulling from datawire/forge-setup-test
║ Digest: sha256:c0537ff6a5218ef531ece93d4984efc99bbf3f7497c0a7726c88e2bb7584dc96
║ Status: Image is up to date for registry.hub.docker.com/datawire/forge-setup-test:1
║ docker tag registry.hub.docker.com/datawire/forge-setup-test:1 gen-centos755201-all-dev.idoc-alpha.c.emag.network/forge_test:dummy
║ docker push gen-centos755201-all-dev.idoc-alpha.c.emag.network/forge_test:dummy
║ The push refers to repository [gen-centos755201-all-dev.idoc-alpha.c.emag.network/forge_test]
║ e154057080f4: Preparing
║ e154057080f4: Layer already exists
║ dummy: digest: sha256:11a6af2edd09100d7a35abacacefd269404cf44aff537668235321d4f4caa485 size: 528
║ GET https://gen-centos755201-all-dev.idoc-alpha.c.emag.network/v2/None/forge_test/manifests/dummy
║ 16 tasks run, 1 errors
║ setup: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
║
║ -- please try again --
║
║ Registry type (one of ecr, gcr, generic)[generic]:
```

My environment:

Pushing and pulling images from the same registry works with the `docker push` and `docker pull` commands.

rhs commented 6 years ago

Thanks for taking the time to report this. Is there any chance you can supply the output of `python --version` and `python -c "import ssl; print ssl.OPENSSL_VERSION"`?

beniamin commented 6 years ago

Sure.

```
~ ᐅ python --version
Python 2.7.10
~ ᐅ python -c "import ssl; print ssl.OPENSSL_VERSION"
LibreSSL 2.2.7
```

ewildee commented 6 years ago

I am having the same problem with a self-signed OpenShift registry.

Directly pushing and pulling with Docker works, and forge also succeeds in pushing to the registry, but it fails with `setup: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)` after `GET xxx/v2/xxx/forge_test/manifests/dummy`.

ewildee commented 6 years ago

Update: After adding a Let's Encrypt certificate, the setup finished successfully. Probably the problem is indeed with using self-signed certificates for the Docker registry.

jmeickle commented 6 years ago

Also ran into this with a self-signed cert.

rhs commented 6 years ago

I just released forge 0.4.7 with a fix for this issue. You can read the (quick and dirty) docs here: https://forge.sh/docs/reference/self-signed-registries
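An added example, not part of this thread and not forge's own code or its 0.4.7 fix: a Python 3 check that repeats the manifest `GET` from the log above while keeping certificate verification on, trusting the registry's self-signed certificate (or its private CA) through an explicit PEM file. The function names, the `ca_file` parameter and the host in the `__main__` block are assumptions made for illustration.

```python
import ssl
import urllib.error
import urllib.request

# Media type for a Docker image manifest, schema 2.
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


def registry_context(ca_file=None):
    """TLS context that still verifies the registry certificate.

    ca_file (hypothetical parameter): PEM file with the registry's self-signed
    certificate or the private CA that issued it. None means system CAs only.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    # Both are already the defaults; set explicitly so they cannot drift.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def manifest_url(registry, repo, tag):
    return "https://%s/v2/%s/manifests/%s" % (registry, repo, tag)


def check_registry(registry, repo, tag, ca_file=None, timeout=10):
    """Return (tls_ok, detail) for one manifest GET."""
    req = urllib.request.Request(manifest_url(registry, repo, tag),
                                 headers={"Accept": MANIFEST_V2})
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=registry_context(ca_file)) as resp:
            return True, "HTTP %d" % resp.status
    except urllib.error.HTTPError as err:
        # The handshake succeeded; 401 or 404 is the registry answering.
        return True, "TLS ok, HTTP %d" % err.code
    except urllib.error.URLError as err:
        if isinstance(err.reason, ssl.SSLCertVerificationError):
            return False, "certificate not trusted: %s" % err.reason.verify_message
        return False, "connection failed: %s" % err.reason


if __name__ == "__main__":
    # Constructed placeholder host; substitute your registry and CA file.
    print(check_registry("registry.example.test", "forge_test", "dummy"))
```

A result of `(False, "certificate not trusted: ...")` with `ca_file=None` that turns into `(True, ...)` once the registry's PEM file is passed confirms that the failure is a trust-store gap in the Python client rather than a broken registry.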