Open mpas opened 9 years ago
Insecure registry + authentication is not a supported scenario. The reason for that is it's possible / simple for an attacker to downgrade your traffic to http, then making the use of plain basic passwords moot.
My recommendation is that instead you put your server.crt into /etc/docker/certs.d/ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443/ca.crt
Hope that helps.
Apologies for my possibly dumb question, but does this mean that the registry cannot be used when using self-signed certificates?
@mpas it can - this is why you need to trust that self-signed certificate inside docker (because it's self-signed).
Copying the crt over to /etc/docker/certs.d/ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443/ca.crt
does that. (don't forget to restart docker after doing that)
@dmp42 Could it be that I need to create the /etc/docker/certs.d directory? The directory now only contains a key.json file. I guess that I need to do this on the server running the registry?
You have to create the mentioned directory. And you have to do that on any host that wants to run docker accessing that registry, not on the registry host itself.
It's like running a website with a self-signed certificate, you have to configure your browser to trust it.
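As an added example (not from this thread or the Docker project), a small POSIX shell helper that performs the step described above on a Docker client host: it copies the registry's self-signed certificate to /etc/docker/certs.d/<host:port>/ca.crt, where the directory name must match the host:port used in image names. The CERTS_D variable is an assumption introduced here so the base directory can be overridden for testing.

```shell
#!/bin/sh
# Added example: install a registry's self-signed certificate so the local
# Docker daemon trusts it. Run on each client host, not on the registry host.
# CERTS_D is an assumed override for the real base directory /etc/docker/certs.d.
CERTS_D="${CERTS_D:-/etc/docker/certs.d}"

# Usage: trust_registry_cert <registry-host:port> <path-to-server.crt>
# Prints the path of the installed ca.crt on success, returns 1 on failure.
trust_registry_cert() {
    registry="$1"
    crt="$2"

    # The directory name is used verbatim, so reject anything that is not
    # a plain host:port (no slashes, no empty value).
    case "$registry" in
        ""|*/*) echo "registry must be host:port, got '$registry'" >&2; return 1 ;;
    esac

    # Only accept a PEM-encoded certificate; a private key or random file
    # placed here would silently leave the registry untrusted.
    grep -q '^-----BEGIN CERTIFICATE-----' "$crt" 2>/dev/null || {
        echo "not a PEM certificate: $crt" >&2
        return 1
    }

    dir="$CERTS_D/$registry"
    mkdir -p "$dir" || return 1
    cp "$crt" "$dir/ca.crt" || return 1
    # The CA cert is public; readable by all, writable only by root.
    chmod 644 "$dir/ca.crt" || return 1

    echo "installed $dir/ca.crt; restart the docker daemon to pick it up" >&2
    echo "$dir/ca.crt"
}
```

After running it, restart the Docker daemon, then retry `docker login` without the --insecure-registry flag.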
@dmp42 thanks for the tips, going to test this tomorrow! Does the placement of the .crt file on the client host mean that I do not need to have the --insecure-registry ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443 anymore?
@mpas it does. You might have to trust the cert at the OS level as well, though (since authentication here).
I was unable to get it working by placing the ca.crt inside the certs.d directory and using the insecure registry. In the end, the only thing I needed to do was to import the generated certificate into the OS. No need for other settings.
@mpas Could you please let me know how to import the generated certificate in EC2 and make it global so docker registry can pick it up
I am trying to set up a private Docker Registry (on Amazon EC2 using the Amazon Linux AMI) using the standard docker registry image and a Docker Registry Reverse Proxy (https://registry.hub.docker.com/u/marvambass/nginx-registry-proxy/)
The goal is to secure the registry using SSL (using a self-signed SSL cert) and username/password authentication. This all seems to go well: when I try to navigate via browser to the private docker registry using https://ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443/v2/ I get a prompt to provide a username and password and I get the correct output in this case:
{}
But when I try to log in using the docker client I seem unable to log in:
FATA[0004] Error response from daemon: v1 ping attempt failed with error: Get https://ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add
--insecure-registry ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443
to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443/ca.crt
I modified my /etc/default/docker file on my client machine according to the instructions:
Restarted the docker service etc. but no luck so far.