docker-archive / docker-registry

This is **DEPRECATED**! Please go to https://github.com/docker/distribution
Apache License 2.0

Unable to get remote docker registry working using --insecure-registry #1008

Open mpas opened 9 years ago

mpas commented 9 years ago

I am trying to set up a private Docker Registry (on Amazon EC2 using the Amazon Linux AMI) using the standard docker registry image and a Docker Registry Reverse Proxy (https://registry.hub.docker.com/u/marvambass/nginx-registry-proxy/).

The goal is to secure the registry using SSL (using a self-signed SSL cert) and username/password authentication. This all seems to go well: when I try to navigate via browser to the private docker registry using https://ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443/v2/ I get a prompt to provide a username and password, and I get the correct output, in this case {}

But when I try to log in using the docker client I seem unable to log in:

FATA[0004] Error response from daemon: v1 ping attempt failed with error: Get https://ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443/ca.crt

I modified my /etc/default/docker file on my client machine according to the instructions:

# root@ubuntu:/etc/default# cat docker
# Docker Upstart and SysVinit configuration file

# Customize location of Docker binary (especially for development testing).
#DOCKER="/usr/local/bin/docker"

# Use DOCKER_OPTS to modify the daemon startup options.
#DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"
DOCKER_OPTS="$DOCKER_OPTS --insecure-registry ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443"

# If you need Docker to use an HTTP proxy, it can also be specified here.
#export http_proxy="http://127.0.0.1:3128/"

# This is also a handy place to tweak where Docker's temporary files go.
#export TMPDIR="/mnt/bigdrive/docker-tmp"

Restarted the docker service etc. but no luck so far.

dmp42 commented 9 years ago

Insecure registry + authentication is not a supported scenario. The reason for that is it's possible / simple for an attacker to downgrade your traffic to http, thus making the use of plain basic passwords moot.

My recommendation is that instead you put your server.crt into /etc/docker/certs.d/ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443/ca.crt

Hope that helps.

mpas commented 9 years ago

Apologies for my possibly dumb question, but does this mean that the registry cannot be used when using self-signed certificates?

dmp42 commented 9 years ago

@mpas it can - this is why you need to trust that self-signed certificate inside docker (because it's self-signed).

Copying the crt over to /etc/docker/certs.d/ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443/ca.crt does that. (Don't forget to restart docker after doing that.)

mpas commented 9 years ago

@dmp42 Could it be that I need to create the /etc/docker/certs.d directory? The directory now only contains a key.json file. I guess that I need to do this on the server running the registry?

dmp42 commented 9 years ago

You have to create the mentioned directory. And you have to do that on any host that wants to run docker accessing that registry, not on the registry host itself.

It's like running a website with a self-signed certificate: you have to configure your browser to trust it.

mpas commented 9 years ago

@dmp42 thanks for the tips, going to test this tomorrow! Does the placement of the .crt file on the client host mean that I do not need to have the --insecure-registry ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443 anymore?

dmp42 commented 9 years ago

@mpas it does. You might have to trust the cert at the OS level as well, though (since authentication here).
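The two client-side checks discussed in this thread, as an added example that is not part of the issue or of the docker-registry project: confirm that the registry is no longer listed as --insecure-registry in an active DOCKER_OPTS line (so basic-auth credentials cannot be sent over downgraded HTTP), and that the CA file is present where dockerd looks for it. The registry name, the /etc/default/docker path and the sample files are assumed inputs; the audit runs against whatever files you pass it, so it can be tested offline.

```shell
#!/bin/sh
# Added example (not from the docker-registry project): audit a client host's
# daemon settings for one registry (host:port) and report what still needs fixing.

# Path where dockerd looks for a trusted CA for this registry.
certs_d_path() {
    printf '/etc/docker/certs.d/%s/ca.crt\n' "$1"
}

# Read /etc/default/docker (or similar) on stdin; print "insecure" when the
# registry appears in an active, non-commented --insecure-registry option.
insecure_registry_mode() {
    registry="$1"
    if grep -v '^[[:space:]]*#' | grep -q -- "--insecure-registry[= ]$registry"; then
        echo insecure
    else
        echo secure
    fi
}

# Combine both checks. Prints "ok" when the CA file exists and the registry is
# not marked insecure; otherwise prints the remaining fix and returns 1.
audit_registry_trust() {
    registry="$1"; ca_file="$2"; defaults_file="$3"
    mode=$(insecure_registry_mode "$registry" < "$defaults_file")
    if [ "$mode" = insecure ]; then
        echo "remove --insecure-registry $registry: with it, basic-auth logins can be downgraded to plain HTTP"
        return 1
    fi
    if [ ! -s "$ca_file" ]; then
        echo "install the registry certificate at $ca_file and restart docker"
        return 1
    fi
    echo ok
}

# Typical invocation on a client host (assumed registry name and default paths):
# audit_registry_trust registry.example.com:443 \
#     "$(certs_d_path registry.example.com:443)" /etc/default/docker
```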

mpas commented 9 years ago

I was unable to get it working with placing the ca.crt inside the certs.d directory and using the insecure registry. In the end the only thing I needed to do was to import the generated certificate into the OS. No need for other settings.

rajeshetty87 commented 8 years ago

@mpas Could you please let me know how to import the generated certificate in EC2 and make it global so the docker registry can pick it up?