docker-archive / docker-registry

This is **DEPRECATED**! Please go to https://github.com/docker/distribution
Apache License 2.0

Secured (TLS + Auth) private docker registry access (invalid registry endpoint) #1079

Open jeusdi opened 8 years ago

jeusdi commented 8 years ago

Issue Report

I've created a private docker registry with TLS and authorization. I run this container in order to start it:

    $ docker run -d -p 5000:5000 --restart=always --name registry \
        -v /root/docker-registry/auth:/auth \
        -e "REGISTRY_AUTH=htpasswd" \
        -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        -v /root/docker-registry/certs:/certs \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
        -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
        -v /root/docker-registry/data:/var/lib/registry \
        registry:2

Everything seems to be right:

    $ netstat -tupln | grep 5000
    tcp6       0      0 :::5000       :::*      LISTEN      3160/docker-proxy
    $ docker ps
    CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                          PORTS                    NAMES
    27e79f6a504c        registry:2          "/bin/registry serve "   About an hour ago   Restarting (2) 36 minutes ago   0.0.0.0:5000->5000/tcp   registry

So registry is running and listening on port 5000.

On the other hand, I set up a CoreOS instance and, according to this documentation, I've added a .docker/config.json with authentication in the docker user's home directory, with this content:

{
    "https://x.x.x.x:5000/": {
            "auth": "xxxxxxxxxxxxxxx=",
            "email": "xxxi@mail.com"
    }
}

I've already added the certificate (ca.crt) in /etc/ssl/certs and in /etc/docker/certs.d/x.x.x.x:5000/.

From this CoreOS instance, I'm trying to do this:

$ docker login https://x.x.x.x:5000
Username: xxx
Password:
Email: xxx@mail.com

And it tells me:

Error response from daemon: invalid registry endpoint https://x.x.x.x:5000/v0/: unable to ping registry endpoint https://x.x.x.x:5000/v0/ v2 ping attempt failed with error: Get https://x.x.x.x:5000/v2/: EOF v1 ping attempt failed with error: Get https://x.x.x.x:5000/v1/_ping: EOF. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry x.x.x.x:5000 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/x.x.x.x:5000/ca.crt

I've also tried to connect directly with openssl:

openssl s_client -connect x.x.x.x:5000

The output is:

CONNECTED(00000003)
140180300502672:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1467812448
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


CoreOS Version

NAME=CoreOS
ID=coreos
VERSION=1010.6.0
VERSION_ID=1010.6.0
BUILD_ID=2016-06-28-0910
PRETTY_NAME="CoreOS 1010.6.0 (MoreOS)"
ANSI_COLOR="1;32"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://github.com/coreos/bugs/issues"

Environment

VM machine provided on VirtualBox by Vagrant.
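A diagnostic helper, added here as an example and not part of the original issue or of the registry project, that classifies `docker ps` and `openssl s_client` output of the kind shown in the report above. It encodes two checks a practitioner makes before reaching for `--insecure-registry`: a STATUS of `Restarting (2)` means the published port is still held by docker-proxy while no process answers behind it, which the client sees as a connection that is accepted and then closed (EOF on `/v2/`, `SSL handshake has read 0 bytes`); and `Verify return code: 0 (ok)` next to `no peer certificate available` means no certificate was ever received, not that verification passed. The sample status strings and transcripts are constructed to mirror the report (container `registry`, port 5000), and the `live_probe` wiring that shells out to `docker` and `openssl` is an assumption about how a reader would hook it up; with no arguments the script only evaluates the embedded samples.

```shell
#!/usr/bin/env bash
# Added diagnostic helper (example code, not from the issue or the registry
# project). It classifies "docker ps" and "openssl s_client" output so an EOF
# on /v2/ is traced to its cause before anyone reaches for --insecure-registry.

# Constructed samples mirroring the report above (container "registry", port 5000).
SAMPLE_PS_RESTARTING='Restarting (2) 36 minutes ago'
SAMPLE_PS_UP='Up 2 hours'
SAMPLE_SSL_EOF='CONNECTED(00000003)
140180300502672:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 308 bytes
    Verify return code: 0 (ok)'
SAMPLE_SSL_UNKNOWN_CA='CONNECTED(00000003)
depth=0 CN = x.x.x.x
verify error:num=20:unable to get local issuer certificate
    Verify return code: 21 (unable to verify the first certificate)'
SAMPLE_SSL_OK='CONNECTED(00000003)
depth=1 CN = Example Registry CA
verify return:1
    Verify return code: 0 (ok)'

# container_state "<docker ps STATUS column>" -> restarting|exited|up|unknown
container_state() {
  case "$1" in
    *"Restarting ("*) echo restarting ;;   # crash loop: the port stays published by docker-proxy
    *"Exited ("*)     echo exited ;;
    *"Up "*)          echo up ;;
    *)                echo unknown ;;
  esac
}

# tls_verdict "<openssl s_client output>" -> no-handshake|unknown-ca|verified|unknown
# The "no peer certificate" test comes first on purpose: "Verify return code: 0 (ok)"
# is also printed when no certificate arrived, because there was nothing to verify.
tls_verdict() {
  local out="$1"
  if printf '%s' "$out" | grep -Fq 'no peer certificate available'; then
    echo no-handshake
  elif printf '%s' "$out" | grep -Eq 'unable to get local issuer certificate|unable to verify the first certificate'; then
    echo unknown-ca
  elif printf '%s' "$out" | grep -Fq 'Verify return code: 0 (ok)'; then
    echo verified
  else
    echo unknown
  fi
}

# diagnose <container state> <tls verdict> -> recommended next step
diagnose() {
  case "$1/$2" in
    restarting/*|exited/*)
      echo "registry process is down; docker-proxy accepts TCP and closes it, which the client sees as EOF. Read 'docker logs <name>' (typical causes: non-bcrypt htpasswd entries, unreadable cert/key, cert/key mismatch)" ;;
    up/no-handshake)
      echo "process is up but nothing speaks TLS on the port; check that REGISTRY_HTTP_TLS_CERTIFICATE/KEY point at files that exist inside the container" ;;
    up/unknown-ca)
      echo "TLS works but the client does not trust the issuer; put ca.crt in /etc/docker/certs.d/<host:port>/ and retry with -CAfile" ;;
    up/verified)
      echo "transport and trust are fine; look past the handshake (IP/SAN mismatch in the cert, 401 from htpasswd auth)" ;;
    *)
      echo "inconclusive; capture 'docker inspect <name>' and a full openssl s_client transcript" ;;
  esac
}

# live_probe <host:port> <ca.crt> <container name>  (assumed wiring; needs docker and openssl)
live_probe() {
  local status ssl_out
  status=$(docker ps -a --filter "name=$3" --format '{{.Status}}' | head -n 1)
  ssl_out=$(openssl s_client -connect "$1" -CAfile "$2" </dev/null 2>&1 || true)
  diagnose "$(container_state "$status")" "$(tls_verdict "$ssl_out")"
}

if [ "$#" -eq 3 ]; then
  live_probe "$@"
else
  # Offline run: the situation in the report, a restarting container and a 0-byte handshake.
  diagnose "$(container_state "$SAMPLE_PS_RESTARTING")" "$(tls_verdict "$SAMPLE_SSL_EOF")"
fi
```

Run it as `./probe.sh x.x.x.x:5000 /path/to/ca.crt registry` to probe a live host. For the `restarting` branch, `docker logs registry` normally names the reason; two caveats worth knowing for `registry:2` are that the htpasswd file must contain bcrypt entries (`htpasswd -Bbn user password`), and that a certificate used for an IP address endpoint needs that IP in its subject alternative names, or the Docker client will reject it even when the CA is trusted.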