Open devzsolt opened 5 years ago
Looks like adding the cert to /usr/local/share/ca-certificates/ and updating resolves the problem. So it feels like a minor bug for not supporting certs in /etc/docker/certs.d
The push/pull story is being reworked as part of moving to the CNAB runtime. I have no idea if/when it will fix the issue, but that is the reason we did not report back sooner on this. Sorry!
Looks like adding the cert to /usr/local/share/ca-certificates/ and updating resolves the problem. So it feels like a minor bug for not supporting certs in /etc/docker/certs.d
Would this work with Docker Desktop for Mac ?
This is still broken:
$ ./bin/docker-app -D app pull hub.foundries.io/andy-corp/skiparchs@sha256:882cee7b2978dd6d79f68cf0f1c683c644c96d558ade759171cad57269bd7d29
DEBU[0000] insecure registries: []
DEBU[0000] Pulling CNAB Bundle hub.foundries.io/andy-corp/skiparchs@sha256:882cee7b2978dd6d79f68cf0f1c683c644c96d558ade759171cad57269bd7d29
DEBU[0000] Getting OCI Index Descriptor
hub.foundries.io/andy-corp/skiparchs@sha256:882cee7b2978dd6d79f68cf0f1c683c644c96d558ade759171cad57269bd7d29: failed to resolve bundle manifest "hub.foundries.io/andy-corp/skiparchs@sha256:882cee7b2978dd6d79f68cf0f1c683c644c96d558ade759171cad57269bd7d29": failed to do request: Head https://hub.foundries.io/v2/andy-corp/skiparchs/manifests/sha256:882cee7b2978dd6d79f68cf0f1c683c644c96d558ade759171cad57269bd7d29: x509: certificate signed by unknown authority
I can get it further along with a hack like: partial-fix.diff.txt. It's roughly copied from github.com/docker/docker/registry/registry.go. However, I don't see a sane way of handling this in docker-app. The containerd code path for this seems to want the TLS config ahead of time before the code knows what host it needs to connect to.
I've found a slightly better way, but it's still probably something that's not palatable to the upstream:
https://github.com/doanac/app/commit/f26d65516dfa77766f46eb9129cd8f3e424a4826
Description
I have a self-hosted registry provided by Harbor which works well with docker and docker-compose. The registry is only accessible through HTTPS and the certificate is self-signed. To make this work I needed to put the ca.crt into /etc/docker/certs.d/my.domain:customport/. docker login was successful. Seems like docker-app doesn't consider the saved ca.crt but rather fails pushing. This is the exact same error with docker before putting the ca.crt in place.
Steps to reproduce the issue:
ca.crt into /etc/docker/certs.d/your.domain:customport/
Describe the results you received:
Error: Get https://my.domain:customport/v2/: x509: certificate signed by unknown authority
Describe the results you expected:
A successful push to the registry.
Additional information you deem important (e.g. issue happens only occasionally):
It happens always.
Output of docker version:
Output of docker-app version:
Output of docker info:
Additional environment details (AWS, VirtualBox, physical, etc.):
Running on DigitalOcean but I believe it doesn't matter.