'notary list' working on local host but not from remote host

[chunglam1999]

1. notary Version: 0.4.2 Git commit: c8aa8cf

2. notary server version (0.5.0)

3. local private registry

4. Local host: [root@localhost ~]# notary -s https://127.0.0.1:4443 -d ~/.docker/trust list stacy.com/release NAME DIGEST SIZE (BYTES) ROLE

   ---

   v1 a74dc453303e98523f20bb0a6c9074c18c7db46b5ce35ea88e24d3e631da0f3d 85 targets v2 cb6ca5b56d860b580d48f410fd78573ca303e8f5dcdab0c82969e6e1055f10d8 113 targets

5. Remote host: [root@lenovo-2 ~]# notary --debug -s https://192.168.1.4:4443 -d ~/.docker/trust list stacy.com/release DEBU[0000] Using the following trust directory: /root/.docker/trust DEBU[0000] Trusting 1 certs
   ERRO[0000] could not reach https://192.168.1.4:4443: Get https://192.168.1.4:4443/v2/: x509: certificate is valid for 127.0.0.1, not 192.168.1.4 INFO[0000] continuing in offline mode
   DEBU[0000] No yubikey found, using alternative key storage: no library found

• fatal: client is offline

  6. The notary-server.crt is:

     openssl x509 -in /root/notary/fixtures/root-ca.crt -text -noout X509v3 extensions: X509v3 Authority Key Identifier: keyid:2F:8E:9A:D7:A6:EB:6B:35:09:D5:88:52:0D:71:AF:F6:18:B0:B3:18

     X509v3 Basic Constraints: critical
         CA:FALSE
     X509v3 Extended Key Usage: 
         TLS Web Server Authentication, TLS Web Client Authentication
     X509v3 Key Usage: critical
         Digital Signature, Key Encipherment
     X509v3 Subject Alternative Name: 
         DNS:notary-server, DNS:notaryserver, DNS:localhost, IP Address:127.0.0.1

It seems the notary server only accepts the connect from local host

[chunglam1999]

it seems the notary server has configured to accpt requests from local host: regenerateTestingCerts.sh cat > "notary-server.cnf" <<EOL [notary_server] authorityKeyIdentifier=keyid,issuer basicConstraints = critical,CA:FALSE extendedKeyUsage=serverAuth,clientAuth keyUsage = critical, digitalSignature, keyEncipherment subjectAltName = DNS:notary-server, DNS:notaryserver, DNS:localhost, IP:127.0.0.1 subjectKeyIdentifier=hash EOL

[riyazdf]

@chunglam1999: yep, as you point out, regenerateTestingCerts.sh is meant to generate test fixtures for running on localhost or notary-server/notaryserver DNS. You can try locally overriding an /etc/hosts entry for notaryserver and the remote IP if this is for testing purposes.

That said, we recommend generating your own certificates in a production setting, and you can probably modify that script to fit your needs

[endophage]

It seems like this is resolved and due to incorrectly configured x509 certificates. Closing the issue. Please re-open if this is not the case or file a new issue for anything else that comes up.