openshift / origin

Conformance test suite for OpenShift
http://www.openshift.org
Apache License 2.0

Unable to login to docker registry with x509 certificate signed by unknown authority error #21691

Closed lrx0014 closed 5 years ago

lrx0014 commented 5 years ago

I installed OKD with ansible-playbook, and I want to push/pull docker images from another machine using the public docker-registry host. I followed the hint from the atomic registry web console:

Log into the registry: 
$ sudo docker login -p w4cu5RvMdI1TAaQXshjdtNCgSgPkkopifwKz6F8_1EA -e unused -u unused docker-registry-default.master.openshift.me

Log into OpenShift command line tools: 
$ oc login --token w4cu5RvMdI1TAaQXshjdtNCgSgPkkopifwKz6F8_1EA master.openshift.me:8443

but I get an "x509: certificate signed by unknown authority" error when I execute the docker login command.

Next I followed this page to add a registry.crt to /etc/docker/cert.d/docker-registry-default.master.openshift.me/:

https://access.redhat.com/solutions/3654811

It is still unable to log in.

Moreover, why is the value of the '-u' parameter 'unused'? Is that normal?

Version

openshift v3.11.0+62803d0-1 kubernetes v1.11.0+d4cacc0 features: Basic-Auth GSSAPI Kerberos SPNEGO

docker-1.13.1-87.git07f3374.el7.x86_64

Steps To Reproduce

Installed OKD with ansible

$ oc get po,svc,route

NAME                           READY     STATUS    RESTARTS   AGE
pod/docker-registry-1-ksr45    1/1       Running   2          1h
pod/registry-console-1-h9hch   1/1       Running   2          1h
pod/router-2-jdx6j             1/1       Running   0          30m

NAME                       TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                   AGE
service/docker-registry    ClusterIP   172.30.16.246   <none>        5000/TCP                  1h
service/kubernetes         ClusterIP   172.30.0.1      <none>        443/TCP,53/UDP,53/TCP     1h
service/registry-console   ClusterIP   172.30.4.22     <none>        9000/TCP                  1h
service/router             ClusterIP   172.30.23.27    <none>        80/TCP,443/TCP,1936/TCP   1h

NAME                                        HOST/PORT                                        PATH      SERVICES           PORT      TERMINATION   WILDCARD
route.route.openshift.io/docker-registry    docker-registry-default.master.openshift.me              docker-registry    <all>     passthrough   None
route.route.openshift.io/registry-console   registry-console-default.master.openshift.me             registry-console   <all>     passthrough   None

add registry.crt to /etc/docker/cert.d/.........

Current Result
$ sudo docker login -p w4cu5RvMdI1TAaQXshjdtNCgSgPkkopifwKz6F8_1EA -e unused -u unused docker-registry-default.master.openshift.me

Error response from daemon: Get https://docker-registry-default.master.openshift.me/v1/users/: x509: certificate signed by unknown authority

spock123 commented 5 years ago

@lrx0014 did you solve this? Having the same issue.. thanks

lrx0014 commented 5 years ago

@spock123 I copied the path /etc/docker/cert.d/docker-registry.default.svc:5000 to /etc/docker/cert.d/docker-registry-default.master.openshift.me

and the docker-registry-default.master.openshift.me is the public address of my openshift docker registry, then the docker login command returned "login success"

spock123 commented 5 years ago

Thank you, yes I resolved it the same way.

Thanks

gielvandanu commented 5 years ago

@spock123 I copied the path /etc/docker/cert.d/docker-registry.default.svc:5000 to /etc/docker/cert.d/docker-registry-default.master.openshift.me

and the docker-registry-default.master.openshift.me is the public address of my openshift docker registry, then the docker login command returned "login success"

Sorry, I'm having the same issue. I still don't understand. What did you actually do? Copy the certificate to docker-registry-default.master.openshift.me?

spock123 commented 5 years ago

@gielvandanu

First you generate a certificate on the registry (modify to use your service/server names instead of mine). In the following my registry service is at registry.testcloud.oresundsbron.com and the host of the registry is njord.oresundsbron.com:

oc adm ca create-server-cert \
    --signer-cert=/etc/origin/master/ca.crt \
    --signer-key=/etc/origin/master/ca.key \
    --signer-serial=/etc/origin/master/ca.serial.txt \
    --hostnames='registry.testcloud.oresundsbron.com,njord.oresundsbron.com,docker-registry-default.testcloud.oresundsbron.com,10.49.1.12' \
    --cert=/etc/secrets/registry.crt \
    --key=/etc/secrets/registry.key

Then you copy the generated certificate file /etc/origin/master/ca.crt to your docker client machine at /etc/docker/certs.d/docker-registry-default.testcloud.oresundsbron.com

Restart docker service on the client machine so the new certificate is registered

Get a token from the registry:

oc login
oc whoami -t  

Now login to your registry from the client machine:

docker login -u <your-oc-login-name> -p <token-from-whoami> docker-registry-default.testcloud.oresundsbron.com

Hope this helps.. if you ask me it's a mess
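As an added example (not code from this thread, from OpenShift or from Docker), the Go program below reproduces the trust decision behind the error in this thread, covering both the fix lrx0014 described (copying the CA into a certs.d directory named after the public route host) and the procedure above. The docker daemon is written in Go, and "x509: certificate signed by unknown authority" is the text of Go's x509.UnknownAuthorityError: the daemon loads every *.crt under /etc/docker/certs.d/<host>/ as a trust root for that host, which is why the directory name has to match the host given to docker login, and verifies the registry's serving certificate against those roots with <host> as the expected name, which is why the public route host has to be among the --hostnames when the serving cert is created. The cluster CA, the registry certificate and the hostnames are constructed in memory; NewClusterCA, NewRegistryCert, VerifyRegistry and Scenarios are names chosen for this example, not OpenShift or Docker APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns
// the parsed certificate together with the key pair generated for it.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil { // self-signed root
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key
}

// NewClusterCA stands in for the cluster signer (/etc/origin/master/ca.crt);
// it is a constructed, throwaway CA and nothing here reads the real files.
func NewClusterCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-cluster-signer"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// NewRegistryCert plays the part of `oc adm ca create-server-cert --hostnames=...`:
// a serving cert signed by the cluster CA whose DNS SANs are exactly the listed names.
func NewRegistryCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, hostnames []string) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostnames[0]},
		DNSNames:     hostnames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert
}

// VerifyRegistry is the trust decision the docker daemon makes for one host: the
// *.crt files under /etc/docker/certs.d/<host>/ form the root pool, and the serving
// cert must chain to one of them and carry <host> as a SAN. Returns a failure class.
func VerifyRegistry(serverCert *x509.Certificate, trustedCAs []*x509.Certificate, host string) string {
	roots := x509.NewCertPool() // stays empty when host has no certs.d directory
	for _, ca := range trustedCAs {
		roots.AddCert(ca)
	}
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA): // docker reports this as "x509: certificate signed by unknown authority"
		return "unknown authority"
	case errors.As(err, &badName):
		return "hostname mismatch"
	}
	return "other: " + err.Error()
}

// Scenarios replays the thread with constructed names: the route host given to
// `docker login` must be among the SANs, and certs.d/<route host>/ must hold the cluster CA.
func Scenarios() map[string]string {
	ca, caKey := NewClusterCA()
	strangerCA, _ := NewClusterCA() // an unrelated CA, e.g. a cert copied from another cluster
	routeHost := "docker-registry-default.master.openshift.me"
	reg := NewRegistryCert(ca, caKey, []string{"docker-registry.default.svc", routeHost})
	return map[string]string{
		"cluster CA under certs.d/<route host>": VerifyRegistry(reg, []*x509.Certificate{ca}, routeHost),
		"no certs.d directory for route host":   VerifyRegistry(reg, nil, routeHost),
		"wrong CA under certs.d":                VerifyRegistry(reg, []*x509.Certificate{strangerCA}, routeHost),
		"route host missing from --hostnames":   VerifyRegistry(reg, []*x509.Certificate{ca}, "registry.example.invalid"),
	}
}

func main() {
	for name, result := range Scenarios() {
		fmt.Printf("%-40s -> %s\n", name, result)
	}
}
```

Run it with `go run`; the first scenario reports ok, the two without the cluster CA report unknown authority (the thread's error), and the last reports hostname mismatch, which is the failure you get when the cert is trusted but the public route host was left out of --hostnames. On a real client the same two conditions can be checked with openssl: fetch the served chain with `openssl s_client -connect <host>:443 -servername <host>` and verify it with `openssl verify -CAfile /etc/docker/certs.d/<host>/ca.crt`.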

gielvandanu commented 5 years ago

@spock123 thank you. It works!!

spock123 commented 5 years ago

@gielvandanu that's great to hear! Super!!!