project-zot / zot

zot - A scale-out production-ready vendor-neutral OCI-native container image/artifact registry (purely based on OCI Distribution Specification)
https://zotregistry.dev
Apache License 2.0

[Bug]: `tlsVerify` does not work for sync #2557

Open Jauchi opened 1 month ago

Jauchi commented 1 month ago

zot version

v2.1.0 (docker/helm)

Describe the bug

Hello! It seems like the sync plugin does not respect the tlsVerify setting.

To reproduce

1. Configuration

   ```json
   {
     "storage": {
       "rootDirectory": "/var/lib/registry",
       "gc": true
     },
     "http": {
       "address": "0.0.0.0",
       "port": "5000"
     },
     "log": {
       "level": "debug"
     },
     "extensions": {
       "search": {
         "enable": true
       },
       "ui": {
         "enable": true
       },
       "sync": {
         "enable": true,
         "credentialsFile": "/etc/zot/auth.json",
         "registries": [
           {
             "urls": [
               "https://registry.p1ng.link/"
             ],
             "content": [
               {
                 "prefix": "**",
                 "destination": "/p1nglink"
               }
             ],
             "onDemand": true,
             "tlsVerify": false,
             "certDir": "/etc/zot/ca/",
             "onlySigned": false
           }
         ]
       }
     }
   }
   ```

2. `docker pull` from the zot registry (goes to the `p1nglink` registry)
3. Log reads: `{"level":"error","error":"Get \"https://registry.p1ng.link/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority","url":"https://registry.p1ng.link/v2/","component":"sync","errorType":"*url.Error","goroutine":1,"caller":"zotregistry.dev/zot/pkg/extensions/sync/httpclient/client.go:272","time":"2024-07-21T14:47:22.930557924Z","message":"failed to make request"}`

### Expected behavior

Pull should succeed.

### Screenshots

_No response_

### Additional context

I also haven't been able to import the certificate into the container, any help in that direction would also be greatly appreciated (what file goes where)?
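
The two settings in the sync entry above do very different things, and the following added illustration (written for this thread, not zot's own code, and not how zot's sync client actually loads certificates) shows the difference without touching the network. `tlsVerify: false` disables chain validation completely, so any certificate is accepted; `certDir` keeps validation on and only adds the issuer's CA to the trust pool. The example builds a throwaway private CA and a server certificate it signs, writes the CA to a temp directory as `ca.crt`, and then checks the server certificate under each setting. The `*.crt` layout of certDir, the `ca.crt` file name and the host `registry.example.test` are assumptions for the example, not zot's documented layout.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// buildTLSConfig models the two sync knobs. Illustration only, not zot's loader:
// reading every *.crt file in certDir is an assumption about the directory layout.
func buildTLSConfig(tlsVerify bool, certDir string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if !tlsVerify {
		cfg.InsecureSkipVerify = true // chain validation is switched off entirely
		return cfg, nil
	}
	files, err := filepath.Glob(filepath.Join(certDir, "*.crt"))
	if err != nil {
		return nil, err
	}
	pool, loaded := x509.NewCertPool(), 0
	for _, f := range files {
		pemBytes, err := os.ReadFile(f)
		if err != nil {
			return nil, err
		}
		if pool.AppendCertsFromPEM(pemBytes) {
			loaded++
		}
	}
	if loaded == 0 { // an empty pool trusts nothing: every upstream fails with "unknown authority"
		return nil, fmt.Errorf("no CA certificates found in %q", certDir)
	}
	cfg.RootCAs = pool
	return cfg, nil
}

// verifyLeaf runs the chain and hostname check a TLS client performs on the
// server certificate, so each configuration's effect is visible offline.
func verifyLeaf(cfg *tls.Config, leafPEM []byte, host string) error {
	if cfg.InsecureSkipVerify {
		return nil // accepted unchecked: the "works" that is actually unsafe
	}
	block, _ := pem.Decode(leafPEM)
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

// makeTestChain builds a throwaway private CA and a server cert it signs (constructed
// data standing in for the registry's unknown issuer), writes the CA to a fresh temp
// dir as ca.crt (the file a user would mount as certDir; name is an assumption) and
// returns that dir plus the server cert in PEM. The caller removes the dir.
func makeTestChain(host string) (certDir string, leafPEM []byte) {
	check := func(err error) { if err != nil { panic(err) } }
	now := time.Now()
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	leafPub, _, err := ed25519.GenerateKey(rand.Reader) // the server's private key is not needed here
	check(err)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, leafPub, caPriv)
	check(err)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	certDir, err = os.MkdirTemp("", "zot-certdir")
	check(err)
	check(os.WriteFile(filepath.Join(certDir, "ca.crt"), toPEM(caDER), 0o600))
	return certDir, toPEM(leafDER)
}

func main() {
	host := "registry.example.test" // placeholder, not the host from the report
	certDir, leafPEM := makeTestChain(host)
	defer os.RemoveAll(certDir)
	for _, c := range []struct{ verify bool; dir string }{{false, ""}, {true, certDir}} {
		cfg, err := buildTLSConfig(c.verify, c.dir)
		if err == nil {
			err = verifyLeaf(cfg, leafPEM, host)
		}
		fmt.Printf("tlsVerify=%v certDir=%q -> error: %v\n", c.verify, c.dir, err)
	}
}
```

Both runs print no error, but for opposite reasons: with `tlsVerify: false` nothing was checked, while with the CA in `certDir` the chain was validated against a root the operator chose. The empty-pool case in `buildTLSConfig` is the failure worth watching for when mounting the directory into a container: if the CA file does not land where the loader looks, the result is exactly the "certificate signed by unknown authority" error from the report.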

peusebiu commented 1 month ago

Hello @Jauchi. Thanks for trying zot!

I'm not sure what is the problem but I took a guess and pushed a patch for this: https://github.com/project-zot/zot/pull/2558 Can you try it please?

Also, can you post the logs please?

Thank you!

Jauchi commented 1 month ago

Hi there! Sorry for the late response - I actually tried running your commit and didn't realize that your fork was a lot older than expected, so I was hitting errors I couldn't explain before (all good now and I learned a couple of things about docker as well ;).

Right, I ran 1.2.0 with your patch applied:

Not quite sure what you mean by log, is this what you're looking for? log.txt helm_values.txt

Jauchi commented 1 month ago

> Right, I ran 1.2.0 with your patch applied

Sorry, meant 2.1.0 - everything else still applies.

rchincha commented 1 month ago

> `{"level":"error","error":"Get \"https://registry.p1ng.link/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown`

@Jauchi the host above has an invalid certificate - the issuer is unknown and hence unsafe. Is this really what you want? If so, I would just download the CA cert and launch zot from a container.

Jauchi commented 1 month ago

Hi there! Correct, that's exactly what I tried to do using certDir. When that failed, I set tlsVerify to false, which also did not work - hence the issue.

According to my understanding, the helm_values.txt should be set correctly, that's why I'm assuming it's a bug with zot.

rchincha commented 1 month ago

https://github.com/project-zot/zot/pull/2558 ^ does this fix your issue?

Jauchi commented 1 month ago

> 2558 ^ does this fix your issue?

No, I don't think it does, doesn't seem to have any effect. Maybe I messed something up. Could you check whether or not you get an error with an invalid SSL certificate? https://untrusted-root.badssl.com/ as URL should work when skipping CA checks (but will fail because it's not a registry)
