
Docker private registry | TLS certificate issue


I've tried to follow the following tutorial to set up our own private registry (v2) on an AWS CentOS machine.

I've self-signed a TLS certificate and placed it in /etc/docker/certs.d/MACHINE_STATIC_IP:5000/

When trying to log in to the registry (docker login MACHINE_IP:5000) or push a tagged repository (MACHINE_IP:5000/ubuntu:latest) I get the following error:

Error response from daemon: Get https://MACHINE_IP:5000/v1/users/: x509: cannot validate certificate for MACHINE_IP because it doesn't contain any IP SANs

I tried to search for an answer for 2 days, but I couldn't find any. I've set the certificate CN (common name) to MACHINE_STATIC_IP:5000.


Solution

  • When using a self-signed TLS certificate, the Docker daemon requires you to add the certificate to its known certificates.

    Use the keytool command to grab the certificate:

    keytool -printcert -sslserver ${NEXUS_DOMAIN}:${SSL_PORT} -rfc > ${NEXUS_DOMAIN}.crt

    And copy it to your client machine's SSL certificates directory (in my case, Ubuntu):

    sudo cp ${NEXUS_DOMAIN}.crt /usr/local/share/ca-certificates/${NEXUS_DOMAIN}.crt && sudo update-ca-certificates

    Now reload the Docker daemon and you're good to go:

    sudo systemctl restart docker
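The x509 error in the question says the certificate has no IP SAN: Go's verifier (which the Docker daemon uses) matches an IP-addressed host only against subjectAltName entries, never against the CN. As an added example, not from the post or the answer above, this script issues a self-signed registry certificate that carries the registry IP in its SAN and checks that the SAN is really there; the IP 203.0.113.10, the DNS name and the output paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: self-signed registry cert with an IP SAN, plus a check.
# 203.0.113.10 and registry.example.internal are constructed placeholders.
set -e

# Write an openssl config whose subjectAltName lists the registry IP
# (and an optional DNS name). The CN is set to the IP too, but only the
# SAN counts for the "doesn't contain any IP SANs" check.
write_san_config() {
    # $1 = output file, $2 = registry IP, $3 = optional DNS name
    san="IP:$2"
    if [ -n "$3" ]; then san="$san,DNS:$3"; fi
    cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $2
[v3_req]
subjectAltName = $san
extendedKeyUsage = serverAuth
EOF
}

# Generate a private key and a self-signed certificate (valid 365 days)
# from that config. domain.crt is what goes into the registry's TLS
# config and, as ca.crt, into /etc/docker/certs.d/<IP>:5000/ on clients.
make_registry_cert() {
    # $1 = output dir, $2 = registry IP, $3 = optional DNS name
    mkdir -p "$1"
    write_san_config "$1/san.cnf" "$2" "$3"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -keyout "$1/domain.key" -out "$1/domain.crt" \
        -config "$1/san.cnf" >/dev/null 2>&1
}

# Return 0 if the certificate's SAN lists the given IP, 1 otherwise.
# openssl prints SAN IPs as "IP Address:<ip>" in its text dump.
cert_has_ip_san() {
    # $1 = certificate path, $2 = expected IP
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q "IP Address:$2"
}
```

Run make_registry_cert ./certs 203.0.113.10 and then cert_has_ip_san ./certs/domain.crt 203.0.113.10 to confirm the SAN before restarting the registry.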