I have a docker distribution v2 registry which I'm using as a mirror. It works using Docker for Mac Community Edition 17.03.1-ce-mac12 (17661), but I am getting a "certificate signed by unknown authority" error when accessing it from a docker-machine node. The setup is as follows:
openssl req -newkey rsa:4096 -nodes -sha256 -keyout "/certs/domain.key" -x509 -days "365" -out "/certs/domain.cert" -subj "/CN=192.168.17.11"
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain $DIR/devenv/domain.cert
docker run -d --restart=always -p 6000:5000 --name registry-mirror -v /Volumes/Data/registry_cache:/var/lib/registry registry:2 /var/lib/registry/config.yml
docker pull busybox
curl -k https://192.168.17.11:6000/v2/_catalog
{"repositories":["library/busybox"]}
docker-machine create -d virtualbox --engine-registry-mirror https://192.168.17.11:6000 mynode
docker-machine ssh mynode "sudo mkdir -p /etc/docker/certs.d/192.168.17.11:6000 && sudo chmod -R 777 /etc/docker/certs.d"
docker-machine scp $DIR/devenv/domain.cert mynode:/etc/docker/certs.d/192.168.17.11:6000/domain.cert
docker-machine scp $DIR/devenv/domain.key mynode:/etc/docker/certs.d/192.168.17.11:6000/domain.key
docker-machine restart mynode
eval $(docker-machine env mynode)
docker info
… Registry Mirrors:
docker pull busybox
cat /var/log/docker.log
… time="2017-05-30T12:33:01.593516721Z" level=debug msg="Trying to pull busybox from https://192.168.17.11:6000/ v2"
time="2017-05-30T12:33:02.539391694Z" level=warning msg="Error getting v2 registry: Get https://192.168.17.11:6000/v2/: x509: certificate signed by unknown authority"
I'm not sure how to get the boot2docker VM to accept the certificate used by the docker distribution v2 registry mirror. Other examples copy a ca.crt for the certificate authority into /etc/certs.d/, but this certificate is self-signed.
A reboot of the OSX box hosting this setup appears to have resolved the problem and for now, pending time to pin it down, this is Good Enough.
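The following script is an added example, not part of the question, showing how to check a certs.d directory the way dockerd will read it before trusting a self-signed registry. Two facts it relies on are documented daemon behaviour: inside /etc/docker/certs.d/<host>:<port>/ only files ending in .crt are loaded as CA roots, while a .cert/.key pair is read as a client certificate; and a self-signed server certificate is its own root, so the certificate itself (not the private key) is what belongs on the client as ca.crt. The script generates a constructed certificate for 192.168.17.11 (the address from the question) with an IP subjectAltName, stages it into a temporary stand-in for the certs.d directory, and runs a check that rejects a directory holding only domain.cert plus domain.key. The function and file names are the example's own; nothing is written under /etc/docker.

```shell
#!/bin/sh
# Added example: stage a self-signed registry certificate the way dockerd
# expects it and check the result offline. Works in a temp dir only.
set -u

REGISTRY_HOST="192.168.17.11"   # value from the question
REGISTRY_PORT="6000"
WORK="$(mktemp -d)"
# Stand-in for /etc/docker/certs.d/192.168.17.11:6000 on the daemon host.
CERTS_D="$WORK/certs.d/$REGISTRY_HOST:$REGISTRY_PORT"

# Constructed self-signed certificate for the registry. It carries an IP SAN
# (a CN alone is not accepted for hostname checks by current Go clients
# such as dockerd) and CA:TRUE so it verifies as its own root.
make_registry_cert() {
  cat > "$WORK/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = $REGISTRY_HOST
[v3_req]
basicConstraints = CA:TRUE
subjectAltName = IP:$REGISTRY_HOST
EOF
  openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
    -config "$WORK/san.cnf" \
    -keyout "$WORK/domain.key" -out "$WORK/domain.cert" >/dev/null 2>&1
}

# Correct client-side layout: the certificate goes in as <name>.crt, which
# dockerd loads as a trust root. The private key stays on the registry host.
stage_ca_cert() {
  mkdir -p "$1"
  cp "$WORK/domain.cert" "$1/ca.crt"
  chmod 644 "$1/ca.crt"
}

# The layout from the question: domain.cert plus domain.key and no *.crt,
# which dockerd reads as a client certificate pair, not as a CA.
stage_question_layout() {
  mkdir -p "$1"
  cp "$WORK/domain.cert" "$1/domain.cert"
  cp "$WORK/domain.key" "$1/domain.key"
}

# check_certs_d DIR HOST: returns 0 when DIR holds at least one *.crt that
# verifies as a root and names HOST in its SAN, and holds no private key.
check_certs_d() {
  dir="$1"; host="$2"; ok=1
  for f in "$dir"/*; do
    [ -e "$f" ] || continue
    case "$f" in
      *.crt)
        # A self-signed root must verify against itself ...
        if ! openssl verify -CAfile "$f" "$f" >/dev/null 2>&1; then
          echo "REJECT $f: does not verify as a root" >&2; continue
        fi
        # ... and must name the address the daemon will connect to.
        if ! openssl x509 -in "$f" -noout -text | grep -q "IP Address:$host"; then
          echo "REJECT $f: no SAN entry for $host" >&2; continue
        fi
        echo "OK     $f: trust root for $host" >&2; ok=0 ;;
      *.key)
        echo "REJECT $f: a private key does not belong in certs.d" >&2
        return 1 ;;
      *.cert)
        echo "NOTE   $f: read as a client certificate, not as a CA" >&2 ;;
    esac
  done
  return $ok
}

# Demo run: the ca.crt layout passes, the question's layout does not.
if make_registry_cert; then
  stage_ca_cert "$CERTS_D"
  BAD="$WORK/bad/$REGISTRY_HOST:$REGISTRY_PORT"
  stage_question_layout "$BAD"
  check_certs_d "$CERTS_D" "$REGISTRY_HOST" && echo "ca.crt layout: trusted"
  check_certs_d "$BAD" "$REGISTRY_HOST" || echo "domain.cert+domain.key layout: not trusted"
else
  echo "openssl not available; nothing generated" >&2
fi
```

On a real node the same check applies to /etc/docker/certs.d/192.168.17.11:6000 after the copy: the file must end in .crt, must carry a SAN for the mirror's address, and the directory should hold no key material, so the chmod -R 777 step is unnecessary once only the certificate is copied.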