Tags: linux, docker, ssl, docker-registry, podman

How can I update the self-signed SSL/TLS certificate of the Docker private registry without needing to remove the existing images?


I have a docker private registry deployed locally at 127.0.0.1:443, which is protected with a self-signed SSL/TLS certificate. This registry contains images that are used during container deployment.

However, I am currently facing an issue where the SSL/TLS certificate has expired, and I am no longer able to log in using the command:

docker login -u 'username:test' https://127.0.0.1:443

Executing the above command results in the following error:

Error response from daemon: Get "https://127.0.0.1:443/v2/": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-01-01T14:04:11+04:30 is after 2023-11-12T05:19:15Z

What I did was to generate a new set of certificates and then restart/reinitialize the Docker container as follows:

docker run -d \
--restart=always \
--name registry \
-v `pwd`/auth:/auth \
-v `pwd`/certs:/certs \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/certificate.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/private.key \
-p 443:443 registry:2

This approach was successful, but as you can observe, it represents a fresh deployment. Consequently, all the images have been removed from the registry.

2nd Guess: I also uploaded the new certificates to the docker container as follows:

docker cp certs <registry_container_id>:/certs

and restarted the container:

docker restart <registry_container_id>

The aforementioned action led to the private key not being parsed, consequently causing the container to fail during the restart.

On another note, is there a method to update the SSL/TLS certificate of the Docker registry without causing any disruptions?


Solution

  • The registry image stores uploaded images at /var/lib/registry, so to persist them from container instance to container instance, you need to map a volume or a host directory to that path.

    For instance, if you want to store the images in a volume called my-images, you'd add

    -v my-images:/var/lib/registry

    to your docker run command.
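As an added example, not part of the answer above: a small POSIX shell script that applies this advice when rotating the certificate. It first checks that the image store is on a volume, so a restart or re-creation cannot drop the images, then replaces the certificate files on the host side of the certs bind mount and restarts the container. It assumes the container is named registry, that the host certs directory is bind-mounted at /certs as in the question's docker run, and that GNU date, openssl and the docker CLI are available on the host.

```shell
#!/bin/sh
# Added example (not from the original post). Rotate the TLS certificate of a
# registry:2 container without losing images: refuse unless /var/lib/registry
# is on a volume, then swap the cert files on the host and restart.
set -eu

REGISTRY_DIR=/var/lib/registry   # where registry:2 keeps pushed images

# Return 0 when the newline-separated mount destinations in $1 include the
# image store, i.e. images live outside the container's writable layer.
has_persistent_store() {
    printf '%s\n' "$1" | grep -qx "$REGISTRY_DIR"
}

# Mount destinations of a container, one per line (needs the docker CLI).
container_mounts() {
    docker inspect --format '{{range .Mounts}}{{.Destination}}{{"\n"}}{{end}}' "$1"
}

# Whole days until the certificate file $1 expires; negative once expired.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# One-time export for a container created without the volume (as in the
# question): copy the store to host directory $2, then re-create the container
# with "-v $2:/var/lib/registry" added to the docker run command.
export_store() {
    docker cp "$1:$REGISTRY_DIR/." "$2"
}

# Replace certificate.crt/private.key in the host certs dir (bind-mounted at
# /certs) and restart so the registry re-reads them at startup.
rotate_cert() {
    container=$1; certs_dir=$2; new_crt=$3; new_key=$4
    if ! has_persistent_store "$(container_mounts "$container")"; then
        echo "$container: $REGISTRY_DIR is not a volume; run export_store first" >&2
        return 1
    fi
    echo "old certificate expires in $(cert_days_left "$certs_dir/certificate.crt") days"
    cp "$new_crt" "$certs_dir/certificate.crt"
    cp "$new_key" "$certs_dir/private.key"
    docker restart "$container"
}

# Constructed samples of container_mounts output: the docker run in the question
# (no volume for the image store) and the same run with -v my-images:/var/lib/registry.
MOUNTS_WITHOUT_VOLUME="/auth
/certs"
MOUNTS_WITH_VOLUME="/auth
/certs
/var/lib/registry"

# Usage: ./rotate-registry-cert.sh registry ./certs new.crt new.key
if [ $# -eq 4 ]; then rotate_cert "$@"; fi
```

Because the registry only reads the certificate and key at startup, the restart is the only interruption; with the volume in place the pushed images are untouched by it.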