
Unable to get authorized/self-signed certificate using registry 2.0 / 2.0.1

Open mpas opened this issue 10 years ago • 14 comments

When using the container I am unable to authorize even when setting the --insecure-registry option inside the /etc/default/docker file.

Authentication via browser when using https works ok, but when I try to authorize via the docker client I get an error message pointing to v1.

The following error is the result when I try to authorize: FATA[0004] Error response from daemon: v1 ping attempt failed with error: Get https://ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443/ca.crt

mpas avatar Jun 03 '15 17:06 mpas

Did you try to install the certificate on the client docker daemon?

In the case of HTTPS, if you have access to the registry's CA certificate,
no need for the flag; simply place the CA certificate at
/etc/docker/certs.d/ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443/ca.crt

MarvAmBass avatar Jun 03 '15 17:06 MarvAmBass

Did you add

--insecure-registry ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443

to the daemon's arguments?

MarvAmBass avatar Jun 03 '15 17:06 MarvAmBass

I indeed did put the setting in the daemon arguments... at least I think I did it in the correct place..

root@ubuntu:/home/acme# cat /etc/default/docker
# Docker Upstart and SysVinit configuration file

# Customize location of Docker binary (especially for development testing).
#DOCKER="/usr/local/bin/docker"

# Use DOCKER_OPTS to modify the daemon startup options.
#DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"
DOCKER_OPTS="$DOCKER_OPTS --insecure-registry ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443"

# If you need Docker to use an HTTP proxy, it can also be specified here.
#export http_proxy="http://127.0.0.1:3128/"

# This is also a handy place to tweak where Docker's temporary files go.
#export TMPDIR="/mnt/bigdrive/docker-tmp"
root@ubuntu:/home/acme# 

Restarted the docker daemon by executing: sudo service docker restart

mpas avatar Jun 03 '15 18:06 mpas

I followed your tutorial on generating the certificate using: openssl req -x509 -newkey rsa:4086 -keyout key.pem -out cert.pem -days 3650 -nodes. This resulted in 2 files. Stupid question maybe, but I seem to be missing the ca.crt; this is not generated.

mpas avatar Jun 03 '15 18:06 mpas

Could you elaborate on how I can get a ca.crt file? This needs to be added to the client docker daemon?

mpas avatar Jun 03 '15 18:06 mpas

Hey mpas, this is basic ssl understanding - you should check the concept behind the whole ssl and tls stuff.

In my tutorial you generate a self-signed cert without the need of a CA. This is an easy way to get it running quickly, but you give up many ssl features like checking the authenticity without knowing the guy who created the cert (which is you if it's self-signed, so docker won't trust this certificate without extra work).

In your case the ca.crt file is similar to your certificate, because there is no CA which signed it.

Did you restart your docker service after editing the config file?

MarvAmBass avatar Jun 03 '15 19:06 MarvAmBass

Yep, I restarted the docker service and exactly followed the provided tutorial and am somehow hitting a wall. I am going to try to generate a .crt file from a .pem file and use the .crt on the client.

mpas avatar Jun 03 '15 19:06 mpas

Did you try to copy your cert.pem to /etc/docker/certs.d/ec2-52-17-207-222.eu-west-1.compute.amazonaws.com:443/ca.crt ?

MarvAmBass avatar Jun 03 '15 19:06 MarvAmBass

That is indeed what I am going to try! Thanks for pointing that out. I was not aware that a .pem can just be used as a .crt file. Will provide an update on the status.

mpas avatar Jun 03 '15 19:06 mpas

I also meet this issue with registry 2.1, when I follow all the steps of this tutorial. It really works with the link (https://myregistry.com:443/v2/) in the browser, and asks for login, and then shows the empty registry. But when I use the docker command to login, it shows like below. Also I have tried to add --insecure-registry myregistry.com:443 to the daemon's arguments, but it doesn't work. Would you please give me some suggestion, or must I turn back to registry 1.x?

[root@iZ23njashoyZ nginx_registry_external]# docker login https://myregistry.com:443 Username: admin Password: Email: Error response from daemon: invalid registry endpoint https://myregistry.com:443/v0/: unable to ping registry endpoint https://myregistry.com:443/v0/ v2 ping attempt failed with error: Get https://myregistry.com:443/v2/: x509: cannot validate certificate for myregistry.com because it doesn't contain any IP SANs v1 ping attempt failed with error: Get https://myregistry.com:443/v1/_ping: x509: cannot validate certificate for myregistry.com because it doesn't contain any IP SANs. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry myregistry.com:443 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/myregistry.com:443/ca.crt

stigmergy-xx avatar Oct 21 '15 15:10 stigmergy-xx
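The two certificate problems in this thread (a self-signed cert that has to double as ca.crt, and a cert that "doesn't contain any IP SANs") come down to how the cert is generated and how it is checked on the client. The following script is an added example, not code from the tutorial or from this project: it generates a self-signed cert that carries both a DNS and an IP subjectAltName, verifies that the cert validates against itself (which is exactly what docker does once it is installed as ca.crt), and prints where the client daemon expects it. The hostname, IP and temp dir are assumptions.

```shell
#!/bin/sh
# Added example (not from the project). Hostname and IP are constructed values.
set -eu

REGISTRY_HOST="${REGISTRY_HOST:-myregistry.example}"   # assumed registry name
REGISTRY_IP="${REGISTRY_IP:-192.0.2.10}"               # assumed registry IP (TEST-NET-1)
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate a self-signed cert whose SAN lists the DNS name AND the IP.
# Without SAN entries, docker's Go TLS stack reports "doesn't contain any IP SANs"
# when the registry is reached by IP, and hostname matching fails as well on newer clients.
gen_selfsigned_with_san() {
  cat > "$WORKDIR/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ext
prompt = no
[dn]
CN = $REGISTRY_HOST
[v3_ext]
subjectAltName = DNS:$REGISTRY_HOST,IP:$REGISTRY_IP
basicConstraints = CA:TRUE
keyUsage = digitalSignature,keyEncipherment,keyCertSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
    -config "$WORKDIR/san.cnf" 2>/dev/null
}

# A self-signed cert is its own issuer, so it must verify against itself.
# This is the check docker performs once cert.pem is installed as ca.crt.
verify_self_signed() {
  openssl verify -CAfile "$WORKDIR/cert.pem" "$WORKDIR/cert.pem" >/dev/null 2>&1
}

# Show the SAN block so the DNS/IP entries can be confirmed before installing.
show_san() {
  openssl x509 -in "$WORKDIR/cert.pem" -noout -text | grep -A1 'Subject Alternative Name'
}

# Path the client docker daemon reads for this registry (from its own error message).
client_ca_path() {
  printf '/etc/docker/certs.d/%s:443/ca.crt\n' "$REGISTRY_HOST"
}

gen_selfsigned_with_san
verify_self_signed && echo "cert.pem verifies against itself: usable as ca.crt"
show_san
echo "copy $WORKDIR/cert.pem to $(client_ca_path) on the client, then restart docker"
```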

Hi, my problem is: Error response from daemon: no successful auth challenge for https://registry.xxx.com/v2/ - errors: [basic auth attempt to https://registry.xxx.com/v2/ realm "Registry realm" failed with status: 404 Not Found]

vTNT avatar Nov 03 '15 05:11 vTNT

I have the same problem as @stigmergy-xx

JonathanRosado avatar Jan 20 '16 16:01 JonathanRosado

@jrosadohp https://github.com/vTNT/ansible-docker-registry-v2/blob/master/nginx/templates/nginx.j2 you can try this

vTNT avatar Jan 21 '16 02:01 vTNT

@vTNT

no successful auth challenge for https://registry.xxx.com/v2/ - errors: [basic auth attempt to https://registry.xxx.com/v2/ realm "Registry realm" failed with status: 404 Not Found]

Is there a way to solve this problem?

edwin--zhao avatar Apr 20 '16 13:04 edwin--zhao