docker_auth
Seems like docker_auth and registry can't both work on the same IP with letsencrypt
After a bunch of debugging, it appears letsencrypt requires the requester to be able to reply on 443, so if you've got registry and docker_auth both using it for SSL certs you're out of luck? I wonder if it would be possible to have docker_auth use the json file from registry's letsencrypt request, which would be one way to solve this problem?
Otherwise I think I'm going to have to either get a "real" SSL cert for this server, or set up letsencrypt outside of registry and docker_auth and have it fetch the certs on a cron job? Hmm, or I guess I could let registry fetch the certs and then write a little cron job to suck them out of the letsencrypt.json file and restart the docker_auth container...
Any thoughts?
Thanks for making docker_auth, looks like it's going to be super useful once I get it to work. :)
Chris
@chrishecker I've solved this by using caddy to deal with letsencrypt and have it proxy to the registry and auth server. If you want you can see how I have it set up here: https://github.com/techknowlogick/docker-registry
So I didn't really like the idea of another heavyweight moving part like a proxy server in the mix, and so I went a little crazy and realized that I could use the busybox environment that docker_auth is in to run a shell script that can take the main registry letsencrypt.json file and blow it out to a key and pem file for docker_auth, and if you modify the auth_config.yml file there's already code in docker_auth to restart with the new key and pem. It then sleeps and checks the json every so often... it probably should use inotify. It needs a little cleaning up, but it seems like a pretty clean solution until docker_auth can just take the letsencrypt.json file in its config and parse it when it changes, which is the right solution. Seems like it would only be a few lines of code, but I don't have a Go dev env set up so I haven't messed with it yet.
I can clean this code up and post it if others are interested. I'm not sure if the right way is to inject this thing into docker_auth or have it just be another container in a compose file and they share the json file and whatnot. I assume the latter but I'm new to this container thing.
Chris
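The extract-and-sync loop described in the post above, written out as an added illustration (Python rather than the busybox shell script the poster wrote; this is not the poster's code and not part of docker_auth). The layout of the registry's letsencrypt.json is an assumption here: the thread never shows it, so the sample state uses constructed `Certs[host].Cert` / `Certs[host].Key` PEM fields, and `extract_cert_and_key` is the one place to adapt if the real file differs. The `auth_config.yml` touch relies only on what the post states, that docker_auth restarts when that file is modified.

```python
import json
import os
import tempfile
import time

# Constructed sample in the shape of a Let's Encrypt state file with one host.
# The real registry letsencrypt.json layout is an assumption (the thread never
# shows it); adjust extract_cert_and_key() to the actual field names.
SAMPLE_STATE = json.dumps({
    "Email": "admin@example.com",
    "Hosts": ["registry.example.com"],
    "Certs": {
        "registry.example.com": {
            "Cert": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CERT-BODY\n-----END CERTIFICATE-----\n",
            "Key": "-----BEGIN EC PRIVATE KEY-----\nCONSTRUCTED-KEY-BODY\n-----END EC PRIVATE KEY-----\n",
        }
    },
})


def extract_cert_and_key(state_text, host):
    """Return (cert_pem, key_pem) for host from the JSON state text."""
    state = json.loads(state_text)
    try:
        entry = state["Certs"][host]
        cert, key = entry["Cert"], entry["Key"]
    except KeyError as exc:
        raise KeyError("no certificate for %s in state file" % host) from exc
    # Refuse to write anything that is not PEM: a truncated or half-written
    # state file must not end up as docker_auth's key material.
    for label, pem in (("Cert", cert), ("Key", key)):
        if not (pem.startswith("-----BEGIN ") and "-----END " in pem):
            raise ValueError("%s for %s is not PEM" % (label, host))
    return cert, key


def write_if_changed(path, content, mode):
    """Atomically write content with the given mode; True if the file changed."""
    data = content.encode()
    try:
        with open(path, "rb") as f:
            if f.read() == data:
                return False  # unchanged, so no needless docker_auth restart
    except FileNotFoundError:
        pass
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(tmp, mode)  # os.open's mode is subject to umask; force it
    os.replace(tmp, path)  # rename is atomic, so readers never see a partial file
    return True


def sync_once(state_path, host, cert_path, key_path):
    """Extract host's cert/key from state_path; True if either file changed."""
    with open(state_path) as f:
        cert, key = extract_cert_and_key(f.read(), host)
    cert_changed = write_if_changed(cert_path, cert, 0o644)
    key_changed = write_if_changed(key_path, key, 0o600)  # private key: owner only
    return cert_changed or key_changed


def watch(state_path, host, cert_path, key_path, auth_config, interval=300):
    """Poll forever; touch auth_config when the PEM files change so docker_auth
    reloads them (the post says it restarts on a config change)."""
    while True:
        try:
            if sync_once(state_path, host, cert_path, key_path):
                os.utime(auth_config, None)
        except (OSError, ValueError, KeyError) as exc:
            print("sync skipped: %s" % exc)
        time.sleep(interval)


def demo():
    """Run sync_once twice against the constructed state in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        state = os.path.join(d, "letsencrypt.json")
        cert, key = os.path.join(d, "server.pem"), os.path.join(d, "server.key")
        with open(state, "w") as f:
            f.write(SAMPLE_STATE)
        first = sync_once(state, "registry.example.com", cert, key)
        second = sync_once(state, "registry.example.com", cert, key)
        key_mode = os.stat(key).st_mode & 0o777
        with open(cert) as f:
            cert_ok = f.read().startswith("-----BEGIN CERTIFICATE-----")
    return {"first": first, "second": second, "key_mode": key_mode, "cert_ok": cert_ok}


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping whatever the real JSON layout turns out to be: the key file is created with mode 0600 and renamed into place, so docker_auth never reads a half-written key, and the config file is only touched when the PEM content actually differs, so the auth server is not restarted on every polling tick. The poster's own remark that inotify would beat sleeping applies equally here; `interval` is just the polling fallback.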
Okay, I just went ahead and wrote the code for this in docker_auth, it's way cleaner that way. Here's the pull request, and the comment mentions the issues (nothing serious, a bit of a bootstrap ordering, and a note about testing): https://github.com/cesanta/docker_auth/pull/211