
Enable import of certificate for private HTTPS secure registry

Open sparky3387 opened this issue 3 years ago • 5 comments

I did a search and could not find a similar issue or request. On this line it creates the TLS variable in Go to log in to the Docker registry; are we able to pass in a custom CA certificate for this stage?

TLSConfig Variable

The lack of a CA certificate causes the following error:

2022-05-02T02:20:03Z [D] Reason: Get "https://docker-registry:443/v2/": x509: certificate signed by unknown authority
                         container: /containername
                         image: docker-registry:443/containername-image
2022-05-02T02:20:03Z [D] Pulling image
                         container: /containername
                         image: docker-registry:443/containername-image
2022-05-02T02:20:03Z [D] Error pulling image docker-registry:443/containername-image, Error response from daemon: Get "https://docker-registry:443/v2/": x509: certificate signed by unknown authority
2022-05-02T02:20:03Z [I] Unable to update container "/containername": Error response from daemon: Get "https://docker-registry:443/v2/": x509: certificate signed by unknown authority. Proceeding to next.

A link on how the TLSConfig variable can be set up to work in this configuration.

sparky3387 avatar May 02 '22 02:05 sparky3387

Hi there! 👋🏼 As you're new to this repo, we'd like to suggest that you read our code of conduct as well as our contribution guidelines. Thanks a bunch for opening your first issue! 🙏

github-actions[bot] avatar May 02 '22 02:05 github-actions[bot]

Yeah, initial work for allowing custom certs for the notification service was started in https://github.com/containrrr/shoutrrr/pull/185, and the cert pool would need to be seeded from watchtower's side. Using the same pool (or another) for the docker registry lookups shouldn't be an issue. Generally, what needs to be defined is a way to get the certificates into the container. The easiest solution is to just check if a folder exists inside the container and load all certificates from that folder on startup. That way you could just place the certs in a volume.

piksel avatar May 02 '22 09:05 piksel
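The approach sketched in the comment above (check for a folder in the container, load every certificate in it into a pool, hand that pool to the TLS config used for registry lookups) as an added Go example. This is not watchtower's or shoutrrr's code; the function names, the `*.crt`/`*.pem` filter and the `registry-ca.crt` file name are assumptions, and the CA and server certificate are constructed fixtures standing in for a private registry's real CA. The example also shows the two outcomes the issue is about: with an empty pool the server certificate fails with the x509 unknown-authority error, with the folder loaded it verifies, and a hostname mismatch still fails because verification is never disabled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// LoadCertPool seeds a pool with the system roots (a fresh pool if none are available)
// and adds every *.crt / *.pem file found in dir. A missing dir is not an error, since
// the folder is optional; the count lets startup log how many files were loaded.
func LoadCertPool(dir string) (*x509.CertPool, int, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	entries, err := os.ReadDir(dir)
	if os.IsNotExist(err) {
		return pool, 0, nil
	}
	if err != nil {
		return nil, 0, err
	}
	loaded := 0
	for _, e := range entries {
		ext := filepath.Ext(e.Name())
		if e.IsDir() || (ext != ".crt" && ext != ".pem") {
			continue
		}
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, 0, err
		}
		// Fail loudly on a junk file; skipping it silently would reproduce the same
		// "unknown authority" error from the issue with no hint about why.
		if !pool.AppendCertsFromPEM(data) {
			return nil, 0, fmt.Errorf("%s: no PEM certificates found", e.Name())
		}
		loaded++
	}
	return pool, loaded, nil
}

// NewTLSConfig is what the registry (or notification) client would be handed:
// only RootCAs changes, certificate verification stays enabled.
func NewTLSConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// VerifyWithPool runs the chain and hostname check that the TLS handshake
// with the registry performs against the certificate it presents.
func VerifyWithPool(leaf *x509.Certificate, pool *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// must is a fixture helper only: panic on error so the constructed chain stays short.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// MakeTestChain is a constructed fixture: a private CA written as PEM into dir (as an
// operator would mount it) and a server certificate for host signed by that CA,
// returned parsed. It stands in for a real private registry's CA.
func MakeTestChain(dir, host string) *x509.Certificate {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed private CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER))
	must(0, os.MkdirAll(dir, 0o755))
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	must(0, os.WriteFile(filepath.Join(dir, "registry-ca.crt"), caPEM, 0o644))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))
	return must(x509.ParseCertificate(leafDER))
}

func main() {
	dir := filepath.Join(os.TempDir(), "watchtower-ca-demo") // stand-in for a mounted certs volume
	leaf := MakeTestChain(dir, "docker-registry")
	fmt.Println("empty pool:", VerifyWithPool(leaf, x509.NewCertPool(), "docker-registry"))
	pool, n, err := LoadCertPool(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("loaded %d file(s), seeded pool: %v\n", n, VerifyWithPool(leaf, pool, "docker-registry"))
}
```

Seeding the system roots first matters in practice: a pool that holds only the private CA would break pulls from public registries, and it also keeps `InsecureSkipVerify` out of the picture, which is the shortcut operators otherwise reach for when they hit the unknown-authority error.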

Hi @piksel, I wanted to understand the status of support for adding custom CAs to watchtower. The above pull request is active, so I'm assuming such support doesn't exist yet in Watchtower?

intmainreturnzero avatar Mar 08 '24 02:03 intmainreturnzero