distribution-library-image
registry incompatible with Let's Encrypt
because they turn off their ACMEv1 API.
I use
docker run -d -p 443:5000 --name registry \
-v `pwd`:/etc/docker/registry/ \
-v registry:/var/lib/registry \
-e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
-e REGISTRY_HTTP_HOST=https://docker.example.com \
-e REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE=/etc/docker/registry/letsencrypt.json \
-e [email protected] \
registry:2
and get this error:
FATA[0001] register: acme: Error 403 - urn:acme:error:unauthorized - Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
so I guess the registry:2 image needs to support ACMEv2
Any updates please? I do have the same issue.
Please vote here too if you haven't already https://github.com/docker/distribution/issues/3041
ditto
+1
This is ridiculous. I posted a workaround in another repo, but customers should not have to hack the base Docker registry image to get a binary that is compliant with current standards. Let's Encrypt stopped supporting ACME v1 almost 18 months ago, and the binary in the image is over 2 years old per the history on this repo. Please take the time to fix the binary and do right by your userbase, or it won't be a surprise when they dump Docker for podman.
Well, I am about to do just that.
Worked around this ticket long ago by placing Traefik in front of the registry (be aware of its automatic reporting enabled by default!)
For the registry, looking into running Project Quay meanwhile. Access Controls is also a thing...
@wilminator there is no such thing as "customers" of distribution. distribution has never been a product, but rather an OSS project. Besides, distribution has been recently donated to CNCF and is currently in the process of sorting out some things so that the project can get back to better shape than it is now.
It's compatible with Let's Encrypt; you have to map
environment:
  REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: "/certs/live/registry.you-domain.com/fullchain.pem"
  REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/live/registry.you-domain.com/fullchain.pem"
  REGISTRY_HTTP_TLS_KEY: "/certs/live/registry.you-domain.com/privkey.pem"
volumes:
  - "/etc/letsencrypt:/certs"
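
Added example, not part of the thread or of the distribution project: a small linter that tells apart the two setups discussed above, the built-in ACME client from the first post and the externally issued certificate files from the last one. The function names and the sample data are assumptions constructed from the settings quoted in the thread; the `live/` check relies on certbot storing symlinks there that point into `../../archive`.

```python
import posixpath

ACME_PREFIX = "REGISTRY_HTTP_TLS_LETSENCRYPT_"  # settings of the built-in client
CERT, KEY = "REGISTRY_HTTP_TLS_CERTIFICATE", "REGISTRY_HTTP_TLS_KEY"


def parse_volumes(volumes):
    """Split 'host:container[:mode]' strings into (host, container) pairs."""
    pairs = []
    for spec in volumes:
        parts = spec.split(":")
        if len(parts) >= 2:
            pairs.append((parts[0], posixpath.normpath(parts[1])))
    return pairs


def is_mounted(path, pairs):
    """True if path lies inside some container-side mount point."""
    path = posixpath.normpath(path)
    return any(path == c or path.startswith(c.rstrip("/") + "/") for _, c in pairs)


def lint_registry_tls(environment, volumes):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    pairs = parse_volumes(volumes)
    for name in sorted(environment):
        if name.startswith(ACME_PREFIX):
            findings.append(f"{name}: built-in ACME client; registry:2 fails with the ACMEv1 403 quoted above")
    cert, key = environment.get(CERT), environment.get(KEY)
    if bool(cert) != bool(key):
        findings.append(f"{CERT} and {KEY} must be set together")
    for name, path in ((CERT, cert), (KEY, key)):
        if path and not is_mounted(path, pairs):
            findings.append(f"{name}: {path} is not inside any mounted volume")
    for host, _ in pairs:
        # certbot's live/ directory holds symlinks into ../../archive
        if "live" in host.strip("/").split("/"):
            findings.append(f"{host}: mount the parent of live/ so certbot symlinks resolve")
    return findings


# Constructed from the two configurations quoted in the thread.
FIRST_POST = ({"REGISTRY_HTTP_ADDR": "0.0.0.0:5000",
               "REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE": "/etc/docker/registry/letsencrypt.json"},
              ["registry:/var/lib/registry"])
LAST_POST = ({CERT: "/certs/live/registry.you-domain.com/fullchain.pem",
              KEY: "/certs/live/registry.you-domain.com/privkey.pem"},
             ["/etc/letsencrypt:/certs"])
```

Calling `lint_registry_tls(*FIRST_POST)` flags the built-in client setting, while `lint_registry_tls(*LAST_POST)` returns an empty list.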