docker-registry
docker-registry copied to clipboard
docker-archive
Secured (TLS + Auth) private docker registry access (invalid registry endpoint)
Issue Report
I've created a private docker registry with TLS and authorization: I perform this container in order to start it:
$ docker run -d -p 5000:5000 --restart=always --name registry \
-v /root/docker-registry/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /root/docker-registry/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
-v /root/docker-registry/data:/var/lib/registry \
registry:2
Everything seems to be right:
$ netstat -tupln | grep 5000
tcp6 0 0 :::5000 :::* LISTEN 3160/docker-proxy
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
27e79f6a504c registry:2 "/bin/registry serve " About an hour ago Restarting (2) 36 minutes ago 0.0.0.0:5000->5000/tcp registry
So registry is running and listening on port 5000.
By other hand, I set up a coreOS instance and according to this documentation I've added a .docker/config.json with authentication on docker user home with this content:
{
"https://x.x.x.x:5000/": {
"auth": "xxxxxxxxxxxxxxx=",
"email": "[email protected]"
}
}
I've already added the certificate (ca.crt) in /etc/ssl/certs and in /etc/docker/certs.d/x.x.x.x:5000/.
From this CoreOS instance, I'm trying to perform that:
$ docker login https://x.x.x.x:5000
Username: xxx
Password:
Email: [email protected]
And it tells me:
Error response from daemon: invalid registry endpoint https://x.x.x.x:5000/v0/: unable to ping registry endpoint https://x.x.x.x:5000/v0/ v2 ping attempt failed with error: Get https://x.x.x.x:5000/v2/: EOF v1 ping attempt failed with error: Get https://x.x.x.x:5000/v1/_ping: EOF. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add
--insecure-registry x.x.x.x:5000to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/x.x.x.x:5000/ca.crt
I've also tried to get the connection directly with openssl:
openssl s_client -connect x.x.x.x:5000
The output is:
```
CONNECTED(00000003)
140180300502672:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1467812448
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
```
CoreOS Version
NAME=CoreOS
ID=coreos
VERSION=1010.6.0
VERSION_ID=1010.6.0
BUILD_ID=2016-06-28-0910
PRETTY_NAME="CoreOS 1010.6.0 (MoreOS)"
ANSI_COLOR="1;32"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://github.com/coreos/bugs/issues"
Environment
VM machine provided on VirtualBox by Vagrant.
