How to get Clair to trust a self-signed cert
Hi,
Perhaps I am missing a vital step, but given Docker's preference for secure registries, I have a self-signed cert which is located in /etc/docker/certs.d/<host.domain>/ca.crt and have extended Clair to pick this up in a mapped volume (/usr/share/ca-certificates).
However, when it pulls a blob from the registry, it complains about the certificate being signed by an unknown authority. The ca.cert is a concatenation of the server cert and the root CA cert.
Are there some additional steps to make it add this self-signed certificate to its truststore?
(Yes, I know, a real certificate would work, but for internal purposes, I do not need one.)
You can turn off TLS checking in Clair by adding --insecure-tls as a command line argument that Clair uses to run, e.g.:
command: [--log-level=debug, --config, /config/config.yml, --insecure-tls]
There's more information here, including, I think, where to add the certificates in the config.yml file if you're unhappy with insecure TLS.
Hi, unfortunately when I try this I get the following error:
flag provided but not defined: -insecure-tls
Usage of /clair:
  -config string
        Load configuration from the specified file. (default "/etc/clair/config.yaml")
  -cpu-profile string
        Write a CPU profile to the specified file before exiting.
  -log-level string
        Define the logging level. (default "info")
Can you please let me know if you are able to fix this error? I'm facing the same issue.