docker-gitlab
gitlab docker registry exception
I configured it as described in https://github.com/sameersbn/docker-gitlab/blob/master/docs/container_registry.md, but when I visit the GitLab project registry, it throws an exception:
postgresql_1 | LOG: autovacuum launcher started
registry_1 | 2017/08/01 03:17:24 http: TLS handshake error from 172.18.0.5:44478: remote error: unknown certificate authority
registry_1 | 2017/08/01 03:17:24 http: TLS handshake error from 172.18.0.5:44482: remote error: unknown certificate authority
registry_1 | time="2017-08-01T03:15:57.86794915Z" level=info msg="redis not configured" go.version=go1.6.2 instance.id=75361df8-2d83-4127-b341-7dc0b01aac68 service=registry version=v2.4.1
registry_1 | time="2017-08-01T03:15:57.868189065Z" level=info msg="Starting upload purge in 43m0s" go.version=go1.6.2 instance.id=75361df8-2d83-4127-b341-7dc0b01aac68 service=registry version=v2.4.1
registry_1 | time="2017-08-01T03:15:57.917945306Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.6.2 instance.id=75361df8-2d83-4127-b341-7dc0b01aac68 service=registry version=v2.4.1
registry_1 | time="2017-08-01T03:15:57.973284849Z" level=info msg="listening on [::]:5000, tls" go.version=go1.6.2 instance.id=75361df8-2d83-4127-b341-7dc0b01aac68 service=registry version=v2.4.1
registry_1 | 2017/08/01 03:17:24 http: TLS handshake error from 172.18.0.5:44478: remote error: unknown certificate authority
registry_1 | 2017/08/01 03:17:24 http: TLS handshake error from 172.18.0.5:44482: remote error: unknown certificate authority
registry_1 | time="2017-08-01T03:23:17.689118547Z" level=info msg="redis not configured" go.version=go1.6.2 instance.id=58ea19bc-081a-4d7f-bc70-b61e09a576eb service=registry version=v2.4.1
registry_1 | time="2017-08-01T03:23:17.68913287Z" level=info msg="Starting upload purge in 21m0s" go.version=go1.6.2 instance.id=58ea19bc-081a-4d7f-bc70-b61e09a576eb service=registry version=v2.4.1
registry_1 | time="2017-08-01T03:23:17.70543504Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.6.2 instance.id=58ea19bc-081a-4d7f-bc70-b61e09a576eb service=registry version=v2.4.1
registry_1 | time="2017-08-01T03:23:17.70681793Z" level=info msg="listening on [::]:5000, tls" go.version=go1.6.2 instance.id=58ea19bc-081a-4d7f-bc70-b61e09a576eb service=registry version=v2.4.1
registry_1 | 2017/08/01 03:23:46 http: TLS handshake error from 172.18.0.5:44498: remote error: unknown certificate authority
registry_1 | 2017/08/01 03:23:47 http: TLS handshake error from 172.18.0.5:44508: remote error: unknown certificate authority
Have you resolved your issue?
It looks like your registry does not recognize your certificates:
registry_1 | 2017/08/01 03:17:24 http: TLS handshake error from 172.18.0.5:44478: remote error: unknown certificate authority
registry_1 | 2017/08/01 03:17:24 http: TLS handshake error from 172.18.0.5:44482: remote error: unknown certificate authority
registry_1 | 2017/08/01 03:17:24 http: TLS handshake error from 172.18.0.5:44478: remote error: unknown certificate authority
registry_1 | 2017/08/01 03:17:24 http: TLS handshake error from 172.18.0.5:44482: remote error: unknown certificate authority
registry_1 | 2017/08/01 03:23:46 http: TLS handshake error from 172.18.0.5:44498: remote error: unknown certificate authority
registry_1 | 2017/08/01 03:23:47 http: TLS handshake error from 172.18.0.5:44508: remote error: unknown certificate authority
Have you shared your certificates between each container? https://github.com/sameersbn/docker-gitlab/blob/master/docs/container_registry.md#signed-certificate
I've followed https://github.com/sameersbn/docker-gitlab/blob/master/docs/container_registry.md to the letter, and I've got the self-signed certs in place.
My runner has no problem in pushing an image to the registry:
However, the gitlab instance seems to have an issue with the cert CA, more specifically when trying to connect from the gitlab docker container to the registry container.
This is evident here when the dashboard is loaded and I try to view the "Container registry" page for a project:
Running some tests:
$ docker exec -ti docker-gitlab-gitlab-1 /bin/bash
root@66b63025e473:/home/git/gitlab# curl -v https://registry.gitlab.intranet:5000
# snip...
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: registry.gitlab.intranet:5000
> User-Agent: curl/7.68.0
> Accept: */*
From the host, as I've added the CA to the Debian host:
$ openssl s_client -cert /srv/docker-gitlab/certs/cert.pem \
-key /srv/docker-gitlab/certs/cert_key.pem \
-CAfile /srv/docker-gitlab/certs/ca_bundle.pem \
-connect registry.gitlab.intranet:5000 | grep "Verification"
# snip...
Verification: OK
@sachilles any idea re. the above?
Figured it out. The registry is hosted at port 80. Place nginx and proxy TLS across. Easy peasy, took me hours to get it to work!
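Added example, not part of the thread or of docker-gitlab: a triage of registry log lines like the ones quoted above. In Go's TLS stack, "remote error" marks an alert sent by the connecting peer, so the address in such a line identifies the client that rejected the certificate the registry presented. The function names, the 172.18.0.9 lines and their timestamps are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first two lines copy the format quoted in the thread,
# the 172.18.0.9 lines are invented to show the other outcomes.
SAMPLE_LOG = """\
registry_1 | 2017/08/01 03:17:24 http: TLS handshake error from 172.18.0.5:44478: remote error: unknown certificate authority
registry_1 | 2017/08/01 03:17:24 http: TLS handshake error from 172.18.0.5:44482: remote error: unknown certificate authority
registry_1 | time="2017-08-01T03:23:17.70681793Z" level=info msg="listening on [::]:5000, tls" service=registry
registry_1 | 2017/08/01 03:24:02 http: TLS handshake error from 172.18.0.9:50112: remote error: tls: bad certificate
registry_1 | 2017/08/01 03:24:05 http: TLS handshake error from 172.18.0.9:50120: EOF
"""

HANDSHAKE = re.compile(r"TLS handshake error from (?P<ip>\S+):(?P<port>\d+): (?P<detail>.+)$")
# Newer Go releases prefix the alert text with "tls: "; the thread's v2.4.1 log does not.
PEER_ALERT = re.compile(r"^remote error: (?:tls: )?(?P<alert>.+)$")


def triage(log_text):
    """Count handshake failures keyed by (client_ip, origin, reason)."""
    findings = Counter()
    for line in log_text.splitlines():
        match = HANDSHAKE.search(line)
        if not match:
            continue  # startup/info lines are not handshake failures
        detail = match.group("detail").strip()
        alert = PEER_ALERT.match(detail)
        if alert:
            # The client aborted: it did not accept the certificate the registry presented.
            findings[(match.group("ip"), "peer-alert", alert.group("alert"))] += 1
        else:
            # Error raised on the registry side (for example, the connection just dropped).
            findings[(match.group("ip"), "local", detail)] += 1
    return findings


def clients_missing_ca(log_text):
    """Client addresses whose trust store lacks the CA that signed the registry certificate."""
    return sorted({ip for ip, origin, reason in triage(log_text)
                   if origin == "peer-alert" and reason == "unknown certificate authority"})


if __name__ == "__main__":
    for (ip, origin, reason), count in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:<12} {origin:<10} {count}x {reason}")
    print("install the registry CA on:", clients_missing_ca(SAMPLE_LOG))
```

Mapping each reported address back to a container (here 172.18.0.5 on the compose network) shows which trust store needs the CA bundle.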