Configuring the Docker Registry with a Letsencrypt Certificate

I am creating a domain registry as described here:

https://docs.docker.com/registry/deploying/

I generated a certificate for docker.mydomain.com and launched docker using my command on my server:

  docker run -d -p 5000:5000 --restart=always --name registry \
    -v `pwd`/certs:/certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    registry:2

I started the container and pointed it at the certificates obtained with Let's Encrypt ( https://letsencrypt.org/ ).

Now, when I go to https://docker.mydomain.com/10000/v2/ , I get a page with "{}" with a green lock (successful request for a secure page).

But when I try to run docker login docker.mydomain.com:5000 from another server, I see an error in the registry container's log:

  TLS handshake error from xxx.xxx.xxx.xxx:51773: remote error: bad certificate 

I tried several different certificate configuration options and got errors like:

 remote error: unknown certificate authority 

and

  tls: first record does not look like a TLS handshake 

What am I missing?

+5
1 answer

Docker does not support SNI: https://github.com/docker/docker/issues/9969

Update: Docker should now support SNI.

This means that when connecting to your server during the TLS handshake, the Docker client does not indicate the domain name, so your server presents its default certificate.

The solution may be to change the default certificate of your server to one valid for the docker domain.

To check whether your (sub)domain works with clients that do not support SNI, you can use ssllabs.com/ssltest: if you do NOT see the message "This site works only in browsers with SNI support", then it will work.

+4
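The answer's point is that a client which omits the server_name (SNI) extension from its ClientHello gives the server no way to choose a certificate, so the server falls back to its default one. The following is an added example, not code from the question, the answer, or the Docker project: it builds constructed ClientHello records (with and without SNI) and a constructed plaintext HTTP request, then parses the first TLS record the way a server sees it, reporting whether it is a TLS handshake at all, and if so which server name, if any, the client asked for. The hostname, cipher suites and random bytes are made-up sample values. The "first record does not look like a TLS handshake" wording mirrors the error the registry logs when the first bytes on the TLS port are not a TLS record (for instance a plaintext HTTP request).

```python
import struct

# Constructed plaintext request, as a client would send it to the TLS port by
# mistake (for example docker login against an http:// registry URL).
PLAINTEXT_HTTP_REQUEST = b"GET /v2/ HTTP/1.1\r\nHost: docker.mydomain.com:5000\r\n\r\n"

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type


def build_client_hello(server_name=None, random_bytes=b"\x11" * 32):
    """Build a minimal TLS 1.2 ClientHello record (constructed, not captured).

    server_name=None mimics a client that does not send SNI.
    """
    body = b"\x03\x03" + random_bytes          # client_version + random
    body += b"\x00"                            # empty session_id
    cipher_suites = b"\xc0\x2f\xc0\x30"        # sample suites, any values work
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                        # compression_methods: null only
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Inspect the first record a server receives.

    Returns {"tls": bool, "sni": str or None, "reason": str or None}.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return {"tls": False, "sni": None,
                "reason": "first record does not look like a TLS handshake"}
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return {"tls": True, "sni": None, "reason": "handshake message is not a ClientHello"}
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                           # skip compression_methods
    if pos + 2 > len(body):
        return {"tls": True, "sni": None, "reason": "ClientHello carries no extensions"}
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            name = edata[q:q + nlen]
            q += nlen
            if ntype == 0:                         # host_name entry
                return {"tls": True, "sni": name.decode("ascii"), "reason": None}
    return {"tls": True, "sni": None,
            "reason": "ClientHello carries no server_name extension; "
                      "the server will present its default certificate"}


if __name__ == "__main__":
    samples = {
        "client with SNI": build_client_hello("docker.mydomain.com"),
        "client without SNI": build_client_hello(),
        "plaintext HTTP": PLAINTEXT_HTTP_REQUEST,
    }
    for label, record in samples.items():
        print(label, "->", parse_client_hello(record))
```

Running the script shows the three situations side by side: the SNI-capable client names docker.mydomain.com, the SNI-less client names nothing (which is why a server holding several certificates would hand it the default one), and the plaintext request is rejected before any certificate is involved. The same parser can be pointed at the first bytes captured from a real connection to tell these cases apart in a registry's logs.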

Source: https://habr.com/ru/post/1240244/
