This repository has been archived by the owner on Sep 12, 2018. It is now read-only.

Secured (TLS + Auth) private docker registry access (invalid registry endpoint) #1079

Open
jeusdi opened this issue Jul 6, 2016 · 0 comments


jeusdi commented Jul 6, 2016

Issue Report

I've created a private Docker registry with TLS and authorization. I run this container in order to start it:

```
$ docker run -d -p 5000:5000 --restart=always --name registry \
      -v /root/docker-registry/auth:/auth \
      -e "REGISTRY_AUTH=htpasswd" \
      -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
      -v /root/docker-registry/certs:/certs \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
      -v /root/docker-registry/data:/var/lib/registry \
      registry:2
```

Everything seems to be right:

```
$ netstat -tupln | grep 5000
tcp6       0      0 :::5000       :::*      LISTEN      3160/docker-proxy
$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                          PORTS                    NAMES
27e79f6a504c        registry:2          "/bin/registry serve "   About an hour ago   Restarting (2) 36 minutes ago   0.0.0.0:5000->5000/tcp   registry
```

So the registry is running and listening on port 5000.

On the other hand, I set up a CoreOS instance and, according to this documentation, I've added a .docker/config.json with authentication in the docker user's home with this content:

```
{
    "https://x.x.x.x:5000/": {
            "auth": "xxxxxxxxxxxxxxx=",
            "email": "[email protected]"
    }
}
```

I've already added the certificate (ca.crt) to /etc/ssl/certs and to /etc/docker/certs.d/x.x.x.x:5000/.

From this CoreOS instance, I'm trying to run this:

```
$ docker login https://x.x.x.x:5000
Username: xxx
Password:
Email: [email protected]
```

And it tells me:

```
Error response from daemon: invalid registry endpoint https://x.x.x.x:5000/v0/: unable to ping registry endpoint https://x.x.x.x:5000/v0/
v2 ping attempt failed with error: Get https://x.x.x.x:5000/v2/: EOF
v1 ping attempt failed with error: Get https://x.x.x.x:5000/v1/_ping: EOF. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry x.x.x.x:5000 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/x.x.x.x:5000/ca.crt
```

I've also tried to open the connection directly with openssl:

```
openssl s_client -connect x.x.x.x:5000
```

The output is:

```
CONNECTED(00000003)
140180300502672:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

---
no peer certificate available

---
No client certificate CA names sent

---
SSL handshake has read 0 bytes and written 308 bytes

---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1467812448
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

---
```

CoreOS Version

```
NAME=CoreOS
ID=coreos
VERSION=1010.6.0
VERSION_ID=1010.6.0
BUILD_ID=2016-06-28-0910
PRETTY_NAME="CoreOS 1010.6.0 (MoreOS)"
ANSI_COLOR="1;32"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://github.com/coreos/bugs/issues"
```

Environment

VM machine provided on VirtualBox by Vagrant.
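Added example, not part of the issue or of the registry project: a Python probe that performs the same `/v2/` ping `docker login` does and classifies the outcome, so that an EOF during the TLS handshake (what docker-proxy hands a client while the container behind it is stuck in `Restarting`, as the `docker ps` output above shows) can be told apart from an untrusted CA or a working registry answering 401 with `WWW-Authenticate`. The host, port and CA file path are assumptions; the listener that accepts and immediately hangs up is a constructed stand-in for the failing setup.

```python
import http.client
import socket
import ssl
import threading
from typing import Optional

def probe_registry(host: str, port: int, ca_file: Optional[str] = None,
                   timeout: float = 5.0) -> str:
    """Ping https://host:port/v2/ like `docker login` and classify the result:
    'backend-closed' (TCP accepted, then EOF/RST before or during the TLS
    handshake), 'untrusted-ca', 'tls-error', 'unreachable' (refused/timed out),
    'auth-required' (401 + WWW-Authenticate: TLS and htpasswd auth both work),
    'no-auth' (200: registry is open) or 'http-status:<code>'."""
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file path is assumed
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", "/v2/")
        resp = conn.getresponse()
    except ssl.SSLCertVerificationError:
        return "untrusted-ca"
    except ssl.SSLError as exc:  # covers OpenSSL's UNEXPECTED_EOF_WHILE_READING
        if isinstance(exc, ssl.SSLEOFError) or "EOF" in str(exc):
            return "backend-closed"
        return "tls-error"
    except (ConnectionResetError, ConnectionAbortedError, BrokenPipeError):
        return "backend-closed"
    except OSError:
        return "unreachable"
    finally:
        conn.close()
    if resp.status == 401 and resp.getheader("WWW-Authenticate"):
        return "auth-required"
    if resp.status == 200:
        return "no-auth"
    return f"http-status:{resp.status}"

def start_closing_listener() -> int:
    """Constructed stand-in for the broken setup: accept TCP, then hang up.
    Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve() -> None:
        while True:
            client, _ = srv.accept()
            client.close()  # no TLS ever starts: the client sees EOF or RST
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo_backend_closed() -> str:
    """Reproduce the issue's EOF symptom against the constructed listener."""
    return probe_registry("127.0.0.1", start_closing_listener(), timeout=3.0)
```

Against a correctly running registry with the CA from certs.d passed as `ca_file`, the expected result is `auth-required`; anything else points at the layer that is actually failing.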
