diff options
Diffstat (limited to 'content/devops/docker_private_registry.rst')
| -rw-r--r-- | content/devops/docker_private_registry.rst | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/content/devops/docker_private_registry.rst b/content/devops/docker_private_registry.rst new file mode 100644 index 0000000..ecfc828 --- /dev/null +++ b/content/devops/docker_private_registry.rst @@ -0,0 +1,55 @@ +Docker Private Registry and Self Signed Certificates +#################################################### + +:date: 2018-04-14 19:47 +0530 +:author: copyninja +:slug: docker-registry-selfsigned-cert +:tags: docker, container, openssl +:summary: Post describes additional steps that needs to be taken + while generating a self signed certificates for docker private + registry. + +I was recently experimenting with hosting a private registry on an internal LAN +network for publishing docker private images. I found out that *docker-pull* +works only with TLS secured registry. There is possible to run insecure registry +by editing *daemon.json* file but its better to use self-signed certificates +instead. + +Once I followed the step and started registry I tried to *docker-pull* and it +started complaining about certificate not having any valid names. But this same +certificate worked fine with browsers too, of course you need to add exception +but no other errors were encountered. + +`Documentation <https://docs.docker.com/registry/insecure/>`_ for Docker does +not speaks any specific settings needs to be done prior to generating a +self-signed certificate so I was bit confused at beginning.A bit of searching +showed up following `issue <https://github.com/docker/for-linux/issues/248>`_ +filed against docker and then later re-assigned against `*Golang* +<https://github.com/golang/go/issues/24293>`_ for its method of handling x509 +certificate. It appears that with valid *Subject Alternative Name* Go crypto +library ignores the *Common Name*. + +From thread on `Security Stack Exchange +<https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line>`_ +I found the command to create a self-signed certificate to contain self-signed +certificate. Command in excepted answer does not work until you add +*--extensions* option to it as mentioned in one of the comments. Full command is +as shown below. + +.. code-block:: shell + + openssl req -new -sha256 -key domain.key \ + -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" \ + -reqexts SAN -extensions SAN \ + -config \ + <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) -out domain.crt + + +You would need to replace values in *-subj* and under *[SAN]* extension. Benefit +of this command is you need not modify the */etc/ssl/openssl.conf* file. + +If you do not have a domain name for the registry and using IP address instead +consider replacing *[SAN]* section in above command to have *IP: <ip-address>* +instead of *DNS*. + +Happy hacking.! |