From b33f14f2bbec247fd5b76f92fd933cd19008e3c3 Mon Sep 17 00:00:00 2001 From: Vasudev Kamath Date: Sat, 14 Apr 2018 20:09:14 +0530 Subject: New post on using docker private registry with self-signed certs. --- content/devops/docker_private_registry.rst | 55 ++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 content/devops/docker_private_registry.rst (limited to 'content/devops/docker_private_registry.rst') diff --git a/content/devops/docker_private_registry.rst b/content/devops/docker_private_registry.rst new file mode 100644 index 0000000..ecfc828 --- /dev/null +++ b/content/devops/docker_private_registry.rst 
@@ -0,0 +1,55 @@ +Docker Private Registry and Self Signed Certificates +#################################################### + +:date: 2018-04-14 19:47 +0530 +:author: copyninja +:slug: docker-registry-selfsigned-cert +:tags: docker, container, openssl +:summary: Post describes additional steps that needs to be taken + while generating a self signed certificates for docker private + registry. + +I was recently experimenting with hosting a private registry on an internal LAN +network for publishing docker private images. I found out that *docker-pull* +works only with TLS secured registry. There is possible to run insecure registry +by editing *daemon.json* file but its better to use self-signed certificates +instead. + +Once I followed the step and started registry I tried to *docker-pull* and it +started complaining about certificate not having any valid names. But this same +certificate worked fine with browsers too, of course you need to add exception +but no other errors were encountered. + +`Documentation `_ for Docker does +not speaks any specific settings needs to be done prior to generating a +self-signed certificate so I was bit confused at beginning.A bit of searching +showed up following `issue `_ +filed against docker and then later re-assigned against `*Golang* +`_ for its method of handling x509 +certificate. It appears that with valid *Subject Alternative Name* Go crypto +library ignores the *Common Name*. + +From thread on `Security Stack Exchange +`_ +I found the command to create a self-signed certificate to contain self-signed +certificate. Command in excepted answer does not work until you add +*--extensions* option to it as mentioned in one of the comments. Full command is +as shown below. + +.. 
code-block:: shell + + openssl req -new -sha256 -key domain.key \ + -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" \ + -reqexts SAN -extensions SAN \ + -config \ + <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) -out domain.crt + + +You would need to replace values in *-subj* and under *[SAN]* extension. Benefit +of this command is you need not modify the */etc/ssl/openssl.conf* file. + +If you do not have a domain name for the registry and using IP address instead +consider replacing *[SAN]* section in above command to have *IP: * +instead of *DNS*. + +Happy hacking.! -- cgit v1.2.3
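Review bot: the openssl command in the "code-block:: shell" section does not produce a self-signed certificate, because "openssl req -new" without -x509 writes a certificate signing request, so the file named domain.crt will hold a "BEGIN CERTIFICATE REQUEST" block that docker pull cannot load as a registry certificate; -extensions SAN is only honoured in -x509 mode (-reqexts SAN is the option that applies to a CSR), so the SAN workaround the post is about never reaches an actual certificate. Suggest: openssl req -new -x509 -days 365 -sha256 -key domain.key -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) -out domain.crt, with the leading "\n" in the printf so the [SAN] header is not glued to the last line of openssl.cnf when that file lacks a trailing newline, and -days given explicitly because the default for -x509 is 30 days. Smaller points in the same hunk: the prose calls the file */etc/ssl/openssl.conf* while the command reads /etc/ssl/openssl.cnf; the IP placeholder in "*IP: *" is empty, so the reader is not told the expected form (IP:192.0.2.10); and the `_ link targets for "Documentation", "issue", "*Golang*" and "Security Stack Exchange" are empty as committed, leaving the post with dead references.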