docker --insecure-registry flag not working as expected

14
votes

The instructions for private registries with self signed certs state when logging in:

FATA[0005] Error response from daemon: v1 ping attempt failed with error: Get https://registry:8443/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry registry:8443 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/registry:8443/ca.crt

I tried that but got another error about the IP not being in the subject. So I fixed that error and now get:

FATA[0006] Error response from daemon: Server Error: Post https://registry:8443/v1/users/: x509: certificate signed by unknown authority

Where registry is the IP of the registry.

I then placed "--insecure-registry registry:8443" in /etc/default/docker and restarted the daemon

I've verified it's taken the setting.

root 6865 1 0 12:47 ? 00:00:00 /usr/bin/docker -d --insecure-registry registry:8443

But docker login still produces this error:

FATA[0006] Error response from daemon: Server Error: Post https://registry:8443/v1/users/: x509: certificate signed by unknown authority

Does insecure-registry work differently than I thought and how do I get around it?

And yes, I need HTTPS. It's a private registry but on a public IP. Is the only way forward to create a proper DNS entry with a real cert?

5
docker
+1 for this question. Currently I don't need HTTPS (and --insecure-registry works well), but I will have to enable this feature at an early date. - Vitaly Isaev
And in the end I couldn't solve it as described. Instead, I added a DNS entry and a real cert and that fixed it for me. I'd still like to know how you deploy self signed though. - hookenz
if this guide won't help me, I guess I'll have to deploy my own Certificate Authority and configure my environment to trust them (probably will use FreeIPA for that purpose) - Vitaly Isaev

5 Answers

8
votes

Recommended Way Docker 17.xx +

There are a number of ways to configure the daemon flags and environment variables for your Docker daemon. The recommended way is to use the platform-independent daemon.json file, which is located in /etc/docker/ on Linux by default.

So, for configuring insecure registries, do the following:

  1. Set the following flag in the daemon.json file:

    {
    "insecure-registries": ["registry:8443"]
}

  2. Restart Docker 

     $ sudo systemctl restart docker

That's it!

6
votes

YES! I've found the problem!

You need to fix /etc/systemd/system/multi-user.target.wants/docker.service. Currently it doesn't take $OPTIONS into consideration when starting docker. So mine now looks like this:

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker.socket
Requires=docker.socket

[Service]
#The line below was missing $OPTIONS at the end!!!
ExecStart=/usr/bin/docker -d -H fd:// $OPTIONS
MountFlags=slave
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity

[Install]
WantedBy=multi-user.target

After that do the usual:

$ sudo systemctl daemon-reload 
$ sudo systemctl restart docker

and everything works now.

1
votes

Since I already upvoted this issue months ago, because I had the same problem, and now - hopefully - having a solution for it, I'd like the share with you the following paragraph I wrote for our private wiki...

Setup Private registries (with self-signed certificates)

In order to docker login to a private registry you have to distribute the certificate generated above to the Docker-nodes.

Download *.example.com wildcard cert and the intermediate cert for self-signed certs from haxx.se and restart the Docker daemon.

curl -k https://git.example.com/herzog/pub/raw/master/ssh/example.com.crt > /usr/local/share/ca-certificates/registry.example.com-ca.crt
curl http://curl.haxx.se/ca/cacert.pem > /usr/local/share/ca-certificates/cacert.pem
sudo update-ca-certificates
sudo service docker restart

Output example for CA update 

root@test1:~# sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 2 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

Login to the private registry

docker login --username registry --email [email protected] https://registry.example.com/v1

Notice! The registry host specified with https://.../v1 should work for docker and docker-compose

and pull an image

docker pull registry.example.com/namespace/image:1.0.0
1
votes

The best and also most platform-independent way is to use the /etc/docker/daemon.json configuration file.

Behold:

cat > /etc/docker/daemon.json <<DOCKERCONFIG
{
  "insecure-registries": ["registry:8443"]
}
DOCKERCONFIG
1
votes

my solution was:

  1. Modify /etc/docker/daemon.json as is mention before

  2. Modify permissions to: /etc/docker/daemon.json with

    sudo chmod -R 777 /etc/docker/daemon.json