0 votes

I have read all the references here and those from a Google search, and have been unable to get my registry accessible using a CA-signed certificate. Here is what I have:

Apache proxy (I have tried various configs, none of which have any effect on docker):

Listen dockerrepo.xxxxx.xxxxx.xxxxx.com:5000 https
ServerName dockerrepo.xxxxx.xxxxx.xxxxx.com

SSLEngine on
SSLCertificateFile    /etc/httpd/certs/DockerRepoCAKeyCert.crt
SSLCACertificateFile  /etc/httpd/certs/DockerRepoCAKeyCert.crt
SSLCertificateKeyFile /etc/httpd/certs/DockerRepoCAKeyCert.crt
SSLCipherSuite AES128-SHA,AES256-SHA,AES128-GCM-SHA256,AES256-GCM-SHA384
SSLProtocol all -SSLv3 -SSLv2 -TLSv1

Header always set "Docker-Distribution-Api-Version" "registry/2.0"
Header onsuccess set "Docker-Distribution-Api-Version" "registry/2.0"
RequestHeader set X-Forwarded-Proto "https"

ProxyPreserveHost on
ProxyPass        /v2 http://127.0.0.1:5000/v2
ProxyPassReverse /v2 http://127.0.0.1:5000/v2

I start the registry:

prod=registry
ver=2.1.1
docker load --input /home/docker/docker_${prod}-${ver}.tar
docker run -d --privileged=true \
  -e GUNICORN_OPTS="[--preload]" \
  -p 127.0.0.1:5000:5000 \
  --restart=always \
  -v /home/docker/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/DockerRepoCACert.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/client-private-key-nopassphrase.pem \
  -v /home/docker/prodRepo/data:/tmp/registry-dev \
  --name docker-registry ${prod}:${ver}

Registry and Apache start fine. When I push I get this:

[root@dockerrepo dockerrepo:5000]# docker push dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/registry:2.1.1
The push refers to a repository [dockerrepo.internal.acp.arris.com:5000/registry] (len: 1)
unable to ping registry endpoint https://dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/v0/
v2 ping attempt failed with error: Get https://dockerrepo.xxxxx.xxxxx.xxxx.com:5000/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://dockerrepo.xxxxx.xxxxxx.xxxxx.com:5000/v1/_ping: x509: certificate signed by unknown authority

I have tried combining the domain, intermediate/sub and root certs in all combinations, but I can't seem to get this to work. I suspect I am doing something silly, but I can't see what. Any help is appreciated.

After checking, I realized I had not added my cert to the CA trust. After doing this, I now get this error:

[root@dockerrepo anchors]# docker push dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/registry:2.1.1
The push refers to a repository [dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/registry] (len: 1)
1e847b14150e: Buffering to Disk
Received unexpected HTTP status: 502 Proxy Error

1 Answer

0 votes

Did you make sure that the CA certificate is in the following directory on the host?

   /etc/docker/certs.d/<registry-host>:<registry-port>/
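The trust problem behind the first error, and the fix the answer describes, as an added example that is not part of the question, the answer or the registry project. It is written in Go because docker and the registry are Go programs and "x509: certificate signed by unknown authority" is Go's own crypto/x509 error. The program mints a throwaway CA and a server certificate (example-only PKI, not anyone's real certificates), serves the /v2/ ping over TLS with that certificate on an in-process httptest listener standing in for the registry, and runs the same GET /v2/ that docker push starts with: once with an empty trust store, which fails with exactly that error, and again after ca.crt has been written to a certs.d/<host>:<port>/ directory and loaded from there. A temp directory stands in for /etc/docker/certs.d so no root is needed; the host:port, the CommonNames and the function names are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"time"
)

func must[T any](v T, err error) T { // panic on error: acceptable for example-only PKI setup
	if err != nil {
		panic(err)
	}
	return v
}

// newPKI mints a throwaway CA and a leaf certificate for 127.0.0.1 (where httptest listens).
// caPEM is what would be copied to /etc/docker/certs.d/<host>:<port>/ca.crt on a real host.
func newPKI() (caPEM []byte, leaf tls.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	}
	caTpl := tpl(1, "example registry CA")
	caTpl.IsCA, caTpl.BasicConstraintsValid, caTpl.KeyUsage = true, true, x509.KeyUsageCertSign
	caDER := must(x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey))
	leafTpl := tpl(2, "registry.example.test")
	leafTpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")} // the SAN the TLS client checks
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTpl, must(x509.ParseCertificate(caDER)), &leafKey.PublicKey, caKey))
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return caPEM, tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}
}

// startRegistry serves the /v2/ ping over TLS with leaf, answering as a v2 registry does.
func startRegistry(leaf tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Docker-Distribution-Api-Version", "registry/2.0")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	srv.StartTLS()
	return srv
}

// installRegistryCA does what the answer says: writes <certsDir>/<host>:<port>/ca.crt
// (certsDir is /etc/docker/certs.d on a real host), then loads that file as dockerd would.
func installRegistryCA(certsDir, hostPort string, caPEM []byte) (*x509.CertPool, error) {
	caFile := filepath.Join(certsDir, hostPort, "ca.crt")
	if err := os.MkdirAll(filepath.Dir(caFile), 0o755); err != nil {
		return nil, err
	}
	if err := os.WriteFile(caFile, caPEM, 0o644); err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(must(os.ReadFile(caFile))) {
		return nil, fmt.Errorf("%s: no PEM certificate found", caFile)
	}
	return pool, nil
}

// probeV2 is the GET /v2/ ping docker does before a push, trusting only the CAs in roots.
func probeV2(baseURL string, roots *x509.CertPool) (int, string, error) {
	c := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
	resp, err := c.Get(baseURL + "/v2/")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("Docker-Distribution-Api-Version"), nil
}

// demo pings with an empty trust store (the question's x509 error), then installs ca.crt
// under a temp dir standing in for /etc/docker/certs.d and pings again.
func demo() (unknownAuthority bool, status int, apiVersion string, err error) {
	caPEM, leaf := newPKI()
	srv := startRegistry(leaf)
	defer srv.Close()
	_, _, pingErr := probeV2(srv.URL, x509.NewCertPool()) // nothing trusted yet
	unknownAuthority = errors.As(pingErr, new(x509.UnknownAuthorityError))
	certsDir := must(os.MkdirTemp("", "certs.d-"))
	defer os.RemoveAll(certsDir)
	roots, err := installRegistryCA(certsDir, srv.Listener.Addr().String(), caPEM)
	if err != nil {
		return
	}
	status, apiVersion, err = probeV2(srv.URL, roots)
	return
}

func main() { fmt.Println(demo()) }
```

The CA in certs.d only affects docker; `curl --cacert ca.crt https://<host>:<port>/v2/` against the real endpoint is the quickest way to confirm that what the front end serves actually chains to that CA. A separate caveat from the question's own `docker run` line: with REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY set, the registry container terminates TLS itself on 127.0.0.1:5000, while the Apache ProxyPass targets http://127.0.0.1:5000/v2. A plaintext backend request to a TLS listener is one common way to end up with mod_proxy's "502 Proxy Error"; either drop the REGISTRY_HTTP_TLS_* variables so that Apache alone terminates TLS, or proxy to https://127.0.0.1:5000/v2 with SSLProxyEngine on.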