Can an insecure docker registry be given a CA signed certificate so that clients automatically trust it?

Currently, I have set up the registry as follows:

docker run -d \
  -p 10.0.1.4:443:5000 \
  --name registry \
  -v `pwd`/certs/:/certs \
  -v `pwd`/registry:/var/lib/registry \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/certificate.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/private.key \
  registry:latest

Using Docker version 17.06.2-ce, build cec0b72

I have obtained my certificate.crt, private.key and ca_bundle.crt from Let's Encrypt. When using these certificates on an nginx server, I have been able to establish https connections without having to explicitly trust the certificate on the client machine/browser.

Is it possible to set up the user experience with a docker registry similar to that of a CA-certified website accessed over https, where the browser/machine trusts the root CA and the certificates up the chain, including mine?

Note:

I could of course specify the certificate in the client docker files as described in this tutorial: https://docs.docker.com/registry/insecure/#use-self-signed-certificates. However, that is not a solution that meets my needs.

Output of curl -v https://docks.behar.cloud/v2/:

*   Trying 10.0.1.4...
* TCP_NODELAY set
* Connected to docks.behar.cloud (10.0.1.4) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: docks.behar.cloud
* Server certificate: Let's Encrypt Authority X3
* Server certificate: DST Root CA X3
> GET /v2/ HTTP/1.1
> Host: docks.behar.cloud
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Length: 2
< Content-Type: application/json; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
< X-Content-Type-Options: nosniff
< Date: Sun, 10 Sep 2017 23:05:01 GMT
< 
* Connection #0 to host docks.behar.cloud left intact

Short answer: Yes. My issue was caused by my OS not having built-in trust of the root certificate by which my SSL certificate was signed. This is likely due to the age of my OS. See the answer from Matt for more information.

Docker will normally use the CA bundle provided by the OS, so a certificate signed by a trusted root works without additional configuration.

Let's Encrypt certificates are cross-signed by an IdenTrust root certificate (DST Root CA X3), so most CA bundles should already trust their certificates. The Let's Encrypt root cert (ISRG Root X1) is also distributed, but since it is newer it is not yet as widespread.

Docker 1.13+ will use the host system CA bundle to verify certificates. Prior to 1.13 this may not happen if you have installed a custom root cert. So if you can use curl without any TLS warnings, the docker command should work as well.
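The check described above (does the OS trust store contain the root the Let's Encrypt chain anchors at, and does a plain TLS handshake against the registry verify with that store alone?) as an added example, not code from the question or any answer. It uses only the Python standard library; `docks.behar.cloud` is the hostname from the question and is a placeholder to replace.

```python
import socket
import ssl

# Root CAs seen in the curl output on this page; an old OS bundle may lack one.
LETS_ENCRYPT_ROOTS = ("DST Root CA X3", "ISRG Root X1")


def trusted_root_names() -> list:
    """Common names of the root CAs in the OS bundle, as the default context loads it."""
    ctx = ssl.create_default_context()  # same system trust store Docker 1.13+ uses
    names = []
    for cert in ctx.get_ca_certs():
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def root_trust_report(roots=LETS_ENCRYPT_ROOTS) -> dict:
    """Map each root CA name to whether the OS bundle contains it."""
    present = set(trusted_root_names())
    return {name: name in present for name in roots}


def probe_registry(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """TLS handshake using OS trust only, like a docker client pulling from host:port.

    Returns the leaf certificate's issuer CN on success, or the verification error.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(attr[0] for attr in cert["issuer"])
                return {"trusted": True, "issuer": issuer.get("commonName"), "error": None}
    except ssl.SSLCertVerificationError as exc:  # chain did not anchor in the OS bundle
        return {"trusted": False, "issuer": None, "error": exc.verify_message}
    except OSError as exc:  # unreachable host, refused connection, other TLS failure
        return {"trusted": False, "issuer": None, "error": str(exc)}


if __name__ == "__main__":
    for name, ok in root_trust_report().items():
        print(f"{name}: {'present' if ok else 'MISSING'} in the OS trust store")
    print(probe_registry("docks.behar.cloud"))  # placeholder host from the question
```

If the report shows the root missing, updating the OS `ca-certificates` package is the fix; adding the registry to `insecure-registries` only hides the verification failure.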

To get DTR to recognize the certificates you need to edit the configuration file so that you specify your certs correctly. DTR accepts and has special parameters for Let's Encrypt certs. They also have specific requirements for them. You will need to make a configuration file and mount the appropriate directory, so that there are no further problems with insecure-registry errors and unrecognized certificates.

...
http:
  addr: localhost:5000
  prefix: /my/nested/registry/
  host: https://myregistryaddress.org:5000
  secret: asecretforlocaldevelopment
  relativeurls: false
  tls:
    certificate: /path/to/x509/public
    key: /path/to/x509/private
    clientcas:
      - /path/to/ca.pem
      - /path/to/another/ca.pem
    letsencrypt:
      cachefile: /path/to/cache-file
      email: emailused@letsencrypt.com
    ...