X509: certificate signed by unknown authority when using docker login from a remote machine

I am trying to access a private Nexus repository with docker login from a remote machine on the same network. Although I have followed the instructions in the Docker documentation, I still get the error x509: certificate signed by unknown authority.

I am on a CentOS 8 machine with Nexus OSS 3.29.2-02, and I have configured the repo according to the Configuring SSL documentation. I created a self-signed certificate with the Java keytool; it works when I access it from a browser on the same machine and from the remote machine, and the log file /app/sonatype-work/nexus3/log/nexus.log shows no errors.

I copied the certificate .cer to /etc/docker/certs.d/domain:port/, then I also copied it to /etc/pki/ca-trust/source/anchors/ and ran sudo update-ca-trust, following the Docker documentation on insecure registries. When I print the certificate from the remote machine with keytool -printcert -sslserver domain:port -v, and when I fetch it with wget from the remote machine, it works fine: the certificate is verified successfully and the data is downloaded.

I have checked many threads, but all of them talk about putting the certificate in the locations above, which I have already done. Thanks in advance.

-------------------- Update --------------------

[mehdilapin@localhost ~]$ wget https://mycustomregistry.com:7575
--2021-04-11 14:53:59--  https://mycustomregistry.com:7575/
Resolving mycustomregistry.com (mycustomregistry.com)... 192.168.1.9
Connecting to mycustomregistry.com (mycustomregistry.com)|192.168.1.9|:7575... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8903 (8.7K) [text/html]
Saving to: 'index.html.2'

index.html.2                                         100%[=====================================================================================================================>]   8.69K  --.-KB/s    in 0s      

2021-04-11 14:53:59 (287 MB/s) - 'index.html.2' saved [8903/8903]

[mehdilapin@localhost ~]$ sudo keytool -printcert -sslserver mycustomregistry.com:4563/registry/api -v
Certificate #0
====================================
Owner: CN=mycustomregistry.com, OU=organization Unit, O=organization, L=USA, ST=NewYork, C=US
Issuer: CN=mycustomregistry.com, OU=organization Unit, O=organization, L=USA, ST=NewYork, C=US
Serial number: 68e917a2
Valid from: Sun Apr 11 14:34:54 CET 2021 until: Mon Apr 11 14:34:54 CET 2022
Certificate fingerprints:
     SHA1: 05:95:71:99:93:D1:30:A0:D1:82:0C:73:61:47:69:F0:2A:A4:52:B3
     SHA256: EA:8A:0A:0C:C6:4B:BE:73:57:78:CC:DC:08:DE:92:8E:04:6F:B8:3E:8F:2A:71:C8:AD:5A:E7:19:BB:31:7C:AE
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EF C5 91 38 62 ED 54 12   4E AA 9C 0F C6 73 F2 0C  ...8b.T.N....s..
0010: 83 BF CA 5E                                        ...^
]
]

[mehdilapin@localhost ~]$ sudo keytool -printcert -file /etc/docker/certs.d/mycustomregistry.com\:4563/ca-certificate.cer 
Owner: CN=mycustomregistry.com, OU=organization Unit, O=organization, L=USA, ST=NewYork, C=US
Issuer: CN=mycustomregistry.com, OU=organization Unit, O=organization, L=USA, ST=NewYork, C=US
Serial number: 68e917a2
Valid from: Sun Apr 11 14:34:54 CET 2021 until: Mon Apr 11 14:34:54 CET 2022
Certificate fingerprints:
     SHA1: 05:95:71:99:93:D1:30:A0:D1:82:0C:73:61:47:69:F0:2A:A4:52:B3
     SHA256: EA:8A:0A:0C:C6:4B:BE:73:57:78:CC:DC:08:DE:92:8E:04:6F:B8:3E:8F:2A:71:C8:AD:5A:E7:19:BB:31:7C:AE
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EF C5 91 38 62 ED 54 12   4E AA 9C 0F C6 73 F2 0C  ...8b.T.N....s..
0010: 83 BF CA 5E                                        ...^
]
]


[mehdilapin@localhost ~]$ sudo keytool -printcert -file /etc/pki/ca-trust/source/anchors/ca-certificate.cer -v
Owner: CN=mycustomregistry.com, OU=organization Unit, O=organization, L=USA, ST=NewYork, C=US
Issuer: CN=mycustomregistry.com, OU=organization Unit, O=organization, L=USA, ST=NewYork, C=US
Serial number: 68e917a2
Valid from: Sun Apr 11 14:34:54 CET 2021 until: Mon Apr 11 14:34:54 CET 2022
Certificate fingerprints:
     SHA1: 05:95:71:99:93:D1:30:A0:D1:82:0C:73:61:47:69:F0:2A:A4:52:B3
     SHA256: EA:8A:0A:0C:C6:4B:BE:73:57:78:CC:DC:08:DE:92:8E:04:6F:B8:3E:8F:2A:71:C8:AD:5A:E7:19:BB:31:7C:AE
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EF C5 91 38 62 ED 54 12   4E AA 9C 0F C6 73 F2 0C  ...8b.T.N....s..
0010: 83 BF CA 5E                                        ...^
]
]

The certificates in /etc/docker/certs.d/ need to be in x509 format and named with a .crt extension (the same folder can in fact also be used to configure client TLS settings). So rename:

/etc/docker/certs.d/mycustomregistry.com\:4563/ca-certificate.cer

to a certificate in x509/pem format with the name:

/etc/docker/certs.d/mycustomregistry.com\:4563/ca-certificate.crt

That doesn't explain why the OS certificates don't work. When checking with wget and curl, you should be able to reach the v2 api, even if it gives you a permission denied error:

curl https://mycustomregistry.com:4563/v2/
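As an added example (not code from the question or the answer above), here is a small Python script that applies the answer's point to a certs.d directory: it tells a DER file from a PEM one, converts DER to PEM, renames the file to .crt, and also flags a certificate that carries no subjectAltName extension. That last check matters for this page's certificate, whose keytool output lists only a SubjectKeyIdentifier extension: Go-based clients such as recent Docker builds reject CN-only certificates with a separate error, so a regenerated self-signed cert should carry a SAN for the registry host. The temp directory, file names and sample bytes are constructed for the demo (the sample is a well-formed DER SEQUENCE, not a real certificate), and the SAN check is a byte-pattern heuristic rather than a full ASN.1 parse.

```python
"""Check and normalise a Docker certs.d directory (added example, not code from
the question or answer above). dockerd loads *.crt files under
/etc/docker/certs.d/<host>:<port>/ as PEM CAs; `keytool -exportcert` writes DER
unless -rfc is given, and a .cer name is never loaded. Paths and sample bytes
below are constructed for the demo."""
import base64
import os
import re
import tempfile

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
SAN_OID = b"\x06\x03\x55\x1d\x11"   # DER of OID 2.5.29.17 (subjectAltName)
SKI_OID = b"\x06\x03\x55\x1d\x0e"   # DER of OID 2.5.29.14, the only extension in the page's cert


def der_length(data: bytes) -> int:
    """Total length claimed by a leading DER SEQUENCE header, or -1 if malformed."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:                  # short-form length
        return 2 + first
    n = first & 0x7F                  # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_encoding(data: bytes) -> str:
    """'pem', 'der' or 'unknown' for the bytes of a certificate file."""
    if PEM_BLOCK.search(data):
        return "pem"
    return "der" if der_length(data) == len(data) else "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER in a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()


def pem_to_der(pem: bytes) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file back to DER."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def has_san(der: bytes) -> bool:
    """Heuristic byte search for the subjectAltName OID; not a full ASN.1 parse."""
    return SAN_OID in der


def check_certs_dir(dirpath: str) -> list:
    """Findings for one certs.d/<host>:<port> directory, in dockerd's terms."""
    findings = []
    for name in sorted(os.listdir(dirpath)):
        path = os.path.join(dirpath, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        enc = detect_encoding(data)
        if enc == "unknown":
            findings.append(f"{name}: not a PEM or DER certificate")
            continue
        if enc == "der":
            findings.append(f"{name}: DER-encoded, dockerd wants PEM")
        if not name.endswith(".crt"):
            findings.append(f"{name}: extension is not .crt, dockerd will not load it as a CA")
        if not has_san(data if enc == "der" else pem_to_der(data)):
            findings.append(f"{name}: no subjectAltName, Go-based clients reject CN-only certificates")
    return findings


def normalise(path: str) -> str:
    """Convert DER to PEM if needed and rename to .crt; returns the new path."""
    with open(path, "rb") as fh:
        data = fh.read()
    enc = detect_encoding(data)
    if enc == "unknown":
        raise ValueError(f"{path}: not a certificate")
    new_path = os.path.splitext(path)[0] + ".crt"
    with open(new_path, "wb") as fh:
        fh.write(der_to_pem(data) if enc == "der" else data)
    if new_path != path:
        os.remove(path)
    return new_path


def sample_blob(with_san: bool) -> bytes:
    """Constructed stand-in for a DER certificate: a well-formed outer SEQUENCE
    holding one extension OID plus padding, not a real X.509 structure."""
    payload = (SAN_OID if with_san else SKI_OID) + b"\x00" * 300   # > 255 bytes forces the 0x82 long form
    return b"\x30\x82" + len(payload).to_bytes(2, "big") + payload


def demo() -> dict:
    """Reproduce the page's situation (a .cer dropped into certs.d), then fix it."""
    dirpath = tempfile.mkdtemp(prefix="certs.d-")   # stands in for /etc/docker/certs.d/<host>:<port>
    cer = os.path.join(dirpath, "ca-certificate.cer")
    with open(cer, "wb") as fh:
        fh.write(sample_blob(with_san=False))
    before = check_certs_dir(dirpath)
    new_name = os.path.basename(normalise(cer))
    return {"before": before, "new_name": new_name, "after": check_certs_dir(dirpath)}
```

Against a real host the call is check_certs_dir("/etc/docker/certs.d/mycustomregistry.com:4563"); the equivalent one-off conversion with OpenSSL is openssl x509 -inform DER -in ca-certificate.cer -out ca-certificate.crt. Two caveats for the system-trust side of the question: dockerd reads certs.d on each registry connection, but the Go runtime loads the system root pool once per process, so dockerd has to be restarted after update-ca-trust before the anchor in /etc/pki/ca-trust/source/anchors/ takes effect; and curl against the /v2/ endpoint, as the answer suggests, exercises the same system store without involving dockerd, which separates the two failure modes.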