如何使用 Apache 和 CA 证书配置 Docker Registry V2?
How do I Configure a Docker Registry V2 with Apache and a CA certificate?
我已经在 google 搜索中阅读了此处和外部的所有参考资料,但无法使用 CA 签名证书访问我的注册表。这是我拥有的:
Apache 代理(已尝试各种配置,none 其中对 docker 有任何影响):
listen dockerrepo.xxxxx.xxxxx.xxxxx.com:5000 https
ServerName dockerrepo.xxxxx.xxxxx.xxxxx.com
SSLEngine on
SSLCertificateFile /etc/httpd/certs/DockerRepoCAKeyCert.crt
SSLCACertificateFile /etc/httpd/certs/DockerRepoCAKeyCert.crt
SSLCertificateKeyFile /etc/httpd/certs/DockerRepoCAKeyCert.crt
SSLCipherSuite AES128-SHA,AES256-SHA,AES128-GCM-SHA256,AES256-GCM-SHA384
SSLProtocol all -SSLv3 -SSLv2 -TLSv1
Header always set "Docker-Distribution-Api-Version" "registry/2.0"
Header onsuccess set "Docker-Distribution-Api-Version" "registry/2.0"
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost on
ProxyPass /v2 http://127.0.0.1:5000/v2
ProxyPassReverse /v2 http://127.0.0.1:5000/v2
SSLEngine on
SSLCertificateFile /etc/httpd/certs/DockerRepoCAKeyCert.crt
SSLCACertificateFile /etc/httpd/certs/DockerRepoCAKeyCert.crt
SSLCertificateKeyFile /etc/httpd/certs/DockerRepoCAKeyCert.crt
SSLCipherSuite AES128-SHA,AES256-SHA,AES128-GCM-SHA256,AES256-GCM-SHA384
SSLProtocol all -SSLv3 -SSLv2 -TLSv1
Header always set "Docker-Distribution-Api-Version" "registry/2.0"
Header onsuccess set "Docker-Distribution-Api-Version" "registry/2.0"
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost on
ProxyPass /v2 http://127.0.0.1:5000/v2
ProxyPassReverse /v2 http://127.0.0.1:5000/v2
我启动注册表:
prod=registry
ver=2.1.1
docker load --input /home/docker/docker_${prod}-${ver}.tar
docker run -d --privileged=true -e GUNICORN_OPTS="[--preload]" -p 127.0.0.1:5000:5000 --restart=always -v /home/docker/certs:/ce
rts -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/DockerRepoCACert.crt -e REGISTRY_HTTP_TLS_KEY=/certs/client-private-key-nopassphrase
.pem -v /home/docker/prodRepo/data:/tmp/registry-dev --name docker-registry ${prod}:${ver}
注册表和 Apache 启动正常。当我推动时,我得到这个:
[root@dockerrepo dockerrepo:5000]# docker push dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/registry:2.1.1
The push refers to a repository [dockerrepo.internal.acp.arris.com:5000/registry] (len: 1)
unable to ping registry endpoint https://dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/v0/
v2 ping attempt failed with error: Get https: //dockerrepo.xxxxx.xxxxx.xxxx.com:5000/v2/: x509: certificate signed by
unknown authority
v1 ping attempt failed with error: Get https: //dockerrepo.xxxxx.xxxxxx.xxxxx.com:5000/v1/_ping: x509: certificate signed by unknown authority
我试过将域、intermediate/sub 和根证书组合成所有组合,但我似乎无法让它发挥作用。我怀疑我在做一些愚蠢的事情,但我看不到什么。感谢任何帮助。
检查后,我意识到我没有将我的证书添加到 CA 信任中。这样做之后,我现在得到这个错误:
[root@dockerrepo anchors]# docker push dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/registry:2.1.1
The push refers to a repository [dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/registry] (len: 1)
1e847b14150e: Buffering to Disk
Received unexpected HTTP status: 502 Proxy Error
您确定CA证书在主机的以下目录中吗?
/etc/docker/certs.d/<registry-host>:<registry-port>/
我已经在 google 搜索中阅读了此处和外部的所有参考资料,但无法使用 CA 签名证书访问我的注册表。这是我拥有的:
Apache 代理(已尝试各种配置,none 其中对 docker 有任何影响):
listen dockerrepo.xxxxx.xxxxx.xxxxx.com:5000 https ServerName dockerrepo.xxxxx.xxxxx.xxxxx.com
SSLEngine on SSLCertificateFile /etc/httpd/certs/DockerRepoCAKeyCert.crt SSLCACertificateFile /etc/httpd/certs/DockerRepoCAKeyCert.crt SSLCertificateKeyFile /etc/httpd/certs/DockerRepoCAKeyCert.crt SSLCipherSuite AES128-SHA,AES256-SHA,AES128-GCM-SHA256,AES256-GCM-SHA384 SSLProtocol all -SSLv3 -SSLv2 -TLSv1
Header always set "Docker-Distribution-Api-Version" "registry/2.0" Header onsuccess set "Docker-Distribution-Api-Version" "registry/2.0" RequestHeader set X-Forwarded-Proto "https" ProxyPreserveHost on ProxyPass /v2 http://127.0.0.1:5000/v2 ProxyPassReverse /v2 http://127.0.0.1:5000/v2SSLEngine on SSLCertificateFile /etc/httpd/certs/DockerRepoCAKeyCert.crt SSLCACertificateFile /etc/httpd/certs/DockerRepoCAKeyCert.crt SSLCertificateKeyFile /etc/httpd/certs/DockerRepoCAKeyCert.crt SSLCipherSuite AES128-SHA,AES256-SHA,AES128-GCM-SHA256,AES256-GCM-SHA384 SSLProtocol all -SSLv3 -SSLv2 -TLSv1
Header always set "Docker-Distribution-Api-Version" "registry/2.0" Header onsuccess set "Docker-Distribution-Api-Version" "registry/2.0" RequestHeader set X-Forwarded-Proto "https" ProxyPreserveHost on ProxyPass /v2 http://127.0.0.1:5000/v2 ProxyPassReverse /v2 http://127.0.0.1:5000/v2
我启动注册表:
prod=registry ver=2.1.1 docker load --input /home/docker/docker_${prod}-${ver}.tar docker run -d --privileged=true -e GUNICORN_OPTS="[--preload]" -p 127.0.0.1:5000:5000 --restart=always -v /home/docker/certs:/ce rts -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/DockerRepoCACert.crt -e REGISTRY_HTTP_TLS_KEY=/certs/client-private-key-nopassphrase .pem -v /home/docker/prodRepo/data:/tmp/registry-dev --name docker-registry ${prod}:${ver}
注册表和 Apache 启动正常。当我推动时,我得到这个:
[root@dockerrepo dockerrepo:5000]# docker push dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/registry:2.1.1
The push refers to a repository [dockerrepo.internal.acp.arris.com:5000/registry] (len: 1)
unable to ping registry endpoint https://dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/v0/
v2 ping attempt failed with error: Get https: //dockerrepo.xxxxx.xxxxx.xxxx.com:5000/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https: //dockerrepo.xxxxx.xxxxxx.xxxxx.com:5000/v1/_ping: x509: certificate signed by unknown authority
我试过将域、intermediate/sub 和根证书组合成所有组合,但我似乎无法让它发挥作用。我怀疑我在做一些愚蠢的事情,但我看不到什么。感谢任何帮助。
检查后,我意识到我没有将我的证书添加到 CA 信任中。这样做之后,我现在得到这个错误:
[root@dockerrepo anchors]# docker push dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/registry:2.1.1
The push refers to a repository [dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/registry] (len: 1)
1e847b14150e: Buffering to Disk
Received unexpected HTTP status: 502 Proxy Error
您确定CA证书在主机的以下目录中吗?
/etc/docker/certs.d/<registry-host>:<registry-port>/