ssl - Can an insecure docker registry be given a CA signed certificate so that clients automatically trust it?


Currently, I have set up the registry in the following manner:

docker run -d \
  -p 10.0.1.4:443:5000 \
  --name registry \
  -v `pwd`/certs/:/certs \
  -v `pwd`/registry:/var/lib/registry \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/certificate.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/private.key \
  registry:latest

Using Docker version 17.06.2-ce, build cec0b72.

I have obtained certificate.crt, private.key, and ca_bundle.crt from Let's Encrypt, and I have been able to establish HTTPS connections when using these certs on an nginx server, without having to explicitly trust the certificates on the client machine/browser.

Is it possible to set up a user experience for the Docker registry similar to that of a CA-certified website being accessed via HTTPS, where the browser/machine trusts the root CA along with the chain, including the certificates?

Note:

I can of course specify the certificate in the clients' Docker files as described in the tutorial: https://docs.docker.com/registry/insecure/#use-self-signed-certificates . However, this is not an adequate solution for my needs.

Output of curl -v https://docks.behar.cloud/v2/:

*   Trying 10.0.1.4...
* TCP_NODELAY set
* Connected to docks.behar.cloud (10.0.1.4) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: docks.behar.cloud
* Server certificate: Let's Encrypt Authority X3
* Server certificate: DST Root CA X3
> GET /v2/ HTTP/1.1
> Host: docks.behar.cloud
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 2
< Content-Type: application/json; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
< X-Content-Type-Options: nosniff
< Date: Sun, 10 Sep 2017 23:05:01 GMT
<
* Connection #0 to host docks.behar.cloud left intact

Short answer: yes. The issue was caused by the OS not having built-in trust of the root certificate the SSL certificate is signed by, due to the age of the OS. See the answer from Matt for more information.

Docker uses the OS-provided CA bundle, so certificates signed by trusted roots should work without any configuration.

Let's Encrypt certificates are cross-signed by the IdenTrust root certificate (DST Root CA X3), so CA bundles should trust the certificates. The Let's Encrypt root cert (ISRG Root X1) is distributed but not widespread, due to being more recent.

Docker 1.13+ uses the host system's CA bundle to verify certificates. Prior to 1.13 this may not happen if you have installed a custom root cert. If you can use curl without a TLS warning, the docker commands should work the same.
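The cross-signing point in the answer above can be reproduced offline. The script below is an added example, not code from the question or the answers: it builds a throwaway PKI with the `openssl` CLI (assumed to be installed) that mirrors the Let's Encrypt layout described above. `old_root` stands in for the root an older OS bundle already ships (DST Root CA X3), `new_root` for the newer root that is not yet widespread (ISRG Root X1), one intermediate key is signed by both roots (that is the cross-sign), and a leaf is issued for docks.behar.cloud, the host from the question. `chain_trusted` then emulates a client whose trust store is a given bundle and reports whether it would accept the chain the server sends. The names, extension files and the temporary directory are all constructed here.

```shell
#!/bin/sh
# Added example: throwaway PKI mirroring a cross-signed intermediate (old root
# in the client bundle, new root not). Nothing here is fetched from the network.
set -eu

# sign CSR $1 with CA cert $2 / CA key $3, extensions from file $4, write cert $5
sign() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 365 -extfile "$4" -out "$5" 2>/dev/null
}

make_pki() {
    PKI_DIR=$(mktemp -d)
    cd "$PKI_DIR"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:docks.behar.cloud\n' > leaf.ext

    # Two self-signed roots: "old_root" is what an older OS bundle ships,
    # "new_root" is the recent one that has not reached every bundle yet.
    for r in old_root new_root; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$r.key"
        openssl req -new -key "$r.key" -subj "/CN=$r" -out "$r.csr" 2>/dev/null
        openssl x509 -req -in "$r.csr" -signkey "$r.key" -days 365 \
            -extfile ca.ext -out "$r.crt" 2>/dev/null
    done

    # One intermediate key and CSR, signed twice: by new_root and (cross-signed) by old_root.
    # Both certificates carry the same subject and public key, so either can sit in a chain
    # under the same leaf.
    openssl ecparam -name prime256v1 -genkey -noout -out int.key
    openssl req -new -key int.key -subj "/CN=intermediate" -out int.csr 2>/dev/null
    sign int.csr new_root.crt new_root.key ca.ext int_by_new.crt
    sign int.csr old_root.crt old_root.key ca.ext int_by_old.crt

    # Leaf for the registry host, issued with the intermediate key.
    openssl ecparam -name prime256v1 -genkey -noout -out leaf.key
    openssl req -new -key leaf.key -subj "/CN=docks.behar.cloud" -out leaf.csr 2>/dev/null
    sign leaf.csr int_by_new.crt int.key leaf.ext leaf.crt
}

# chain_trusted BUNDLE INTERMEDIATE LEAF
# Emulates a client whose trust store is BUNDLE receiving LEAF plus the INTERMEDIATE the
# server sent ("" when the server sends the leaf alone). Exit 0 means the client trusts it.
chain_trusted() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

verdict() {
    if chain_trusted "$1" "$2" "$3"; then echo "trusted:  $4"; else echo "REJECTED: $4"; fi
}

make_pki
verdict old_root.crt int_by_old.crt leaf.crt "old bundle, server sends the cross-signed intermediate"
verdict old_root.crt int_by_new.crt leaf.crt "old bundle, server sends the intermediate signed by new_root"
verdict new_root.crt int_by_new.crt leaf.crt "new bundle, server sends the intermediate signed by new_root"
verdict old_root.crt ""             leaf.crt "old bundle, server sends the leaf only (no chain in certificate.crt)"
```

The last case is the one to check on the registry itself: the `REGISTRY_HTTP_TLS_CERTIFICATE` file must contain the leaf followed by the intermediate (the ca_bundle.crt from the question), otherwise a client with a perfectly good trust store still cannot build the chain. The curl output in the question shows three certificates being served, so that part was already right there; what it cannot show is whether the OS bundle on the Docker host contains the root that the served intermediate chains to, which is what `chain_trusted` tests.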

