Comments (11)
NO_SSL_VERIFICATION=true
works for the moment
Thanks
from docker-registry-browser.
Nice 😃
from docker-registry-browser.
Hi Michael,
currently the app does not support configuring a custom CA. I'll flag this as a feature request.
There is one option to disable SSL certificate verification in general which you could use:
NO_SSL_VERIFICATION=true
I'll see when I can find some time to implement the CA option.
Best, Klaus
from docker-registry-browser.
@astrapi I've just published a new version including the CA_FILE option, which allows pointing to a custom CA cert file.
Would be really awesome if you could give it a try :)
from docker-registry-browser.
Hello,
I use 1.3.4 version.
Unfortunately variable CA_FILE still doesn't work.
I set the variable CA_FILE to my CA certificate file and I still got the error: "Faraday::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)):".
from docker-registry-browser.
Hi, I'll test it again.
from docker-registry-browser.
For me it is working fine when testing it locally.
SSL CA & Cert:
openssl genrsa -des3 -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -sha256 -key server.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=localhost" -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 500 -sha256
Registry Config:
backend:
  image: registry:2
  environment:
    - "REGISTRY_HTTP_TLS_CERTIFICATE=/ssl/server.crt"
    - "REGISTRY_HTTP_TLS_KEY=/ssl/server.key"
  ports:
    - "5000:5000"
  volumes:
    - "./ssl:/ssl"
Docker Registry Browser Config:
- CA_FILE=/ssl/ca.crt
- DOCKER_REGISTRY_URL=https://localhost:5000
It is important that the DOCKER_REGISTRY_URL uses the same hostname as the certificate uses as CN. Otherwise I was also getting an error message.
from docker-registry-browser.
I still got error :(
I think the problem is that the authentication server (cesanta/docker-auth) and the registry are behind a nginx proxy.
My cert has SANs.
My nginx configuration is like below:
#ssl-test.conf
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/certs/dh.pem;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
ssl_certificate /etc/nginx/certs/docker-repo.k8s-test.in.crt;
ssl_certificate_key /etc/nginx/certs/docker-repo.k8s-test.in.key;
ssl_trusted_certificate /etc/nginx/certs/ca.crt;
#repo.conf
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
    '' 'registry/2.0';
}
server {
    listen 443 ssl http2;
    server_name localhost;
    # registry browser
    location / {
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $http_host;
        proxy_pass http://localhost:8080;
    }
    # registry
    location /v2/ {
        client_max_body_size 0;
        chunked_transfer_encoding on;
        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
            return 404;
        }
        add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
        proxy_pass http://localhost:5000;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }
    # auth server
    location /auth {
        proxy_read_timeout 90;
        proxy_connect_timeout 90;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $http_host;
        proxy_pass http://localhost:5001/auth;
    }
}
My auth configuration:
server:
  addr: :5001
token:
  issuer: "K8S-TEST.IN"
  expiration: 900
  certificate: /certs/docker-repo.k8s-test.in.crt
  key: /certs/docker-repo.k8s-test.in.key
users:
  "test":
    password: "$2y$05$puCBTBDY.RoIV4D66bPrduTKnmXLHPnc4sJCLFfmeFldOe5fGSLFW"
acl:
  - match: { account: "test" }
    actions: ["*"]
And registry config:
version: 0.1
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  host: https://192.168.30.120
  secret: my-super-secret-key
  headers:
    X-Content-Type-Options: [nosniff]
auth:
  token:
    realm: https://192.168.30.120/auth
    service: "Docker-Repo"
    issuer: "K8S-TEST.IN"
    rootcertbundle: /certs/docker-repo.k8s-test.in.crt
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
And errors:
I, [2020-08-18T07:01:10.407941 #1] INFO -- : [87f13f99-1f0a-42f9-b8c8-9e67b818e6c8] Started GET "/" for 127.0.0.1 at 2020-08-18 07:01:10 +0000
I, [2020-08-18T07:01:10.408971 #1] INFO -- : [87f13f99-1f0a-42f9-b8c8-9e67b818e6c8] Processing by RepositoriesController#index as */*
I, [2020-08-18T07:01:10.461426 #1] INFO -- request: GET https://192.168.30.120/v2/_catalog?n=100
I, [2020-08-18T07:01:10.461509 #1] INFO -- request: User-Agent: "Faraday v1.0.1"
I, [2020-08-18T07:01:10.494214 #1] INFO -- request: GET https://192.168.30.120/auth?client_id=docker-registry-browser&offline_token=true&scope=registry%3Acatalog%3A%2A&service=Docker-Repo
I, [2020-08-18T07:01:10.494288 #1] INFO -- request: User-Agent: "Faraday v1.0.1"
Authorization: "Basic YnJvd3Nlcjpicm93c2Vy"
I, [2020-08-18T07:01:10.525022 #1] INFO -- : [87f13f99-1f0a-42f9-b8c8-9e67b818e6c8] Completed 500 Internal Server Error in 116ms (Allocations: 20540)
F, [2020-08-18T07:01:10.525806 #1] FATAL -- : [87f13f99-1f0a-42f9-b8c8-9e67b818e6c8]
[87f13f99-1f0a-42f9-b8c8-9e67b818e6c8] Faraday::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)):
[87f13f99-1f0a-42f9-b8c8-9e67b818e6c8]
[87f13f99-1f0a-42f9-b8c8-9e67b818e6c8] app/services/obtain_authentication_token.rb:17:in `perform_request'
[87f13f99-1f0a-42f9-b8c8-9e67b818e6c8] app/services/obtain_authentication_token.rb:9:in `call'
[87f13f99-1f0a-42f9-b8c8-9e67b818e6c8] app/controllers/application_controller.rb:35:in `perform_token_authentication'
[87f13f99-1f0a-42f9-b8c8-9e67b818e6c8] app/controllers/application_controller.rb:22:in `client_error'
Looks like a problem with auth server.
From CLI works ok.
from docker-registry-browser.
Thanks for all the details.
I just checked and the CA_FILE option is not actually used when talking to the auth server.
Looks like I missed that when I did the implementation.
I'll push a change for that and then you could give it another try.
from docker-registry-browser.
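The two points made above (the registry hostname must be covered by the certificate's CN or SAN, and CA_FILE has to apply to the token auth realm as well as the registry itself) can be checked before deploying. The following is an added example, not code from docker-registry-browser; it assumes a constructed Bearer challenge in the form the Docker token auth flow uses and takes the certificate names as a plain list.

```python
# Added example (not part of docker-registry-browser): model the two TLS
# endpoints the browser must verify against CA_FILE and check that the host
# in each URL is covered by a name on the server certificate.
import re
import ipaddress
from urllib.parse import urlparse

# Matches the key="value" pairs of a Bearer challenge, e.g.
#   Bearer realm="https://host/auth",service="Docker-Repo",scope="..."
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Parse a WWW-Authenticate Bearer challenge into a dict of its params."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % header)
    return dict(_PARAM_RE.findall(params))


def hosts_to_verify(registry_url, challenge_header):
    """Hosts the browser connects to over TLS: the registry itself and the
    token realm the registry announces in its challenge (both need CA_FILE)."""
    realm = parse_bearer_challenge(challenge_header)["realm"]
    hosts = []
    for url in (registry_url, realm):
        parsed = urlparse(url)
        if parsed.scheme == "https":
            hosts.append(parsed.hostname)
    return hosts


def name_matches(cert_name, host):
    """RFC 6125-style match of one certificate name (CN or SAN) against a host."""
    try:
        ipaddress.ip_address(host)
        return cert_name == host       # IP addresses must match exactly
    except ValueError:
        pass
    if cert_name.startswith("*."):     # wildcard covers one leftmost label only
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name.lower() == host.lower()


def unmatched_hosts(cert_names, registry_url, challenge_header):
    """Hosts from the registry URL and auth realm that no cert name covers;
    an empty list means verification against CA_FILE can pass on both hops."""
    return [h for h in hosts_to_verify(registry_url, challenge_header)
            if not any(name_matches(n, h) for n in cert_names)]
```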
@tickmanpl the change is now available in the latest docker-tag.
Could you please check if it is helping with your issue?
from docker-registry-browser.
I checked. Works flawlessly.
Many thanks.
from docker-registry-browser.