distribution: Configuring a private registry: Let's Encrypt doesn't work

I’m trying to configure a private registry to use Let’s Encrypt to automatically obtain a browser-trusted certificate using the REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE and REGISTRY_HTTP_TLS_LETSENCRYPT_EMAIL environment variables.

When I run docker login mydomain.com:5000 and enter my username and password, I get

Error response from daemon: Get https://mydomain.com:5000/v1/users/: remote error: internal error

The registry container logs the following:

registry_1  | 2016/08/15 11:38:51 [INFO][mydomain.com] acme: Obtaining bundled SAN certificate
registry_1  | 2016/08/15 11:38:51 [INFO][mydomain.com] acme: Could not find solver for: http-01
registry_1  | 2016/08/15 11:38:51 [INFO][mydomain.com] acme: Could not find solver for: dns-01
registry_1  | 2016/08/15 11:38:51 [INFO][mydomain.com] acme: Trying to solve TLS-SNI-01
registry_1  | 2016/08/15 11:38:53 http: TLS handshake error from <my-client-IP>:58430: map[mydomain.com:acme: Error 400 - urn:acme:error:connection - Failed to connect to <my-registry-IP>:443 for TLS-SNI-01 challenge
registry_1  | Error Detail:
registry_1  |   Validation for mydomain.com:443
registry_1  |   Resolved to:
registry_1  |           <my-registry-IP>
registry_1  |   Used: <my-registry-IP>
registry_1  | 
registry_1  | ]
registry_1  | 2016/08/15 11:38:53 http: TLS handshake error from <my-client-IP>:58432: map[mydomain.com:acme: Error 400 - urn:acme:error:connection - Failed to connect to <my-registry-IP>:443 for TLS-SNI-01 challenge
registry_1  | Error Detail:
registry_1  |   Validation for mydomain.com:443
registry_1  |   Resolved to:
registry_1  |           <my-registry-IP>
registry_1  |   Used: <my-registry-IP>
registry_1  | 
registry_1  | ]

I use the following docker-compose.yml to run the registry:

{
    "version": "2",
    "services": {
        "registry": {
            "image": "registry",
            "volumes": [
                "./data/:/var/lib/registry/",
                "./letsencrypt/cachefile:/letsencrypt/cachefile",
                "./auth/:/auth/"
            ],
            "ports": [
                "5000:5000"
            ],
            "restart": "unless-stopped",
            "environment": {
                "REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE": "/letsencrypt/cachefile",
                "REGISTRY_HTTP_TLS_LETSENCRYPT_EMAIL": "my@email.com",
                "REGISTRY_AUTH": "htpasswd",
                "REGISTRY_AUTH_HTPASSWD_PATH": "/auth/htpasswd",
                "REGISTRY_AUTH_HTPASSWD_REALM": "Registry Realm"
            }
        }
    }
}

Here is the info about my system:

$ docker version
Client:
 Version:      1.12.0
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   8eab29e
 Built:        Thu Jul 28 22:00:36 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.0
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   8eab29e
 Built:        Thu Jul 28 22:00:36 2016
 OS/Arch:      linux/amd64

$ docker info
Containers: 20
 Running: 8
 Paused: 0
 Stopped: 12
Images: 19
Server Version: 1.12.0
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 178
 Dirperm1 Supported: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge null host overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor
Kernel Version: 3.13.0-91-generic
Operating System: Ubuntu 14.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.955 GiB
Name: myserver
ID: 5EAG:WCZK:YQM4:UEMS:IHOS:G2SZ:2RR5:BOIP:4UN2:EQZP:GZ5S:33ZH
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
 127.0.0.0/8

$ docker exec dockerregistry_registry_1 registry --version
registry github.com/docker/distribution v2.5.0

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 15 (1 by maintainers)

Most upvoted comments

If you came here from Google after January 2018, then letsencrypt support is completely broken. letsencrypt has disabled the only challenge that registry supports. See #2545.

Created https://github.com/docker/distribution/pull/1940, no need to keep this open
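The failure in the issue's log is the ACME server trying to reach the registry on port 443 for the TLS-SNI-01 challenge while the compose file only publishes port 5000, and the comment above records that Let's Encrypt later disabled that challenge altogether. The compose file below is an added example, not code from the original issue or from the docker/distribution project: it serves the same registry from a certificate and key obtained outside the container (for instance by certbot on the host using http-01), and keeps the built-in Let's Encrypt settings commented out with a note on what the original setup was missing. The hostname, the ./certs directory, the fullchain.pem/privkey.pem file names and the 5000 port are assumptions carried over from the issue and from certbot's naming.

```yaml
# Added example, not from the original issue or the docker/distribution project.
# Assumptions: certificates live in ./certs on the host, named the way certbot
# writes them; clients keep using mydomain.com:5000 as in the issue.
version: "2"
services:
  registry:
    image: registry:2
    restart: unless-stopped
    ports:
      # Port the client already uses: docker login mydomain.com:5000
      - "5000:5000"
      # Only needed for the built-in ACME mode below. The original file did not
      # publish 443, which is the "Failed to connect to <ip>:443 for TLS-SNI-01
      # challenge" error in the registry log: the validation server connects to
      # port 443 of the name's A record, not to 5000.
      # - "443:5000"
    volumes:
      - ./data:/var/lib/registry
      - ./auth:/auth:ro
      # Certificate chain and key renewed outside the container, mounted read-only.
      - ./certs:/certs:ro
      # For the built-in ACME mode, mount the directory rather than the file:
      # bind-mounting a host path that does not exist yet makes Docker create
      # a directory there, so the registry could never write its cache file.
      # - ./letsencrypt:/letsencrypt
    environment:
      REGISTRY_HTTP_ADDR: ":5000"
      # Serve TLS from files; use the full chain so Docker clients can build
      # a trust path to the Let's Encrypt root.
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/fullchain.pem
      REGISTRY_HTTP_TLS_KEY: /certs/privkey.pem
      # Built-in ACME mode from the issue, left disabled: as the comment on this
      # issue notes, Let's Encrypt disabled TLS-SNI-01, the only challenge the
      # registry implemented, so these settings no longer produce a certificate.
      # REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE: /letsencrypt/cachefile
      # REGISTRY_HTTP_TLS_LETSENCRYPT_EMAIL: my@email.com
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: "Registry Realm"
```

The registry reads the certificate and key at start-up, so restart the container after each renewal. The htpasswd file must use bcrypt entries (htpasswd -Bbn), which the registry requires; and because the certificate is valid for the name rather than the port, clients can keep logging in to mydomain.com:5000 without any insecure-registries entry.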