distribution: letsencrypt disabled tls-sni-01 challenge. registry image doesn't support fallback challenges.
This:

```shell
docker run -d -p 443:5000 --name registry --restart=always \
  -v $(pwd)/var/lib/registry:/var/lib/registry \
  -v $(pwd)/auth:/auth \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
  -e REGISTRY_HTTP_HOST=https://docker.example.com \
  -e REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE=/etc/docker/registry/letsencrypt.json \
  -e REGISTRY_HTTP_TLS_LETSENCRYPT_EMAIL=admin@example.com \
  -e REGISTRY_AUTH_HTPASSWD_REALM=example \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  registry:2
```

produces this (in the logs):

```
2018/03/10 22:29:15 [INFO] acme: Registering account for admin@example.com
time="2018-03-10T22:29:16Z" level=info msg="listening on [::]:5000, tls" go.version=go1.7.6 instance.id=46277ada-99d7-458e-aa24-7ef9b9009f86 version=v2.6.2
2018/03/10 22:29:44 [INFO][docker.example.com] acme: Obtaining bundled SAN certificate
2018/03/10 22:29:45 [INFO][docker.example.com] acme: Could not find solver for: dns-01
2018/03/10 22:29:45 [INFO][docker.example.com] acme: Could not find solver for: http-01
2018/03/10 22:29:45 http: TLS handshake error from 120.17.222.195:41255: map[docker.example.com:[docker.example.com] acme: Could not determine solvers]
```
This is caused by letsencrypt disabling the tls-sni-01 challenge which uses port 443. It falls back to the http-01 challenge which uses port 80, and the dns-01 challenge which uses port 53, but the registry accepts connections on only one port.
More information here: https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188.
Essentially, this means the bundled letsencrypt support is completely useless now. It should either be completely removed from registry or support http-01 needs to be added.
About this issue
- State: closed
- Created 6 years ago
- Reactions: 23
- Comments: 15 (3 by maintainers)
any progress on this task?
Yes, any progress please ?
Thanks Jay, I am now manually doing the letsencrypt certificate generation and renewal. 🙈
Awesome @ASHWINI-GUPTA! That should work too.
Just reporting back that since my original post, the Traefik container for front end has been working perfectly. No issues since set up as well.
I was able to get a stable workaround running by using Traefik as a reverse proxy. It handles all of my Let’s Encrypt SSL automatically for the “front end”. It then passes the web traffic to my registry that is running a self-signed certificate. Since I have both containers running on the same docker private network, that works great for me and the user does not get any SSL validation errors.
After getting that all set up, I realized that all registry users could push and pull images to the registry. Since that could be a huge security issue, I attempted to configure “Portus” to run along with my registry for managing access. After that attempt crashed and burned, I finally settled on cesanta/docker_auth which was not too bad to configure. This allows me to set roles and access permissions on a per user/device basis.
Using these methods, I now have a private docker registry that is automatically secured with Let’s Encrypt. Best of all, it is backed by Amazon S3 as well so I can destroy and re-create the container and not have to worry about losing any images.
Sorry for the lengthy post, but thought I would share my experiences in case it helped anyone else out. It sure did take a while to figure that all out 😀
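The reverse-proxy workaround described in the comment above, written out as a docker-compose file so the two moving parts are visible in one place: Traefik owns ports 80 and 443, completes the http-01 challenge on port 80 (the challenge the registry's built-in ACME client cannot serve), terminates TLS, and forwards to the registry over a private Docker network, so the registry itself never needs a certificate. This is an added example, not configuration from the distribution project or from the commenter. The hostname, e-mail address, htpasswd realm and host paths are taken from the issue's original `docker run` command; the Traefik image tag, the `registry-net` network name, the `./letsencrypt` directory and the `le` resolver name are assumptions.

```yaml
# docker-compose.yml (added example; values marked "assumed" are not from the issue)
version: "3.7"

services:
  traefik:
    image: traefik:v2.10          # assumed version; any Traefik v2 release has the same flags
    restart: always
    command:
      - --providers.docker=true
      # Do not expose every container on the socket; only those labelled traefik.enable=true.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80        # port 80 is required for the http-01 challenge
      - --entrypoints.websecure.address=:443 # public TLS endpoint for the registry
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.httpchallenge=true
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Read-only socket: Traefik only needs to watch container labels.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt   # assumed path; holds account key and certificates
    networks: [registry-net]

  registry:
    image: registry:2
    restart: always
    # No "ports:" entry: the registry is reachable only from Traefik on registry-net.
    environment:
      REGISTRY_HTTP_ADDR: 0.0.0.0:5000
      # External URL the registry puts in Location headers; must match what clients use.
      REGISTRY_HTTP_HOST: https://docker.example.com
      REGISTRY_AUTH_HTPASSWD_REALM: example
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    volumes:
      - ./var/lib/registry:/var/lib/registry
      - ./auth:/auth
    labels:
      - traefik.enable=true
      - traefik.http.routers.registry.rule=Host(`docker.example.com`)
      - traefik.http.routers.registry.entrypoints=websecure
      - traefik.http.routers.registry.tls.certresolver=le
      - traefik.http.services.registry.loadbalancer.server.port=5000
    networks: [registry-net]

networks:
  registry-net:   # assumed name; a private bridge network shared by the two containers
```

Before the first start, create the certificate store with owner-only permissions (`touch letsencrypt/acme.json && chmod 600 letsencrypt/acme.json`); Traefik refuses to use an `acme.json` that is readable by others, since it contains the account key and the private keys for issued certificates. The registry here listens on plain HTTP inside the private network rather than on the self-signed certificate the commenter used; the traffic never leaves the Docker bridge, and it avoids having to tell the proxy to skip certificate verification of the backend. The Docker socket mount is the most sensitive part of this layout: anything that can reach Traefik's process can reach the socket, so keep it read-only and leave `exposedbydefault=false` so that unrelated containers on the host are not routed to by accident.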