moby: Docker Registry SSL CA cert failing to be read
Hi there,
Background
A registry running behind a reverse proxy (Apache 2.2). The proxy is responsible for terminating SSL on port 443 using TLS. The SSL certificates in use are self-signed and we authenticate with client certificates.
Problem
In Docker 1.3.0, docker accepted our self-signed certificates as long as they had been set up in /etc/docker/certs.d/registry.host/{client.cert, client.key, registry.host.crt}.
In Docker 1.3.1, the behaviour has changed to look for /etc/docker/certs.d/registry.host/ca.crt (which would be fine, if it actually read the file).
As far as I can conclude, the CA certificate isn’t read. I can curl my registry using the client certificates and the CA certificate fine. Instead of connecting, I’m told to use --insecure-registry or put a CA cert in the “correct” place.
About this issue
- State: closed
- Created 10 years ago
- Comments: 75 (29 by maintainers)
@zekizeki @sthulb Can you provide daemon log output?
FYI, if I want to pull myregistry:5000/busybox, I have to put the cert in /etc/docker/certs.d/myregistry:5000/ca.crt (note the :5000). I tested this many times, I’m not sure what doesn’t work for you guys 😦
Why not just use the system’s CA certificate store like curl, wget, and almost everything else does? It seems that docker doesn’t do this, but wouldn’t that be the ‘correct’ solution? It’s a waste of time having to copy a CA certificate all over the place to make things work.
I also ran into this problem.
Don’t forget to chmod your CA certificate correctly. At least it worked for me. Would be awesome if there were any error for that. 🌹
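Two points from the comments above are easy to get wrong silently: the directory under certs.d must be named exactly as the registry is pulled from, port included (myregistry:5000), and the daemon must actually be able to read the files. The following shell script is an added example, not code from the moby project or from anyone in this thread; it checks a certs.d tree for those conditions using only the file names the issue mentions (ca.crt, client.cert, client.key). The function name and the layout root argument are my own choices, and the openssl parse step runs only when openssl is installed.

```shell
#!/bin/sh
# Added example: sanity-check the layout Docker expects under
# <root>/<host[:port]>/ before blaming the daemon.
# Usage: check_registry_certs /etc/docker/certs.d myregistry:5000

check_registry_certs() {
    root="$1"      # normally /etc/docker/certs.d
    hostport="$2"  # must match the pull reference, port included (e.g. myregistry:5000)
    dir="$root/$hostport"
    rc=0

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir (the name must include the port if you pull with one)"
        return 1
    fi

    # ca.crt must exist, be readable by the daemon's user, and be PEM.
    ca="$dir/ca.crt"
    if [ ! -f "$ca" ]; then
        echo "missing $ca"
        rc=1
    elif [ ! -r "$ca" ]; then
        echo "$ca exists but is not readable (check chmod/ownership)"
        rc=1
    elif ! grep -q '^-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "$ca is not a PEM-encoded certificate (no BEGIN CERTIFICATE header)"
        rc=1
    fi

    # client.cert and client.key are optional, but they come as a pair.
    if [ -f "$dir/client.cert" ] || [ -f "$dir/client.key" ]; then
        for f in client.cert client.key; do
            if [ ! -r "$dir/$f" ]; then
                echo "$dir/$f is missing or unreadable (client.cert and client.key go together)"
                rc=1
            fi
        done
        # A private key should not be world-readable; warn but do not fail.
        if [ -f "$dir/client.key" ] && [ -n "$(find "$dir/client.key" -perm -004 2>/dev/null)" ]; then
            echo "warning: $dir/client.key is world-readable"
        fi
    fi

    # If openssl is available, confirm the CA file parses as an X.509 certificate.
    if [ "$rc" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        if ! openssl x509 -in "$ca" -noout >/dev/null 2>&1; then
            echo "$ca does not parse as an X.509 certificate"
            rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "ok: $dir looks usable by the Docker daemon"
    return "$rc"
}
```

Run it as the same user the daemon runs as (normally root); a file that is readable to you but not to the daemon will pass the check and still fail at pull time.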