如何使用Apache和CA证书配置Docker Registry V2?

时间:2016-01-26 19:13:10

标签: apache docker certificate docker-registry

我已经在谷歌搜索中读取了所有引用,并且无法使用CA签名证书访问我的注册表。这就是我所拥有的:

Apache代理(尝试了各种配置,其中没有一个对docker有任何影响):

  

listen dockerrepo.xxxxx.xxxxx.xxxxx.com:5000 https   ServerName dockerrepo.xxxxx.xxxxx.xxxxx.com

     

      SSLEngine on       SSLCertificateFile /etc/httpd/certs/DockerRepoCAKeyCert.crt       SSLCACertificateFile /etc/httpd/certs/DockerRepoCAKeyCert.crt       SSLCertificateKeyFile /etc/httpd/certs/DockerRepoCAKeyCert.crt       SSLCipherSuite AES128-SHA,AES256-SHA,AES128-GCM-SHA256,AES256-GCM-SHA384       SSLProtocol all -SSLv3 -SSLv2 -TLSv1 

Header always set "Docker-Distribution-Api-Version" "registry/2.0"
Header onsuccess set "Docker-Distribution-Api-Version" "registry/2.0"
RequestHeader set X-Forwarded-Proto "https"

ProxyPreserveHost on
ProxyPass   /v2 http://127.0.0.1:5000/v2
ProxyPassReverse /v2  http://127.0.0.1:5000/v2
     

     

      SSLEngine on       SSLCertificateFile /etc/httpd/certs/DockerRepoCAKeyCert.crt       SSLCACertificateFile /etc/httpd/certs/DockerRepoCAKeyCert.crt       SSLCertificateKeyFile /etc/httpd/certs/DockerRepoCAKeyCert.crt       SSLCipherSuite AES128-SHA,AES256-SHA,AES128-GCM-SHA256,AES256-GCM-SHA384       SSLProtocol all -SSLv3 -SSLv2 -TLSv1 

Header always set "Docker-Distribution-Api-Version" "registry/2.0"
Header onsuccess set "Docker-Distribution-Api-Version" "registry/2.0"
RequestHeader set X-Forwarded-Proto "https"

ProxyPreserveHost on
ProxyPass   /v2 http://127.0.0.1:5000/v2
ProxyPassReverse /v2  http://127.0.0.1:5000/v2
     

我启动了注册表:

  

= PROD注册表   版本2.1.1 =   docker load --input /home/docker/docker_${prod}-${ver}.tar   docker run -d --privileged = true -e GUNICORN_OPTS =" [ - preload]" -p 127.0.0.1:5000:5000 --restart = always -v / home / docker / certs:/ ce   rts -e REGISTRY_HTTP_TLS_CERTIFICATE = / certs / DockerRepoCACert.crt -e REGISTRY_HTTP_TLS_KEY = / certs / client-private-key-nopassphrase   .pem -v / home / docker / prodRepo / data:/ tmp / registry-dev --name docker-registry $ {prod}:$ {ver}

注册表和apache很好。当我推动时,我得到了这个:

  

[root @ dockerrepo dockerrepo:5000] #docker push dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/registry:2.1.1

     

推送指的是存储库[dockerrepo.internal.acp.arris.com:5000/registry](len:1)

     

无法ping注册表端点https://dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/v0/

     

v2 ping尝试失败,错误:获取https://dockerrepo.xxxxx.xxxxx.xxxx.com:5000/v2/:x509:证书签名   未知的权威

     

v1 ping尝试失败,错误:获取https://dockerrepo.xxxxx.xxxxxx.xxxxx.com:5000/v1/_ping:x509:由未知权限签署的证书

我尝试在所有组合中结合域名,中间/子证书和根证书,但我似乎无法使其发挥作用。我怀疑我做的事情很傻,但我看不清楚。任何帮助表示赞赏。

检查后,我意识到我没有将我的证书添加到CA信任。执行此操作后,我现在收到此错误:

  

[root @ dockerrepo anchors] #docker push dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/registry:2.1.1

     

推送指的是存储库[dockerrepo.xxxxx.xxxxx.xxxxx.com:5000/registry](len:1)

     

1e847b14150e:缓冲到磁盘

     

收到意外的HTTP状态:502代理错误

1 个答案:

答案 0 :(得分:0)

您确定CA证书位于主机上的以下目录中吗?

   /etc/docker/certs.d/<registry-host>:<registry-port>/
相关问题
最新问题