Docker private registry - push with 'insecure-registry' still complains about 'unknown authority'

Time: 2016-07-05 16:29:43

Tags: docker docker-registry

I have a remote Docker registry set up. It has a Go Daddy SSL certificate installed.

If I curl it, I get an 'unknown authority' error:

curl https://example.com:5000/v2/

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none 
More details here: http://curl.haxx.se/docs/sslcerts.html

...

If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Then I curl with 'insecure':

curl -k https://example.com:5000/v2

I get

{} //which I guess is because there is nothing in the registry?

To check, I curled a non-existent endpoint:

curl -k https://example.com:5000/moo

404 page not found //which is positive, as it means the -k flag is suppressing the 'unknown authority' correctly

So, now that I know the registry can be reached via curl, I try to push an image using the Docker client:

docker push example.com:5000/my-image

The push refers to a repository [example.com:5000/my-image] 
unable to ping registry endpoint https://example.com:5000/v0/
v2 ping attempt failed with error: Get https://example.com:5000/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://example.com:5000/v1/_ping: x509: certificate signed by unknown authority

So I tried to work around the error by adding 'insecure-registry' to DOCKER_OPTS (as described here):

DOCKER_OPTS="--insecure-registry example.com:5000"

[restart docker daemon]

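It didn't work. I get the same 'unknown authority' warning.

First, why is the Go Daddy certificate not trusted? I have set one up on an nginx server and it works fine with the 'green bar' in browsers.

Second, how do I get 'insecure-registry' to work with Docker? Thanks

1 answer:

Answer 0: (score: 0)

OK, I got to the bottom of this.

It turns out I did not need to modify /etc/default/docker: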

DOCKER_OPTS="--insecure-registry example.com:5000"

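The problem was that the Go-Daddy certificate I installed on the registry also needed to have the intermediate certificates. I received the following from Go-Daddy: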

domain.crt
some-bundle.crt

You need to

cat bundle.crt >> domain.crt

so that the certificate chain is complete. Then everything works.
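
Added example, not part of the original answer: a shell script that reproduces the missing-intermediate failure with a constructed root, intermediate and leaf, then applies the answer's `cat` fix and verifies again. It assumes `openssl` is installed; `root.crt`, the "Demo" names and the helper functions are hypothetical.

```shell
#!/bin/sh
# Constructed demo PKI: root -> intermediate -> leaf. All names and files are
# throwaway test material, not the real Go Daddy chain.

new_csr() {  # $1 = dir, $2 = file basename, $3 = common name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_demo_pki() {  # $1 = empty working directory
    d=$1
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    # Root: stands in for the CA certificate already in the client's trust store.
    new_csr "$d" root "Demo Root"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    # Intermediate: stands in for the bundle file the CA ships with the leaf.
    new_csr "$d" int "Demo Intermediate"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/bundle.crt" 2>/dev/null
    # Leaf: the registry's own certificate, issued by the intermediate.
    new_csr "$d" domain "example.com"
    openssl x509 -req -in "$d/domain.csr" -CA "$d/bundle.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/domain.crt" 2>/dev/null
}

# Verify as a client that trusts only the root: every other certificate in the
# path has to come from the PEM file the server presents.
verifies() {  # $1 = trusted root, $2 = PEM file the server is configured with
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

report() {  # $1 = label, $2 = trusted root, $3 = server PEM file
    n=$(grep -c 'BEGIN CERTIFICATE' "$3")
    if verifies "$2" "$3"; then r="chain verifies"; else r="unknown authority"; fi
    echo "$1: $n certificate(s) in file, $r"
}

tmp=$(mktemp -d)
make_demo_pki "$tmp"
report "leaf only" "$tmp/root.crt" "$tmp/domain.crt"
cat "$tmp/bundle.crt" >> "$tmp/domain.crt"   # the fix from the answer
report "leaf + intermediate" "$tmp/root.crt" "$tmp/domain.crt"
rm -rf "$tmp"
```

The same `verifies` check can be pointed at a real certificate file before it is deployed to the registry, with the CA's root certificate as the first argument.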