ssl - Can an insecure docker registry be given a CA signed certificate so that clients automatically trust it? -


currently, have set registry in following manner: 

docker run -d \   -p 10.0.1.4:443:5000 \   --name registry \   -v `pwd`/certs/:/certs \   -v `pwd`/registry:/var/lib/registry \   -e registry_http_tls_certificate=/certs/certificate.crt \   -e registry_http_tls_key=/certs/private.key \   registry:latest

using docker version 17.06.2-ce, build cec0b72

i have obtained certificate.crt, private.key, , ca_bundle.crt let's encrypt. , have been able establish https connections when using these certs on nginx server, without having explicitly trust certificates on client machine/browser.

is possible setup user experience docker registry similar of ca certified website being accessed via https, browser/machine trusts root ca , along chain, including certificates?

note:

i can of course specify certificate in clients docker files described in tutorial: https://docs.docker.com/registry/insecure/#use-self-signed-certificates . however, not adequate solution needs.

output of curl -v https://docks.behar.cloud/v2/:

*   trying 10.0.1.4... * tcp_nodelay set * connected docks.behar.cloud (10.0.1.4) port 443 (#0) * tls 1.2 connection using tls_ecdhe_rsa_with_aes_128_gcm_sha256 * server certificate: docks.behar.cloud * server certificate: let's encrypt authority x3 * server certificate: dst root ca x3 > /v2/ http/1.1 > host: docks.behar.cloud > user-agent: curl/7.54.0 > accept: */* >  < http/1.1 200 ok < content-length: 2 < content-type: application/json; charset=utf-8 < docker-distribution-api-version: registry/2.0 < x-content-type-options: nosniff < date: sun, 10 sep 2017 23:05:01 gmt <  * connection #0 host docks.behar.cloud left intact

short answer: yes. issue caused os not having build in trust of root certificates ssl certificate signed by. due age of os. see answer matt more information.

docker use the os provided ca bundle, certificates signed trusted roots should work without config.

let's encrypt certificates cross signed identtrust root certificate (dst root ca x3) ca bundles should trust certificates. lets encrypt root cert (isrg root x1) distributed not widespread due being more recent.

docker 1.13+ use host systems ca bundle verify certificates. prior 1.13 may not happen if have installed custom root cert. if use curl without tls warning docker commands should work same.


Comments

Post a Comment

Popular posts from this blog

resizing Telegram inline keyboard -

telegram's inline keyboard great feature lots of different use cases. inline buttons added list of items this: inline_keyboard = [[inlinekeyboardbutton(text="button", callback_data="button"), inlinekeyboardbutton(text="reset",callback_data="reset")]] inline_keyboard_markup = inlinekeyboardmarkup(inline_keyboard) update.message.reply_text("hi", reply_markup=inline_keyboard_markup) the above code adds 2 buttons each half width of chat screen. i know the normal keyboard button there resize_keyboard parameter somehow can used. my question is there way resize inline buttons ? example make full width or quarter width. unfortunately, can't now. :( you can suggest @botsupport , might add feature next version.
Read more

command line - How can a Python program background itself? -

consider following python command-line program. doesn't work because incomplete, think illustrates problem: #!/usr/bin/python3 import multiprocessing pool = multiprocessing.pool() task in expensive_iterator_with_user_interaction(): pool.call_async(expensive_computation, (task,)) pool.close() print("dear user, may press ctrl-z , bg script.") pool.join() thus, problem scripts needs user input while it's launching expensive parallel processes. there moment when user interaction not needed anymore. then, ask user background process shell actions. however, can achieved program itself? (side note: core of problem entanglement of user input firing “expensive computations”. therefore, cannot separate both in 2 scripts, , letting 1 spawning other daemon.) the command screen may you. use screen -l create new session , run application. after inputting data, can press " ctrl-a " , press " d " on keyboard detach session. now
Read more

php - "cURL error 28: Resolving timed out" on Wordpress on Azure App Service on Linux -

Image
my wordpress installation on azure app service on linux using custom docker container has slow response times. pages take around 20-40 seconds load. i have troubleshooting plugin installed indicates problem "curl error 28: resolving timed out after n milliseconds" when making requests following urls https://api.wordpress.org/core/version-check/1.7/ http://api.wordpress.org/core/version-check/1.7/ https://api.wordpress.org/plugins/update-check/1.1/ http://api.wordpress.org/plugins/update-check/1.1/ https://api.wordpress.org/themes/update-check/1.1/ http://api.wordpress.org/themes/update-check/1.1/ curl works fine on scm-site command line. example works ok. curl -x post http://api.wordpress.org/core/version-check/1.7/ edit if ssh container , run php code, works fine. <?php $url = 'http://api.wordpress.org/core/version-check/1.7/'; $fields = array( 'version' => urlencode('4.8.1'), 'php' => urlencode(
Read more