Docker Registry incorrectly claims an expired CA cert
I followed the Docker Registry installation docs precisely, and have a registry running on a remote Ubuntu VM. On that VM, the Docker container is running with the following command:
docker run -d -p 5000:5000 --restart=always --name registry \
  -v `pwd`/auth:/auth \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
  registry:2
On the remote VM, I have the following directory structure:
/home/myuser/
    certs/
        registry.crt
        registry.key
/etc/docker/certs.d/myregistry.example.com:5000/
    ca.crt
    ca.key

ca.crt is the same exact cert as ~/certs/registry.crt (just renamed); same goes for registry.key being the same/just renamed. I created the ca* files per a suggestion from the error output you’ll see below.
I am almost 100% sure the CA cert is still valid, although any help ruling that out (e.g. how can I actually tell?) would be appreciated. When I start the container and look at the Docker logs, I don’t see any errors.
I then attempt to login from my local laptop (Mac):
docker login myregistry.example.com:5000
It queries me for my username, password and email (although I don’t recall ever specifying an email when setting up Basic Auth). After entering these correctly (I have checked and double checked…) I get the following error:
myuser@mymachine:~/tmp$ docker login myregistry.example.com:5000
Username: my_ciuser
Password:
Email: email@example.com
Error response from daemon: invalid registry endpoint https://myregistry.example.com:5000/v0/: unable to ping registry endpoint https://myregistry.example.com:5000/v0/
v2 ping attempt failed with error: Get https://myregistry.example.com:5000/v2/: x509: certificate has expired or is not yet valid
v1 ping attempt failed with error: Get https://myregistry.example.com:5000/v1/_ping: x509: certificate has expired or is not yet valid. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry myregistry.example.com:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
So from my perspective, I guess the following are possible:
- The CA cert is invalid (if so, why?!?)
- The CA cert is an intermediary cert (if so, how can I tell?)
- The CA cert is expired (if so, how do I tell?)
- This is a bad error message, and some other facet of the registry is not configured properly (if so, how do I troubleshoot further?)
- Perhaps my cert is not located in the correct place on the server, or doesn’t have the right permissions set (if so, where does the cert need to be?)
- Something else that I would never expect in a million years
One solution collected from the web for “Docker Registry incorrectly claims an expired CA cert”
As said in the error message:

… In the case of HTTPS, if you have access to the registry’s CA certificate, no need for the flag; simply place the CA certificate

myregistry.example.com:5000 – your CN with port.

You should copy your ca.crt into each Docker Daemon that will connect to your Docker Registry and put it in this folder:

After this action you need to restart the Docker daemon, for example via sudo service docker stop && service docker start on CentOS (or call a similar procedure on your OS).
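A small shell helper, added here as an example (it is not part of the question or the answer above), for the "how can I actually tell?" items in the question: it reports the validity verdict OpenSSL gives the file, whether the file is self-signed (a root CA) or a leaf/intermediate that still needs its issuer, and its SHA-256 fingerprint so the ca.crt installed under /etc/docker/certs.d/<host:port>/ can be compared with what the registry really serves. It assumes openssl is on the PATH and is run on the machine whose Docker daemon does the login, since that is the daemon that reads certs.d.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Assumes openssl is
# installed. Run it on the client that does `docker login`, against the
# ca.crt you installed under /etc/docker/certs.d/<host:port>/. Only ca.crt
# belongs there; the private key stays with the registry container.

# Validity window as a TLS client would judge it right now.
# Prints one of: valid, expired, not-yet-valid, other: <openssl message>
cert_validity_status() {
    out=$(openssl verify -partial_chain -CAfile "$1" "$1" 2>&1)
    case $out in
        *": OK"*)           echo valid ;;
        *"has expired"*)    echo expired ;;
        *"not yet valid"*)  echo not-yet-valid ;;
        *)                  echo "other: $out" ;;
    esac
}

# A root CA is self-signed: subject and issuer are identical. If they
# differ, the file is a leaf or intermediate and the client also needs
# the issuing CA in ca.crt (concatenate the chain, root included).
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# SHA-256 fingerprint of a PEM file, for comparing the installed ca.crt
# with what the registry actually serves (see served_cert_fingerprint).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate a live registry presents
# (needs network, so it is not exercised offline). Argument: host:port.
served_cert_fingerprint() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: sh check_ca.sh /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
if [ "${1:-}" ]; then
    echo "status: $(cert_validity_status "$1")"
    cert_is_self_signed "$1" && echo "self-signed CA" || echo "NOT self-signed"
    echo "sha256: $(cert_fingerprint "$1")"
    echo "client clock (UTC): $(date -u)"  # a skewed client clock raises the same x509 error
fi
```

If the fingerprint printed for the local ca.crt differs from the one served_cert_fingerprint returns for the registry, the file in certs.d is not the certificate the registry is actually using.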