Docker Registry incorrectly claims an expired CA cert

I followed the Docker Registry installation docs precisely, and have a registry running on a remote Ubuntu VM. On that VM, the Docker container is running with the following command:

    docker run -d -p 5000:5000 --restart=always --name registry \
        -v `pwd`/auth:/auth \
        -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        -v `pwd`/certs:/certs \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
        -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
        registry:2

On the remote VM, I have the following directory structure:

    /home/myuser/
        certs/
            registry.crt
            registry.key
    /etc/docker/certs.d/myregistry.example.com:5000/
        ca.crt
        ca.key

The ca.crt is the same exact cert as ~/certs/registry.crt (just renamed); same goes for ca.key and registry.key being the same/just renamed. I created the ca* files per a suggestion from the error output you’ll see below.

I am almost 100% sure the CA cert is still valid, although any help ruling that out (e.g. how can I actually tell?) would be appreciated. When I start the container and look at the Docker logs, I don’t see any errors.

I then attempt to login from my local laptop (Mac):

    docker login myregistry.example.com:5000

It queries me for my username, password and email (although I don’t recall ever specifying an email when setting up Basic Auth). After entering these correctly (I have checked and double checked…) I get the following error:

    myuser@mymachine:~/tmp$docker login myregistry.example.com:5000
    Username: my_ciuser
    Password: 
    Email: myuser@example.com
    Error response from daemon: invalid registry endpoint https://myregistry.example.com:5000/v0/:
    unable to ping registry endpoint https://myregistry.example.com:5000/v0/ v2 ping attempt failed with error:
    Get https://myregistry.example.com:5000/v2/: x509: certificate has expired or is not yet valid
    v1 ping attempt failed with error: Get https://myregistry.example.com:5000/v1/_ping: x509:
    certificate has expired or is not yet valid. If this private registry supports only HTTP or
    HTTPS with an unknown CA certificate, please add 
    `--insecure-registry myregistry.example.com:5000` to the daemon's
    arguments. In the case of HTTPS, if you have access to the registry's CA
    certificate, no need for the flag; simply place the CA certificate
    at /etc/docker/certs.d/myregistry.example.com:5000/ca.crt

So from my perspective, I guess the following are possible:

• The CA cert is invalid (if so, why?!?)
• The CA cert is an intermediary cert (if so, how can I tell?)
• The CA cert is expired (if so, how do I tell?)
• This is a bad error message, and some other facet of the registry is not configured properly (if so, how do I troubleshoot further?)
• Perhaps my cert is not located in the correct place on the server, or doesn’t have the right permissions set (if so, where does the cert need to be?)
• Something else that I would never expect in a million years

Any ideas/thoughts?

One solution collected from the web for “Docker Registry incorrectly claims an expired CA cert”

As said in the error message:

    … In the case of HTTPS, if you have access to the registry’s CA
    certificate, no need for the flag; simply place the CA certificate
    at /etc/docker/certs.d/myregistry.example.com:5000/ca.crt

where myregistry.example.com:5000 is your CN with port.

You should copy your ca.crt into each Docker daemon host that will connect to your Docker Registry and put it in this folder: /etc/docker/certs.d/myregistry.example.com:5000/ca.crt

After this action you need to restart the Docker daemon, for example via sudo service docker stop && service docker start on CentOS (or call the similar procedure on your OS).
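The question asks "how can I actually tell?" whether the certificate is expired, not yet valid, or an intermediate, and the answer says which file the client daemon must trust. The script below is an added example, not code from the question, the answer, or the Docker project: it inspects the certificate and key the registry was started with, checks that they are within their validity window on the local clock, confirms the key belongs to the certificate, and (optionally, with network access) shows what the running registry actually serves so it can be compared with the ca.crt placed under /etc/docker/certs.d. It assumes openssl is on PATH; the file paths and host:port are placeholders taken from the question.

```shell
#!/bin/sh
# Added diagnostic script (not from the question or the answer above).
# Assumes: openssl on PATH; paths and host:port are placeholders.

# Print the fields the Docker daemon's trust decision depends on.
cert_info() {
  openssl x509 -in "$1" -noout -subject -issuer -startdate -enddate
  # CA:TRUE means the file can act as a trust anchor in certs.d. A
  # self-signed CA has issuer == subject; an intermediate has CA:TRUE but
  # a different issuer, so its own issuer would have to be trusted too.
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' || true
}

# 0 if the cert is valid right now on this machine's clock. 'openssl verify'
# checks both notBefore and notAfter; a self-signed cert verifies against
# itself, which is exactly the trust relationship certs.d/ca.crt sets up.
cert_is_current() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# 0 if the cert will still be valid N seconds from now; use a large N to
# catch an upcoming expiry before clients start failing.
cert_valid_after_seconds() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# 0 if the private key's public half equals the cert's public key. A mismatch
# breaks the registry's TLS setup rather than producing an expiry error, so
# this rules out one of the "something else" cases from the question.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Show what the running registry presents to clients (needs network access).
# Compare its dates and subject with the file copied into certs.d: a stale
# bind-mount or an old container can serve a cert that differs from disk.
served_cert_dates() {
  host="${1%%:*}"
  openssl s_client -connect "$1" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates
}

# Usage:
#   ./check_registry_cert.sh ~/certs/registry.crt ~/certs/registry.key myregistry.example.com:5000
if [ "$#" -ge 2 ]; then
  cert="$1"; key="$2"; host="${3:-}"
  # "not yet valid" is often clock skew between the laptop and the VM that
  # issued the cert, so print this machine's UTC time for comparison.
  echo "Local clock (UTC): $(date -u)"
  cert_info "$cert"
  if cert_is_current "$cert"; then
    echo "OK: cert is within its validity window on this clock"
  else
    echo "FAIL: cert is expired or not yet valid on this clock"
  fi
  cert_valid_after_seconds "$cert" 2592000 || echo "WARN: cert expires within 30 days"
  if key_matches_cert "$cert" "$key"; then
    echo "OK: private key matches cert"
  else
    echo "FAIL: private key does not match cert"
  fi
  [ -n "$host" ] && served_cert_dates "$host"
fi
```

Run it on the VM against ~/certs/registry.crt and ~/certs/registry.key first, then on the laptop against the copy in /etc/docker/certs.d/myregistry.example.com:5000/ca.crt; if the file checks pass on the VM but `cert_is_current` fails on the laptop, the two clocks disagree, and if `served_cert_dates` shows different dates from the file on disk, the container is not serving the certificate you think it is.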
