.. _header-n35:

Enabling HTTPS access to a docker registry
==========================================

.. seealso::

   Reference: *Verify repository client with certificates* (Docker documentation)

.. _header-n39:

Issuing certificates
--------------------

.. _header-n40:

Using a self-signed certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. _header-n41:

Create the CA certificate
^^^^^^^^^^^^^^^^^^^^^^^^^

.. code:: shell

   # CA private key, then a self-signed CA certificate valid for 36500 days
   openssl genrsa -out ca.key 2048
   openssl req -new -x509 -days 36500 -key ca.key -out ca.crt

.. _header-n43:

Create a certificate for the client
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Generate the private key:

.. code:: shell

   openssl genrsa -out registry.cslab.renbin.com.key

Generate a certificate signing request (CSR) from the private key:

.. code:: shell

   # the Common Name (CN) you enter must be the registry hostname
   openssl req -new -key registry.cslab.renbin.com.key -out registry.cslab.renbin.com.csr

Use the local CA to issue the certificate (crt) for this request:

.. code:: shell

   openssl x509 -req -in registry.cslab.renbin.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out registry.cslab.renbin.com.crt -days 9999

.. _header-n50:

Using a Let’s Encrypt certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. _header-n83:

Managing certificates with certbot
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. code:: shell

   git clone https://github.com/letsencrypt/letsencrypt.git
   cd letsencrypt
   # standalone mode binds port 80/443 itself for the ACME challenge
   sudo ./certbot-auto certonly --standalone --email admin@example.com -d renbin.com -d registry.renbin.com

.. seealso::

   Reference: Let’s Encrypt

.. _header-n57:

Creating the registry
---------------------

Create the docker registry, specifying the certificate directory:

.. code:: shell

   # the certificate and key file names under /certs must match the files you generated above
   docker run -d \
     -p 443:443 \
     -v /root/registry-certs:/certs \
     -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
     -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.cslab.crt \
     -e REGISTRY_HTTP_TLS_KEY=/certs/registry.cslab.key \
     -v /usr/local/registry:/var/lib/registry \
     --restart=always --name registry-https registry:2

Create the certificate directory and copy the certificates:

.. code:: shell

   # the CA certificate (and client cert/key, if used) go into a subdirectory named after the registry host
   mkdir -p /etc/docker/certs.d

Contents of the certificate directory:

.. code:: shell

   [root@renbin-new-4 ~]# tree /etc/docker/certs.d/
   /etc/docker/certs.d/
   `-- registry.cslab.renbin.com
       |-- ca.crt
       |-- client.cert
       `-- client.key

Push an image to test:

.. code:: shell

   [root@renbin-new-4 ~]# docker push registry.cslab.renbin.com/alpine:latest
   The push refers to repository [registry.cslab.renbin.com/alpine]
   3e207b409db3: Pushed
   latest: digest: sha256:39eda93d15866957feaee28f8fc5adb545276a64147445c64992ef69804dbf01 size: 528

If the certificate is not trusted, the following error appears:

.. code:: shell

   Get https://registry.cslab.renbin.com/v2/: x509: certificate signed by unknown authority
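The following bash script is an added example, not part of the original page, that ties the CA, server-certificate and ``certs.d`` steps above together and checks the result offline before anything is mounted into the registry container. It goes beyond the page in one respect: the issued certificate carries a ``subjectAltName`` entry, which Go-based clients such as docker require (they ignore the Common Name). The function names, the ``-subj`` values, the validity periods and the staging directory are assumptions for the demo; the script never writes to ``/etc/docker``.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): build a private CA, issue a
# server certificate for the registry hostname with a SAN entry, verify the
# chain and hostname, and stage ca.crt in a certs.d-style layout.
# Usage: make_registry_certs ./certs registry.cslab.renbin.com
set -eu

make_registry_certs() {
  local dir="$1" host="$2"
  mkdir -p "$dir"
  # CA key and self-signed CA certificate (validity is an assumption)
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Private Registry CA" 2>/dev/null
  # Server key and CSR; CN set to the registry hostname as on the page
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/CN=$host" 2>/dev/null
  # Sign with the CA, adding subjectAltName so docker's Go TLS stack
  # accepts the hostname (CN alone is not enough)
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$dir/san.ext"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 825 \
    -extfile "$dir/san.ext" -out "$dir/$host.crt" 2>/dev/null
}

verify_registry_cert() {
  local dir="$1" host="$2"
  # Chain check: the server cert must validate against the CA in ca.crt.
  # A cert signed by some other CA fails here, which is the offline
  # equivalent of "x509: certificate signed by unknown authority".
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" 2>&1 \
    | grep -q ': OK$' || return 1
  # Hostname check: the registry name must appear as a DNS SAN
  openssl x509 -in "$dir/$host.crt" -noout -text 2>/dev/null \
    | grep -q "DNS:$host" || return 1
  return 0
}

stage_certs_d() {
  # Mirror the /etc/docker/certs.d/<host>/ layout under $root; only ca.crt
  # is needed for the client to trust the registry's server certificate.
  local dir="$1" host="$2" root="$3"
  mkdir -p "$root/$host"
  cp "$dir/ca.crt" "$root/$host/ca.crt"
  [ -f "$root/$host/ca.crt" ]
}
```

Run ``make_registry_certs`` once, then ``verify_registry_cert`` before copying files anywhere: if it fails, the registry container would start but every ``docker push`` would fail with the x509 error shown above, so the check saves a round of restarts. Swapping ``ca.crt`` for one from an unrelated CA makes the chain check fail, which is exactly the misconfiguration the error message reports.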