Setting up HTTPS access to a Docker registry
Issuing certificates
Using a self-signed certificate
Create the CA certificate
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt
Create the server certificate for the registry
Generate the private key
openssl genrsa -out registry.cslab.renbin.com.key 2048
Generate a certificate signing request (csr) from the private key
openssl req -new -key registry.cslab.renbin.com.key -out registry.cslab.renbin.com.csr
Use the local CA to issue the final certificate (crt) for that request
openssl x509 -req -in registry.cslab.renbin.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out registry.cslab.renbin.com.crt -days 9999
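The three-step chain above, as an added example that is not part of the original note: it issues the same CA and server certificate non-interactively, adds a subjectAltName for the registry hostname (Docker's Go TLS stack matches the hostname against the SAN, not the CN), and verifies the result against the CA before it is handed to the registry or copied to /etc/docker/certs.d. The hostname is taken from the note; the subject names and the output directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original note): build the CA + registry
# certificate chain with a SAN, then verify it with openssl.
set -e
HOST=registry.cslab.renbin.com   # registry hostname used in the note

make_chain() {
  dir="$1"
  mkdir -p "$dir"
  # CA key and self-signed CA cert (same as the note's first two commands)
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 36500 -key "$dir/ca.key" \
    -subj "/CN=Lab Registry CA" -out "$dir/ca.crt"
  # registry key and CSR; the CN is the registry hostname
  openssl genrsa -out "$dir/$HOST.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$HOST.key" -subj "/CN=$HOST" -out "$dir/$HOST.csr"
  # sign with the CA and add a subjectAltName: without it Docker rejects the
  # cert for hostname mismatch even when the CA is trusted
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$dir/san.ext"
  openssl x509 -req -in "$dir/$HOST.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 9999 -extfile "$dir/san.ext" -out "$dir/$HOST.crt"
}

# Returns 0 only if the registry cert chains to ca.crt and carries the
# hostname SAN; this is the check to run before touching Docker.
verify_chain() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$HOST.crt" >/dev/null &&
  openssl x509 -in "$dir/$HOST.crt" -noout -text | grep -q "DNS:$HOST"
}
```

Running `verify_chain` against a directory whose ca.crt did not sign the registry cert fails, which is the same trust failure Docker reports as "certificate signed by unknown authority".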
Create the registry
Start the docker registry and point it at the cert directory (the file names must match the certificate and key created above)
docker run -d \
-p 443:443 \
-v /root/registry-certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.cslab.renbin.com.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.cslab.renbin.com.key \
-v /usr/local/registry:/var/lib/registry \
--restart=always --name registry-https registry:2
On the Docker client, create the certificate directory and copy the certificates into a subdirectory named after the registry host
mkdir -p /etc/docker/certs.d
Contents of the cert directory
[root@renbin-new-4 ~]# tree /etc/docker/certs.d/
/etc/docker/certs.d/
`-- registry.cslab.renbin.com
|-- ca.crt
|-- client.cert
`-- client.key
Push an image to test
[root@renbin-new-4 ~]# docker push registry.cslab.renbin.com/alpine:latest
The push refers to repository [registry.cslab.renbin.com/alpine]
3e207b409db3: Pushed
latest: digest: sha256:39eda93d15866957feaee28f8fc5adb545276a64147445c64992ef69804dbf01 size: 528
If the registry certificate is not trusted by the client (the CA certificate is missing from /etc/docker/certs.d), the following error appears
Get https://registry.cslab.renbin.com/v2/: x509: certificate signed by unknown authority