docker login self hosted registry = x509: certificate signed by unknown authority

Time:06-13

I am new to docker and trying to set up my registry for docker swarm.

I have three debian installations interacting with each other:

  • registry
  • website
  • database

Trying to set up my database separate from my website and my registry separate too.

My registry machine also hosts a website, let's say vmreg.com, managed by letsencrypt ssl certificates. I use this certificate to sign both my website and registry.

docker run -d --restart=always --name registry \
  -v $(pwd)/etc/letsencrypt/live/vmreg.com:/etc/letsencrypt/live/vmreg.com \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/letsencrypt/live/vmreg.com/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/etc/letsencrypt/live/vmreg.com/domain.key \
  -p 5000:5000 registry:2

On my database machine I can log in just fine: echo "password" | docker login -u username --password-stdin vmreg.com:5000

but on my website machine I get x509: certificate signed by unknown authority when I try to log in.

The only difference is that my website machine also has its own letsencrypt domain setup. I don't understand why I get this error. Is it a possible conflict?

Solutions I found online all talk about copying certificates, but 1) I have not copied any cert on my database machine and 2) I don't understand why I would need to copy certificates from the registry server to a client; that makes no sense to me because what happens when I renew my certs?

CodePudding user response:

"but on my website machine I get x509: certificate signed by unknown authority when I try to login"

I always had to follow "Verify repository client with certificates" when establishing a new Docker registry (usually one based on Nexus3 for instance).

That means:

# the directory name must match the registry address, including the port
/etc/docker/certs.d$ mkdir vmreg.com:5000
/etc/docker/certs.d$ cp /etc/letsencrypt/live/vmreg.com/domain.crt vmreg.com:5000/

CodePudding user response:

It looks like you're missing the latest certificate bundle, and LetsEncrypt had to update their root CA after their original provider's certificate expired. This is normally handled on Debian by running:

apt-get update
apt-get install ca-certificates

However, if that doesn't solve it, it may be because of older versions of Debian. See this SF post that describes how to solve it.
