Question

I have a private Docker registry (using this image) running on a cloud server. I want to secure this registry with basic auth and SSL via nginx. But I am new to SSL and have run into some problems:

I created SSL certificates with OpenSSL like this:

openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout private.key -out certificate.crt

Then I copied both files to my cloud server and used them in nginx like this:

upstream docker-registry {
    server localhost:5000;
}

server {

    listen 443;
    proxy_set_header Host       $http_host;   
    proxy_set_header X-Real-IP  $remote_addr;

    ssl on;
    ssl_certificate /var/certs/certificate.crt;
    ssl_certificate_key /var/certs/private.key;

    client_max_body_size 0;
    chunked_transfer_encoding on;

    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/sites-enabled/.htpasswd;
        proxy_pass http://XX.XX.XX.XX;
    }
}

Nginx and the registry both start and run. I can go to my server in my browser, which presents me with a warning about my SSL certificate (so nginx runs and finds the SSL certificate), and when I enter my credentials I can see a ping message from the Docker registry (so the registry is also running).

But when I try to log in via Docker I get the following error:

vagrant@ubuntu-13:~$ docker login https://XX.XX.XX.XX
Username: XXX
Password:
Email:
2014/05/05 08:30:59 Error: Invalid Registry endpoint: Get https://XX.XX.XX.XX/v1/_ping: x509: cannot validate certificate for XX.XX.XX.XX because it doesn't contain any IP SANs

I know this exception means that I have no IP address of the server in my certificate, but is it possible to use the Docker client and ignore the missing IP?

EDIT:

If I use a certificate with the IP of the server it works. But is there any chance to use an SSL certificate without the IP?


Solution

It's a Go issue. Actually, it's a tech issue, and Go refused to follow the industry hack, which is why it's not working. See this: https://groups.google.com/forum/#!topic/golang-nuts/LjhVww0TQi4

Licensed under: CC-BY-SA with attribution