Docker registry login fails with “Certificate signed by unknown authority”

Question

I'm am running a private docker registry on ubuntu using S3 for storage. I'm having issues getting docker login/push/pull commands to work over SSL. I'm using Nginx in front of Gunicorn to run the registry. It works without any issues over HTTP, but after switching to HTTPS for a prod system, it throws the following error from the client docker login.

Invalid Registry endpoint:  x509: certificate signed by unknown authority 

I have purchased a rather cheap PositiveSSL certificate from Commodo to use for this. I have ensured the root CA and intermediate CA's are installed on the Ubuntu system running the registry. The following is my nginx configuration for the server

    # Default nginx site to run the docker registry

    upstream docker-registry {
      server localhost:5000;
    }

    server {
      listen 443;

      server_name docker.ommited.net;

      ssl on;
      ssl_certificate /etc/ssl/docker-registry.crt;
      ssl_certificate_key /etc/ssl/docker-registry.key;

      proxy_set_header Host       $http_host;   # required for docker client's sake
      proxy_set_header X-Real-IP  $remote_addr; # pass on real client's IP

      client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads


      location / {
        proxy_pass http://localhost:5000/;
      }
    }

I'm trying to figure out how to get docker to properly recognize the cert, or ignore the certificate warning. I'm running docker-registry version v0.7.3, the particular client I'm using is Docker version 1.1.2, build d84a070. on a side note, when visiting the registry in a browser, the cert is properly recognized. any help pointing me in the right direction would be greatly appreciated!

Answer 1

For cheap / lesser known certs like the COMODO or StartSSL ones, you need to add the entire certificate chain into the certificate file you are using with nginx. Many operating systems don't trust the intermediate CAs, just the root CA, so you need to fill in the missing steps between the certificate for your host and the root CA that is trusted by the OS.

In the e-mail you received your certificate with, you should also find links to the intermediate CAs and the root CA. Open the docker-registry.crt file, scroll to the bottom, and append the intermediate CAs and, finally, the root CA certificate for the PositiveSSL chain. Once you've done that, restart nginx. You should now be good to go.

Answer 2

For RHEL hosts, you can add the CA cert to the PKI CA list on the client host:

cp docker-registry.crt /etc/pki/ca-trust/source/anchors/docker-registry.crt
update-ca-trust
systemctl restart docker

From https://www.happyassassin.net/2014/09/06/adding-your-freeipa-servers-ca-certificate-to-the-system-wide-trust-store-on-fedora-and-rhel/

Answer 3

If you are on mac, simply add the registry to the insecure-registries setting in ~/.docker/daemon.json:

{
  "debug" : true,
  "experimental" : true,
  "registry-mirrors" : [],
  "insecure-registries" : ["registry.your.domain.de"]
}

In case you do a mistake somewhere (I forgot a comma in the JSON) some issues afterwards with starting up the docker daemon might arise. Namely any docker command throwing an Error response from daemon: Bad response from Docker engine. A few restarts and resets later that resolved itself.

Answer 4

If you are using letsencrypt and nginx, just change the ssl_certificate key from cert.pem to fullchain.pem.