I tried to set up a private registry following the official documentation.
My docker-compose.yml file is

```yaml
version: '3.0'
services:
  my-registry:
    image: registry:latest
    container_name: my-registry
    env_file:
      - registry_config
    volumes:
      - registry:/var/lib/registry
      - ./data/letsencrypt:/etc/letsencrypt
    ports:
      - "443:5000"
    restart: unless-stopped
volumes:
  registry:
```
The registry_config file is

```
REGISTRY_HTTP_ADDR=0.0.0.0:5000
REGISTRY_HTTP_HOST=https://my-domain.com:443
REGISTRY_HTTP_SECRET=my-secret
REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE=/etc/letsencrypt/cache.json
REGISTRY_HTTP_TLS_LETSENCRYPT_EMAIL=user@my-domain.com
REGISTRY_HTTP_TLS_LETSENCRYPT_HOSTS=["my-domain.com"]
```
I get the errors

```
my-registry | 2019/10/31 14:36:54 [INFO][my-domain.com] acme: Obtaining bundled SAN certificate
my-registry | 2019/10/31 14:36:55 [INFO][my-domain.com] acme: Could not find solver for: dns-01
my-registry | 2019/10/31 14:36:55 [INFO][my-domain.com] acme: Could not find solver for: http-01
my-registry | 2019/10/31 14:36:55 [INFO][my-domain.com] acme: Could not find solver for: tls-alpn-01
```
and on requests such as https://my-domain.com/v2/_catalog I get the error:

```
my-registry | 2019/10/31 14:36:55 http: TLS handshake error from 184.22.214.103:58383: map[my-domain.com:[my-domain.com] acme: Could not determine solvers]
```
The cache.json file is

```json
{
  "Email": "user@my-domain.com",
  "Reg": {
    "body": {
      "resource": "reg",
      "id": 11111111,
      "key": {
        "kty": "EC",
        "crv": "P-384",
        "x": "abababab",
        "y": "abababab"
      },
      "contact": [
        "mailto:user@my-domain.com"
      ],
      "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
    },
    "uri": "https://acme-v01.api.letsencrypt.org/acme/reg/11111111",
    "new_authzr_uri": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
    "terms_of_service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
  },
  "Key": "-----BEGIN EC PRIVATE KEY-----\ndfsfdsfqf3242423fwead3d2d\n-----END EC PRIVATE KEY-----\n",
  "Hosts": [
    "my-domain.com"
  ],
  "Certs": null
}
```
The Certs key being null looks odd to me.
How do I correctly configure a Let's Encrypt-enabled Docker registry?
This looks like docker/distribution issue 2740, which refers to issue 2545 ("Let's Encrypt disabled the tls-sni-01 challenge. The registry image does not support fallback challenges").
See the Let's Encrypt challenge types.
That challenge was defined in a draft version of ACME. It performs a TLS handshake on port 443 and sends a specific SNI header, looking for a certificate that contains the token. Because it was not secure enough, it was disabled in March 2019.
Issue 2545 includes the workaround:
I finally opted for cesanta/docker_auth, and the configuration is not bad. It lets me set roles and access per user/device. With that, I now have a private Docker registry automatically secured by Let's Encrypt. Best of all, it is also backed by Amazon S3, so I can destroy and recreate the container without worrying about losing any images.
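The log lines in the question and the `"Certs": null` in cache.json together form a recognisable signature of the problem the answer describes: the registry image's built-in Let's Encrypt client only knows the withdrawn tls-sni-01 challenge, so it rejects every other challenge type and then every client TLS handshake fails. The following POSIX shell script is an added example (not code from the question, the answer, or the docker/distribution project) that detects that signature in a saved container log and in the cache file. The file names, the `docker-compose logs` usage line, and the sample log and cache contents are constructed for the example; the client addresses are from the 203.0.113.0/24 documentation range and the key material is redacted.

```shell
#!/bin/sh
# Added example: recognise the "no ACME solver" failure of the registry
# image's built-in Let's Encrypt client. File names below are assumptions.
set -u

# Return 0 when the log shows the ACME client rejecting every challenge
# type it knows about; with tls-sni-01 withdrawn there is no way to validate.
acme_solver_missing() {
    log_file=$1
    grep -q 'acme: Could not find solver for: http-01' "$log_file" &&
        grep -q 'acme: Could not find solver for: tls-alpn-01' "$log_file"
}

# Return 0 when cache.json holds an ACME account key but no certificate,
# which is what "Certs": null in the question means.
cache_has_no_certs() {
    cache_file=$1
    grep -q '"Key": "-----BEGIN' "$cache_file" &&
        grep -q '"Certs": null' "$cache_file"
}

# Print how many client TLS handshakes failed because no solver could be
# chosen; each one is a /v2/ request, pull or push that got no certificate.
handshake_failures() {
    grep -c 'TLS handshake error from .*acme: Could not determine solvers' "$1" || true
}

# Combine the checks into one verdict; exit 0 when the signature is present.
diagnose() {
    log_file=$1
    cache_file=$2
    if acme_solver_missing "$log_file" && cache_has_no_certs "$cache_file"; then
        echo "registry's built-in Let's Encrypt client completed no challenge" \
             "($(handshake_failures "$log_file") TLS handshakes failed);" \
             "the tls-sni-01 challenge it relies on is no longer offered," \
             "see docker/distribution issue 2545 for the workaround"
        return 0
    fi
    echo "no missing-solver signature in $log_file / $cache_file"
    return 1
}

# Constructed sample inputs mirroring the question's output.
SAMPLE_DIR=${TMPDIR:-/tmp}/registry-le-check.$$
mkdir -p "$SAMPLE_DIR"
SAMPLE_LOG=$SAMPLE_DIR/registry.log
SAMPLE_CACHE=$SAMPLE_DIR/cache.json

cat > "$SAMPLE_LOG" <<'EOF'
my-registry | 2019/10/31 14:36:54 [INFO][my-domain.com] acme: Obtaining bundled SAN certificate
my-registry | 2019/10/31 14:36:55 [INFO][my-domain.com] acme: Could not find solver for: dns-01
my-registry | 2019/10/31 14:36:55 [INFO][my-domain.com] acme: Could not find solver for: http-01
my-registry | 2019/10/31 14:36:55 [INFO][my-domain.com] acme: Could not find solver for: tls-alpn-01
my-registry | 2019/10/31 14:36:55 http: TLS handshake error from 203.0.113.5:51000: map[my-domain.com:[my-domain.com] acme: Could not determine solvers]
my-registry | 2019/10/31 14:37:02 http: TLS handshake error from 203.0.113.9:51004: map[my-domain.com:[my-domain.com] acme: Could not determine solvers]
EOF

cat > "$SAMPLE_CACHE" <<'EOF'
{
  "Email": "user@my-domain.com",
  "Key": "-----BEGIN EC PRIVATE KEY-----\nREDACTED\n-----END EC PRIVATE KEY-----\n",
  "Hosts": ["my-domain.com"],
  "Certs": null
}
EOF

# Usage on a real deployment (assumed paths, matching the compose file above):
#   docker-compose logs --no-color my-registry > registry.log
#   diagnose registry.log ./data/letsencrypt/cache.json
diagnose "$SAMPLE_LOG" "$SAMPLE_CACHE"
```

The script deliberately matches the two fallback challenge types (http-01 and tls-alpn-01) rather than dns-01 alone, because a registry that could use either of those would not be stuck; a log that only lacks a dns-01 solver is normal. A cache.json whose `Certs` is populated is treated as healthy even if older solver messages remain in the log.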