使用let加密设置Docker注册表时找不到http://的求解器?

问题描述 投票:1回答:1

我尝试使用官方文档来设置私人注册表。

我的docker-compose.yml文件是

version: '3.0'

services:
  my-registry:
    image: registry:latest
    container_name: my-registry
    env_file:
      - registry_config
    volumes:
      - registry:/var/lib/registry
      - ./data/letsencrypt:/etc/letsencrypt
    ports:
      - "443:5000"
    restart: unless-stopped
volumes:
  registry:

registry_config文件为

REGISTRY_HTTP_ADDR=0.0.0.0:5000
REGISTRY_HTTP_HOST=https://my-domain.com:443
REGISTRY_HTTP_SECRET=my-secret
REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE=/etc/letsencrypt/cache.json
[email protected]
REGISTRY_HTTP_TLS_LETSENCRYPT_HOSTS=["my-domain.com"]

我有错误

my-registry    | 2019/10/31 14:36:54 [INFO][my-domain.com] acme: Obtaining bundled SAN certificate
my-registry    | 2019/10/31 14:36:55 [INFO][my-domain.com] acme: Could not find solver for: dns-01
my-registry    | 2019/10/31 14:36:55 [INFO][my-domain.com] acme: Could not find solver for: http-01
my-registry    | 2019/10/31 14:36:55 [INFO][my-domain.com] acme: Could not find solver for: tls-alpn-01

https://my-domain.comm/v2/_catalog之类的请求中,我有错误:

我的注册表| 2019/10/31 14:36:55 http:来自184.22.214.103:58383的TLS握手错误:map [my-domain.com:[my-domain.com] acme:无法确定求解器]

cache.json文件是

{
    "Email": "[email protected]",
    "Reg": {
        "body": {
            "resource": "reg",
            "id": 11111111,
            "key": {
                "kty": "EC",
                "crv": "P-384",
                "x": "abababab",
                "y": "abababab"
            },
            "contact": [
                "mailto:[email protected]"
            ],
            "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
        },
        "uri": "https://acme-v01.api.letsencrypt.org/acme/reg/11111111",
        "new_authzr_uri": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
        "terms_of_service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
    },
    "Key": "-----BEGIN EC PRIVATE KEY-----\ndfsfdsfqf3242423fwead3d2d\n-----END EC PRIVATE KEY-----\n",
    "Hosts": [
        "my-domain.com"
    ],
    "Certs": null
}

Certs键为空对我来说很奇怪

如何正确配置让我们加密的docker注册表?

docker docker-compose lets-encrypt docker-registry
1个回答
1
投票

这类似于docker/distribution/issue 2740,它指的是issue 2545(“禁用加密的tls-sni-01挑战。注册表映像不支持回退挑战”)

请参见LetsEncrypt challenge types

此挑战是在ACME的草案版本中定义的。它在端口443上进行了TLS握手,并发送了一个特定的SNI标头,以查找包含令牌的证书。因为它不够安全,所以它将为disabled in March 2019

Issue 2545 includes the workaround

我终于选择了cesanta/docker_auth,配置还不错。这使我可以按用户/设备设置角色和访问权限。

使用这些方法,我现在有一个私有的Docker注册表,该注册表自动由Let's Encrypt保护。最棒的是,它也得到了Amazon S3的支持,因此我可以销毁并重新创建容器,而不必担心丢失任何图像。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.