我严格遵循了 Docker 注册表安装文档,并在远程 Ubuntu 虚拟机上运行了一个注册表。在该虚拟机上,Docker 容器正在使用以下命令运行:
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
registry:2
在远程虚拟机上,我有以下目录结构:
/home/myuser/
certs/
registry.crt
registry.key
/etc/docker/certs.d/myregistry.example.com:5000/
ca.crt
ca.key
ca.crt
与 ~/certs/registry.crt
完全相同(刚刚重命名); ca.key
和 registry.key
相同/只是重命名。我根据您将在下面看到的错误输出中的建议创建了 ca*
文件。
我几乎 100% 确定 CA 证书仍然有效,尽管任何帮助排除这一点(例如我实际上如何判断?)将不胜感激。当我启动容器并查看 Docker 日志时,我没有看到任何错误。
然后我尝试从本地笔记本电脑 (Mac) 登录:
docker login myregistry.example.com:5000
它会询问我的用户名、密码和电子邮件(尽管我不记得在设置基本身份验证时曾指定过电子邮件)。正确输入这些内容后(我已经检查并仔细检查过......),我收到以下错误:
myuser@mymachine:~/tmp$docker login myregistry.example.com:5000
Username: my_ciuser
Password:
Email: [email protected]
Error response from daemon: invalid registry endpoint https://myregistry.example.com:5000/v0/:
unable to ping registry endpoint https://myregistry.example.com:5000/v0/ v2 ping attempt failed with error:
Get https://myregistry.example.com:5000/v2/: x509: certificate has expired or is not yet valid
v1 ping attempt failed with error: Get https://myregistry.example.com:5000/v1/_ping: x509:
certificate has expired or is not yet valid. If this private registry supports only HTTP or
HTTPS with an unknown CA certificate, please add
`--insecure-registry myregistry.example.com:5000` to the daemon's
arguments. In the case of HTTPS, if you have access to the registry's CA
certificate, no need for the flag; simply place the CA certificate
at /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
所以从我的角度来看,我认为以下是可能的:
CA 证书无效(
...在 HTTPS 的情况下,如果您有权访问注册表的 CA 证书,无需旗帜;只需
放置 CA 证书 在 /etc/docker/certs.d/myregistry.example.com:5000/ca.crtwhere
myregistry.example.com:5000
- 您的 CN 和端口。
您应该将
ca.crt
复制到将连接到 Docker 注册表的每个 Docker 守护进程中,并将其放入此文件夹中:
/etc/docker/certs.d/myregistry.example.com:5000/ca.crt
执行此操作后,您需要重新启动 Docker 守护进程,例如,在 CentOS 上通过
sudo service docker stop && service docker start
(或在您的操作系统上调用类似的过程)。