无法通过TLS推送到私有docker登录

问题描述 投票:0回答:1

我的路由器后面有QNAP NAS,具有公用IP 1.2.3.4。我有xxxx.yyyy.cz的证书。证书有效,我可以通过HTTPS到达NAS。我在NAS上安装了docker registry:2.7。这是容器环境配置:

REGISTRY_HTTP_ADDR  0.0.0.0:5443
REGISTRY_HTTP_TLS_CERTIFICATE   /certs/client.cert
REGISTRY_HTTP_TLS_KEY   /certs/client.key

我将端口转发5443设置为5443 TCP。在certs目录中有3个文件:

/certs # ls -al                                                                                                                                                                                
total 24                                                                                                                                                                                       
drwxrwxrwx    2 root     root          4096 Oct 20 17:02 .                                                                                                                                     
drwxr-xr-x    1 root     root          4096 Oct 20 17:01 ..                                                                                                                                    
-rwxrwxrwx    1 root     root          1688 Oct 20 16:42 ca.crt                                                                                                                                
-rwxrwxrwx    1 root     root          2060 Oct 20 16:42 client.cert                                                                                                                           
-rwxrwxrwx    1 root     root          1704 Oct 20 16:42 client.key

我能够通过curl或通过浏览器从注册表中获得响应:

$ curl --cacert Downloads/certs/ca.crt https://xxxx.yyyy.cz:5443/v2/_catalog ; echo $?
{"repositories":[]}
0

因此,我确保证书正确并且注册表运行正确。当我看到容器日志时,仍然收到此消息:

2019/10/20 17:51:10 http: TLS handshake error from 1.2.3.4:58164: tls: first record does not look like a TLS handshake
2019/10/20 17:51:30 http: TLS handshake error from 1.2.3.4:58334: tls: first record does not look like a TLS handshake
2019/10/20 17:51:50 http: TLS handshake error from 1.2.3.4:58498: tls: first record does not look like a TLS handshake
2019/10/20 17:52:11 http: TLS handshake error from 1.2.3.4:58654: tls: first record does not look like a TLS handshake
2019/10/20 17:52:31 http: TLS handshake error from 1.2.3.4:58810: tls: first record does not look like a TLS handshake
2019/10/20 17:52:51 http: TLS handshake error from 1.2.3.4:58982: tls: first record does not look like a TLS handshake
2019/10/20 17:53:12 http: TLS handshake error from 1.2.3.4:59136: tls: first record does not look like a TLS handshake

[当我尝试将某些内容推送到注册表时,我收到错误消息:

$ docker push xxxx.yyyy.cz:5443/myimage:latest
The push refers to repository [xxxx.yyyy.cz:5443/myimage]
Get https://xxxx.yyyy.cz:5443/v2/: x509: certificate signed by unknown authority

在docker日志中,我可以看到错误消息:

2019/10/20 18:43:28 http: TLS handshake error from 1.2.3.4:41632: remote error: tls: bad certificate

我使用了thisthis指令,但没有帮助。登录到容器后,我检查了证书文件sha256,它们没问题。

  1. 我如何在我的Docker注册表上使用TLS以及为什么它不接受TLS我的证书?
  2. 为什么它无法通过docker命令运行?
docker ssl https docker-registry
1个回答
0
投票

我对client.cert有问题。如[中提到的ca.crt,它还应包含here证书颁发者可能会向您提供中间证书。在这种情况下,您必须将证书与中间证书连接起来以形成证书捆绑包。您可以使用cat命令执行此操作:

cat domain.crt intermediate-certificates.pem > certs/domain.crt 

您可以使用证书包,就像在上一个示例中使用domain.crt文件一样。
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.