Docker Private Registry: x509: certificate signed by unknown authority


Problem description

I am attempting to setup a private docker registry, secured by a reverse nginx proxy that validates users by client certificates.

The error I am getting is:

x509: certificate signed by unknown authority

According to the documentation, you are supposed to be able to add certificates into /etc/docker/certs.d/, and I have done so. Docker appears to see the location of the certificate:


EBU[0015] Calling POST /v1.24/images/create?fromImage=docker.squadwars.org%2Froster&tag=latest
DEBU[0015] hostDir: /etc/docker/certs.d/docker.squadwars.org
DEBU[0015] cert: /etc/docker/certs.d/docker.squadwars.org/client.cert
DEBU[0015] key: /etc/docker/certs.d/docker.squadwars.org/client.key
DEBU[0015] crt: /etc/docker/certs.d/docker.squadwars.org/docker.squadwars.org.crt
DEBU[0015] hostDir: /etc/docker/certs.d/docker.squadwars.org
DEBU[0015] cert: /etc/docker/certs.d/docker.squadwars.org/client.cert
DEBU[0015] key: /etc/docker/certs.d/docker.squadwars.org/client.key
DEBU[0015] crt: /etc/docker/certs.d/docker.squadwars.org/docker.squadwars.org.crt
DEBU[0015] Trying to pull docker.squadwars.org/roster from https://docker.squadwars.org v2
WARN[0015] Error getting v2 registry: Get https://docker.squadwars.org/v2/: x509: certificate signed by unknown authority
ERRO[0015] Attempting next endpoint for pull after error: Get https://docker.squadwars.org/v2/: x509: certificate signed by unknown authority

I also tried renaming the cert file from mydomain.org to simply 'ca.crt', which the debug log again shows it seeing, but it didn't have any effect.

I am able to use curl like so:

curl --key client.key --cert client.cert https://docker.squadwars.org/

I can also add the --cacert option to curl, either way works.

The docker documentation says that if you still have problems, you should add the certificate at the OS level. I have done so according to the instructions:

(Which is probably why I don't need -cacert with curl, although I'm confused because I've since removed the certificate but curl still works)

This is driving me nuts, any help would be greatly appreciated!

Edit: I forgot to add that initially I had the FQDN of the certificate wrong, but it is now 'docker.squadwars.org'

Recommended answer

I got it working by creating my own certificate authority first as outlined here:

How to create a self-signed certificate with openssl?

and here:

How to sign a certificate signing request with a certificate authority?

I'd like to be able to give a better answer but I was following the instructions here:

https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/

And it wasn't working for me. Except for the part about signing the client key. That worked.
