Error response from daemon: Get https://192.168.1.5/v2/: x509: certificate signed by unknown authority

I have a private docker registry set up and running. It is configured with a self-signed SSL certificate and works well.

I have managed to docker login from a remote machine, but first I had to copy the root CA to the client (Ubuntu 18.04 LTS) and update the ca-certificates:

cp ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

This works and I can log in no problems.

Now I have another client I want to access this private docker repository. It is a Jenkins server running in docker on another box. I have copied the ca.crt to this box also and followed the steps above. Even after restarting the docker container I still cannot log into docker.

Error response from daemon: Get https://192.168.1.5/v2/: x509: certificate signed by unknown authority

I am absolutely confused as I follow the steps on one Ubuntu box (18.04 LTS) and it works like a charm. But on the JENKINS container (Ubuntu Xenial 16.04) it gives this error.

What else can I check?

Upvotes: 0

Views: 2757

Answers (1)

Mega D-Ichi

Reputation: 11

Well, for me, I followed the official documentation about setting up Jenkins within a Docker container: https://www.jenkins.io/doc/book/installing/docker/#setup-wizard, and when I wanted to push my images built using Jenkins to my private registry (Harbor registry) I faced this problem of a self-signed certificate.

My environment is as follows: I have Docker Engine installed on my VM (RHEL8). I've defined a docker-compose file that contains 2 services:

  1. docker-dind: In order to execute Docker commands inside Jenkins nodes, this one is going to be built based on a Dockerfile like below:

Example of docker-dind Dockerfile:

FROM docker:dind

# Providing Harbor's and our CA's (our private registry) certs to Docker that is linked to Jenkins (docker:dind)

RUN mkdir -p /etc/docker/certs.d/my.private.registry
COPY certs/ /etc/docker/certs.d/my.private.registry
PS: your certs/ folder should contain:
       ├── my.private.registry.cert  <-- your Registry cert signed by your CA
       ├── my.private.registry.key   <-- your Registry key signed by your CA
       └── myRootCA.crt  <-- Certificate authority that signed the registry certificate

  2. jenkins-blueocean: the Jenkins docker container. This one is also based on a Dockerfile, as mentioned in the documentation. I've made a few changes so that the Jenkins instance will trust all the certs issued by my self-signed CA (in your Dockerfile, add the following lines):

Example of jenkins-blueocean Dockerfile

# These steps modify system trust stores, so they must run as root during the build
# Copying our self-signed CA's certs so Jenkins-OS, Jenkins-JVM, and Jenkins-git will use it in the chain of trust
COPY certs/myRootCA.crt     /usr/local/share/ca-certificates/

# importing your CA-cert to Java keystore (same file name as copied above)
RUN keytool -import -noprompt -trustcacerts -alias myRootCA -file /usr/local/share/ca-certificates/myRootCA.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

# update your system cert-store 
RUN update-ca-certificates

# config jenkins git to use your system store as a trusted one
RUN git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt

Now, run:

docker-compose up -d --build

It should fix the problem.

For more details about running Jenkins in a Docker container, check this: https://www.jenkins.io/doc/book/installing/docker/#setup-wizard

For more details about integrating your private registry so it can be used by Docker, check this (Harbor Registry):

https://goharbor.io/docs/2.1.0/install-config/configure-https/

Upvotes: 1
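
An added diagnostic example, not part of the question or the answer: the error is reported by the Docker daemon, so the CA has to be trusted in the filesystem that daemon runs in, either in its per-registry directory /etc/docker/certs.d/<registry>/ or in the system bundle written by update-ca-certificates. The script below reports both for a given filesystem root; the function names and the ROOT argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: report where a CA certificate is installed under a filesystem root.
# Usage (hypothetical file name): sh trust_report.sh / 192.168.1.5 ca.crt
# Run it on the host, and again inside each container that talks to the registry.

# Print the base64 body of a PEM file as one line (armor lines and whitespace removed).
pem_body() {
    grep -v '^-----' "$1" | tr -d ' \t\r\n'
}

# in_docker_certs_d ROOT REGISTRY CA_FILE
# Succeeds if ROOT/etc/docker/certs.d/REGISTRY/ holds a *.crt identical to CA_FILE.
# (Docker treats *.crt files in that directory as CA roots for that registry.)
in_docker_certs_d() {
    want=$(pem_body "$3")
    [ -n "$want" ] || return 1
    for f in "$1/etc/docker/certs.d/$2"/*.crt; do
        [ -f "$f" ] || continue
        [ "$(pem_body "$f")" = "$want" ] && return 0
    done
    return 1
}

# in_system_bundle ROOT CA_FILE
# Succeeds if the bundle produced by update-ca-certificates contains CA_FILE.
in_system_bundle() {
    bundle="$1/etc/ssl/certs/ca-certificates.crt"
    [ -f "$bundle" ] || return 1
    want=$(pem_body "$2")
    [ -n "$want" ] || return 1
    case "$(tr -d ' \t\r\n' < "$bundle")" in
        *"$want"*) return 0 ;;
        *) return 1 ;;
    esac
}

# trust_report ROOT REGISTRY CA_FILE: one summary line for both locations.
trust_report() {
    if in_docker_certs_d "$1" "$2" "$3"; then d=yes; else d=no; fi
    if in_system_bundle "$1" "$3"; then s=yes; else s=no; fi
    echo "docker_certs_d=$d system_bundle=$s"
}

if [ "$#" -eq 3 ]; then trust_report "$@"; fi
```

A result of `docker_certs_d=no system_bundle=no` inside the container whose daemon performs the login matches the "certificate signed by unknown authority" symptom, even when the same check on the host reports yes.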
