Docker registry with self signed cert?

russ.albert

14 Feb, 2018 09:33 PM

I am trying to test the Docker Container Registry feed using a private registry with a self-signed cert. I have added the cert to the Trusted Root Certificate Authorities on the server hosting Octopus Deploy (OD). I verified I can access the registry from IE on the OD server with no Cert errors - the cert is fully trusted by IE.

When I add the feed to OD and test I get the following error:

An error occurred while sending the request.
System.Net.Http.HttpRequestException

--Inner Exception--
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
System.Net.WebException
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)

--Inner Exception--
The remote certificate is invalid according to the validation procedure.
System.Security.Authentication.AuthenticationException
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)

What else do I need to do to get this to work? Does Octopus Deploy support self-signed certs for Docker Container Registry feeds?

I was able to get the test to work if I used http and the IP of the server hosting the registry.

  1. Support Staff 1 Posted by Lawrence Wilson on 19 Feb, 2018 05:21 AM

    Hi Russ,

    Thanks for getting in touch! I'm sorry to hear that you are seeing issues while using Docker Container Registry with a self-signed certificate, even though it's been successfully added to your Trusted Root Certificate Authorities store.

    One option which comes to mind could be to ensure that the certificate has been added to the Computer's certificate store; it may have been added to your local user's store perhaps.

    As a troubleshooting step, could you please download/export the self-signed certificate to a known location (e.g., c:\temp), then execute the command

    (Please change the values as necessary):

    certutil -f -urlfetch -verify C:\temp\my-ss-cert.crt

    In this troubleshooting exercise, you will not need to use the Private Key, so proceeding with just the crt/cer file will be just fine.

    I am interested to see if you notice any errors towards the bottom of the output from running this command.

    Kind Regards,
    Lawrence
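
The store check suggested in the reply above can also be scripted. The following PowerShell is an added example, not part of the original thread or of Octopus Deploy's tooling; the certificate path is the one used in the post, and `registry.example.internal` is a placeholder host name to replace with the host in the feed URL.

```powershell
# Added example. Change these values as necessary.
$CertPath     = 'C:\temp\my-ss-cert.crt'     # exported certificate (public part only)
$RegistryHost = 'registry.example.internal'  # placeholder: host name used in the feed URL

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Which Trusted Root store actually holds the certificate?
#    A process running under another account does not see the CurrentUser
#    store of the person who imported it; LocalMachine is visible to all.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $found = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    '{0,-26} {1}' -f $store, $(if ($found) { 'present' } else { 'absent' })
}

# 2. Validity period.
$now = Get-Date
"Valid {0} to {1}; in range now: {2}" -f $cert.NotBefore, $cert.NotAfter,
    ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)

# 3. Names in the certificate. A host name that is not listed also fails
#    validation, even when the certificate itself is trusted.
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
$sanText = if ($san) { $san.Format($false) } else { '(none)' }
"Subject: $($cert.Subject)"
"SAN:     $sanText"
# Loose text match only; wildcard entries are not evaluated here.
"Feed host listed: $(($sanText + $cert.Subject) -match [regex]::Escape($RegistryHost))"

# 4. Build the chain in machine context, so trust that exists only in the
#    current user's store does not mask a missing machine-level entry.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed: no CRL/OCSP to fetch
"Chain valid in machine context: $($chain.Build($cert))"
$chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
```

`present` under `Cert:\CurrentUser\Root` together with `absent` under `Cert:\LocalMachine\Root` is the situation the reply describes: the certificate is trusted for the interactive user but not machine-wide.
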

  2. 2 Posted by russ.albert on 19 Feb, 2018 03:54 PM

    Lawrence,

    Thanks for the response and information to check. I found a workaround to the problem that enables me to test Docker deployments:

    First, I used an HTTP URL for the External Feed. Then I used the Registry Path to enter the HTTPS path to the registry with the self-signed cert. The registry is configured on the Docker target host as an insecure registry, so it will not verify the cert.

    Since I only need this configuration to evaluate and test the Docker features, this will be fine. I will get a proper internal company cert for production. If I have any problems with this configuration I will raise another issue.

    Thanks,

    Russ

  3. Support Staff 3 Posted by Lawrence Wilson on 21 Feb, 2018 03:02 AM

    Hi Russ,
    Thanks for keeping in touch about this issue! I'm glad to hear that you have found a work-around which suits your environment.

    Please feel free to let me know if we can help with any other queries.

    Kind regards,
    Lawrence.
