x509: certificate signed by unknown authority


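Hello everyone, I set up a private registry locally with SSL authentication. After setting it up I ran into a problem when using it, and I searched online without finding a final solution, so I am asking for help.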

The symptom is that ping is OK, but push or login reports an error.

My Docker version (the registry is the latest version):
root@pts/2 # docker version
Client version: 1.6.2
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): 7c8fca2
OS/Arch (client): linux/amd64
Server version: 1.6.2
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): 7c8fca2
OS/Arch (server): linux/amd64

The configuration is as follows:
root@pts/2 # cat /etc/sysconfig/docker|grep -v '#'
other_args=
DOCKER_CERT_PATH=/etc/docker
DOCKER_OPTS="--insecure-registry registry.youyuanlc.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"

The problems:
root@pts/0 # docker login -u www -p www -e "liuc1@youyuan.com" registry.youyuanlc.com/v1/_ping
FATA Error response from daemon: Server Error: Post https://registry.youyuanlc.com/v1/_ping/v1/users/: x509: certificate signed by unknown authority

root@pts/0 # docker push registry.youyuanlc.com/centos:youyuan

The push refers to a repository (len: 1)
Sending image list

Please login prior to push:
Username: www
Password:
Email: liuc1@youyuan.com
FATA Error response from daemon: Server Error: Post https://registry.youyuanlc.com/v1/users/: x509: certificate signed by unknown authority

The log shows:
time="2015-07-03T11:21:21+08:00" level=info msg="POST /v1.18/auth"
time="2015-07-03T11:21:21+08:00" level=info msg="+job auth()"
time="2015-07-03T11:21:21+08:00" level=info msg="+job resolve_index(registry.youyuanlc.com/v1/_ping)"
time="2015-07-03T11:21:21+08:00" level=info msg="-job resolve_index(registry.youyuanlc.com/v1/_ping) = OK (0)"
time="2015-07-03T11:21:21+08:00" level=error msg="unable to login against registry endpoint https://registry.youyuanlc.com/v1/_ping/v1/: Server Error: Post https://registry.youyuanlc.com/v1/_ping/v1/users/: x509: certificate signed by unknown authority"
Server Error: Post https://registry.youyuanlc.com/v1/_ping/v1/users/: x509: certificate signed by unknown authority
time="2015-07-03T11:21:21+08:00" level=info msg="-job auth() = ERR (1)"
time="2015-07-03T11:21:21+08:00" level=error msg="Handler for POST /auth returned error: Server Error: Post https://registry.youyuanlc.com/v1/_ping/v1/users/: x509: certificate signed by unknown authority"
time="2015-07-03T11:21:21+08:00" level=error msg="HTTP Error: statusCode=500 Server Error: Post https://registry.youyuanlc.com/v1/_ping/v1/users/: x509: certificate signed by unknown authority"

Please help, thanks.

tonybai_cn - Follows Go, Docker and Kubernetes


From the log, it is a CA certificate problem. How was the CA certificate /etc/pki/CA/cacert.pem obtained?

Ivan


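I ran into a similar problem before. Some experience, for reference:
<ol><li>First generate the root certificate (one certified by a certificate authority), then use the root certificate to generate the site certificate.</li><li>If it is a self-issued certificate, import the root certificate into /etc/ssl/certs/ca-bundle.crt.</li><li>You must access the registry by domain name. If it is not a public domain name (resolvable via DNS), define one yourself, add an alias for it in the client's /etc/hosts file, and use the domain name when accessing.</li></ol>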

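From your log, "certificate signed by unknown authority" looks like a self-issued certificate. A self-issued certificate is not trusted by Docker, so a secure connection cannot be established.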

小飞侠 - TenxCloud partner


Yes, it is very likely a certificate problem. And right, you must use a domain name; an IP will not work.
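
The checks discussed in the answers above, as an added example that is not part of the original thread: the error text comes from Go's crypto/x509, so this Go program builds a throwaway CA and server certificate in memory and verifies it three ways (CA absent from the trust pool, CA present, and access by IP against a certificate that only has a DNS name). The names `registry.example.test`, `Example Private CA` and the address `10.0.0.5` are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey; a nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Demo verifies a server certificate as a Go TLS client would (all names are constructed placeholders).
func Demo() (noRoot, withRoot, byIP error) {
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "Example Private CA"}}, nil, nil)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"registry.example.test"},
		Subject: pkix.Name{CommonName: "registry.example.test"}}, ca, caKey)
	empty, trusted := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(ca) // equivalent of importing the root certificate into the trust bundle
	_, noRoot = leaf.Verify(x509.VerifyOptions{Roots: empty, DNSName: "registry.example.test"})
	_, withRoot = leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: "registry.example.test"})
	_, byIP = leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: "10.0.0.5"}) // cert has no IP SAN
	return
}

func main() { fmt.Println(Demo()) }
```

The first result is the error from the question, the second is nil, and the third is a hostname error rather than a trust error, which separates the two failure causes named in the answers.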
