x509: certificate is valid for , not www.myhostname.com while using external ip instead of static internal ip
Linux developer 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:24:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Server machine
Linux Pancakes 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:24:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Client and server docker version
Docker version 1.9.1, build a34a1d5
Server docker info
Containers: 20
Images: 209
Server Version: 1.9.1
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 249
Dirperm1 Supported: true
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 3.19.0-42-generic
Operating System: Ubuntu 14.04.3 LTS
CPUs: 8
Total Memory: 31.38 GiB
Name: server
ID: GJZC:TO3T:EFPD:XL6Z:XPVL:WYF5:4YKL:35OZ:OP2L:3Z46:WIOT:PFAV
WARNING: No swap limit support
Client docker info
Containers: 0
Images: 33
Server Version: 1.9.1
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 33
Dirperm1 Supported: true
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 3.19.0-42-generic
Operating System: Ubuntu 14.04.3 LTS
CPUs: 2
Total Memory: 4.79 GiB
Name: developer
ID: 7HPR:5JTW:UPXS:WYSV:QODX:YMEL:3S3R:H6KD:WQG5:AQHN:F7U2:3BAL
WARNING: No swap limit support
docker run command on server
docker run -d -p 5000:5000 --restart=always --name dockerRegistry \
-v /var/docker/registry/auth:/auth \
-v /var/docker/registry/data:/var/lib/registry \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /var/docker/registry/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2
Issue report
I am setting up a docker registry on my local server and trying to use a virtual machine within my local network to access it. I copied the ca.crt file into /etc/docker/certs.d/{IP of the server}:5000/ca.crt and it is working fine.
Since I will not always be home when I am using the server, I wanted to try to use the hostname that I newly bought. Let's call it www.myhostname.com.
When I try to log in to my docker registry with my host name I get an error.
I copied the ca.crt file from
/etc/docker/certs.d/{Local static IP of the server}:5000/ca.crt
to
/etc/docker/certs.d/www.myhostname.com:5000/ca.crt
but the console interface still complains that it is not there.
command:
docker login www.myhostname.com:5000
The error from the docker client interface:
Error response from daemon: invalid registry endpoint https://www.myhostname.com:5000/v0/: unable to ping registry endpoint https://www.myhostname.com:5000/v0/
v2 ping attempt failed with error: Get https://www.myhostname.com:5000/v2/: x509: certificate is valid for , not www.myhostname.com
v1 ping attempt failed with error: Get https://www.myhostname.com:5000/v1/_ping: x509: certificate is valid for , not www.myhostname.com. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry www.myhostname.com:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/www.myhostname.com:5000/ca.crt
logs in docker registry:
time="2016-01-05T22:34:08Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.5.2 instance.id=4c9e1c37-55ba-4bcd-a1d9-a45dd5fb9aa1 version=v2.2.1
time="2016-01-05T22:34:08Z" level=info msg="redis not configured" go.version=go1.5.2 instance.id=4c9e1c37-55ba-4bcd-a1d9-a45dd5fb9aa1 version=v2.2.1
time="2016-01-05T22:34:08Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.5.2 instance.id=4c9e1c37-55ba-4bcd-a1d9-a45dd5fb9aa1 version=v2.2.1
time="2016-01-05T22:34:08Z" level=info msg="Starting upload purge in 58m0s" go.version=go1.5.2 instance.id=4c9e1c37-55ba-4bcd-a1d9-a45dd5fb9aa1 version=v2.2.1
time="2016-01-05T22:34:08Z" level=info msg="listening on [::]:5000, tls" go.version=go1.5.2 instance.id=4c9e1c37-55ba-4bcd-a1d9-a45dd5fb9aa1 version=v2.2.1
#### Here I try to connect with the docker login command above ####
2016/01/05 22:36:27 http: TLS handshake error from 192.168.1.1:53971: remote error: bad certificate
2016/01/05 22:36:27 http: TLS handshake error from 192.168.1.1:53972: remote error: bad certificate
#### Here I successfully login with the static internal IP of the server ####
time="2016-01-05T22:37:06Z" level=warning msg="error authorizing context: basic authentication challenge for realm \"Registry Realm\": invalid authorization credential" go.version=go1.5.2 http.request.host="192.168.1.199:5000" http.request.id=a9d9639b-a3c2-4db9-a4d3-9a385a2b1ffc http.request.method=GET http.request.remoteaddr="192.168.1.196:53976" http.request.uri="/v2/" http.request.useragent="docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/3.19.0-42-generic os/linux arch/amd64" instance.id=4c9e1c37-55ba-4bcd-a1d9-a45dd5fb9aa1 version=v2.2.1
192.168.1.196 - - [05/Jan/2016:22:37:06 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/3.19.0-42-generic os/linux arch/amd64"
time="2016-01-05T22:37:06Z" level=info msg="response completed" go.version=go1.5.2 http.request.host="192.168.1.199:5000" http.request.id=2789de6c-f50c-4aad-ae30-2ff47a64d100 http.request.method=GET http.request.remoteaddr="192.168.1.196:53977" http.request.uri="/v2/" http.request.useragent="docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/3.19.0-42-generic os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=12.158762ms http.response.status=200 http.response.written=2 instance.id=4c9e1c37-55ba-4bcd-a1d9-a45dd5fb9aa1 version=v2.2.1
192.168.1.196 - - [05/Jan/2016:22:37:06 +0000] "GET /v2/ HTTP/1.1" 200 2 "" "docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/3.19.0-42-generic os/linux arch/amd64"
When I try to log in with my external IP
docker login w.x.y.z:5000
I get an error that suggests to me that the certificate is registered to the local static IP of the server itself.
x509: certificate is valid for {static IP of the server}, not {external IP of my network}.
I have also tried introducing a config.yml file with the http -> host: https://www.myhostname.com:5000 but that did not change anything.
I am all out of ideas and googling this issue has not returned me any result.
If you need any other information please let me know and I will provide it.
I think this issue is solved. When creating the crt file you get a prompt with country code, state, etc.
When I reached the common name I entered www.myhostname.com, and now I only get an error on the self-signed certificate. I will try tonight to set up a signed certificate to verify that this worked.
@sisso19 The error message is quite helpful here -- it indicates that you need to place the CA certificate (this is the cert that was used to sign your domain cert) into /etc/docker/certs.d/www.myhostname.com:5000/ca.crt
Or, you can add the CA for your self-signed cert to the list of trusted CAs for your distro.