cert-manager & docker-registry unknown authority

Created on 30 Apr 2019 · 7 Comments · Source: jetstack/cert-manager

Using cert-manager, docker-registry and NGINX in Kubernetes.

Created CA according to:
https://docs.cert-manager.io/en/latest/tasks/issuers/setup-ca.html

Setting up self signing Issuers according to:
https://docs.cert-manager.io/en/latest/tasks/issuers/setup-selfsigned.html

Certificates issued for my domain name.

Events:
  Type    Reason      Age                    From          Message
  ----    ------      ----                   ----          -------
  Normal  CertIssued  1m (x174857 over 19h)  cert-manager  Certificate issued successfully

Status:
  Conditions:
    Last Transition Time:  2019-04-30T06:01:19Z
    Message:               Signing CA verified
    Reason:                KeyPairVerified
    Status:                True
    Type:                  Ready

The NGINX ingress annotations for the docker-registry are updated:
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      certmanager.k8s.io/issuer: ca-issuer
      kubernetes.io/tls-acme: "true"

When trying to access the docker-registry:

From a pod within the cluster:
Docker login:

Error response from daemon: Get https://registry.example.com/v1/users/: x509: certificate signed by unknown authority

From my laptop:
Error response from daemon: Get https://registry.example.com/v2/: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"

Any ideas?

All 7 comments

I have the same problem.

Docker login:

Error response from daemon: Get https://registry.example.com/v2/: x509: certificate is valid for ingress.local, not registry.example.com

When you try to search, the following URL:
https://luhaoyuan.com/archives/84

It would have worked if added to args of nginx-ingress-controller, but it remains an error.
    extraArgs:
      default-ssl-certificate: default/registry.example.com-tls

thank you

solved.

https://github.com/docker/distribution/issues/1874#issuecomment-237194314

The following settings have been made on the host where Docker is running.

  1. Create or modify /etc/docker/daemon.json
    {"insecure-registries": ["registry.example.com"]}
  2. Restart docker daemon
    sudo service docker restart

thank you
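
The three Docker errors quoted in this thread point at three different faults, and only one of them is about CA trust. As an added example (not code from the thread or from cert-manager), this Python helper classifies each error line and decodes the escaped bytes in the laptop error as a TLS record. The function names are illustrative, and the `/etc/docker/certs.d/<registry-host>/ca.crt` path in the hint is Docker's per-registry CA location, which the thread itself does not mention.

```python
import re

CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

def go_unquote(s):
    """Undo Go's \\xNN escaping (the only escape handled here) to get raw bytes."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), s.encode("latin-1"))

def parse_tls_record(raw):
    """Parse a TLS record header; return None if raw does not look like one."""
    if len(raw) < 5 or raw[0] not in CONTENT_TYPES or raw[1] != 3:
        return None
    rec = {"type": CONTENT_TYPES[raw[0]], "version": (raw[1], raw[2]),
           "length": int.from_bytes(raw[3:5], "big")}
    if rec["type"] == "alert":
        body = raw[5:5 + rec["length"]]
        rec["level"] = ALERT_LEVELS.get(body[0]) if body else None
        # Error messages often cut the record short, so this may be missing.
        rec["description"] = body[1] if len(body) > 1 else None
    return rec

def triage(line):
    """Map one Docker client error line to (category, detail)."""
    m = re.search(r'malformed HTTP response "((?:[^"\\]|\\.)*)"', line)
    if m:
        # An HTTP parser was handed TLS bytes: HTTP and TLS are mismatched on the path.
        rec = parse_tls_record(go_unquote(m.group(1)))
        return ("tls-record-where-http-expected", rec) if rec else ("malformed-http", None)
    m = re.search(r"x509: certificate is valid for (.+?), not (\S+)", line)
    if m:
        # The server presented a certificate for other names (wrong cert served).
        served = [n.strip() for n in m.group(1).split(",")]
        return ("name-mismatch", {"served": served, "wanted": m.group(2)})
    if "x509: certificate signed by unknown authority" in line:
        # The chain may be fine; the client simply does not trust the issuing CA.
        return ("untrusted-ca",
                {"hint": "install the CA at /etc/docker/certs.d/<registry-host>/ca.crt"})
    return ("unclassified", None)

# Error lines copied from this thread.
SAMPLES = [
    r'Get https://registry.example.com/v1/users/: x509: certificate signed by unknown authority',
    r'Get https://registry.example.com/v2/: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"',
    r'Get https://registry.example.com/v2/: x509: certificate is valid for ingress.local, not registry.example.com',
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
```

Trusting the issuing CA on the Docker host addresses only the `untrusted-ca` case while keeping TLS verification on; the `name-mismatch` case has to be fixed on the ingress side, because the certificate being served is for a different name.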

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

@retest-bot: Closing this issue.


I have the same problem.

Docker login:

Error response from daemon: Get https://registry.example.com/v2/: x509: certificate is valid for ingress.local, not registry.example.com

When you try to search, the following URL:
https://luhaoyuan.com/archives/84

It would have worked if added to args of nginx-ingress-controller, but it remains an error.
    extraArgs:
      default-ssl-certificate: default/registry.example.com-tls

thank you

I've got the same issue, and I don't want to use the --insecure-repositories. Did you fix it? If yes, how? Thanks
