Origin: Unable to login to docker register with x509 certificate signed by unknown authority error

Created on 20 Dec 2018 · 7 Comments · Source: openshift/origin

I installed OKD with ansible-playbook, and I want to push/pull docker images from another machine using the public docker-registry host. I followed the hint in the atomic registry web console:

Log into the registry: 
$ sudo docker login -p w4cu5RvMdI1TAaQXshjdtNCgSgPkkopifwKz6F8_1EA -e unused -u unused docker-registry-default.master.openshift.me

Log into OpenShift command line tools: 
$ oc login --token w4cu5RvMdI1TAaQXshjdtNCgSgPkkopifwKz6F8_1EA master.openshift.me:8443

But I get an x509: certificate signed by unknown authority error when I execute the docker login command.

Next I followed this page to add a registry.crt to /etc/docker/cert.d/docker-registry-default.master.openshift.me/:

https://access.redhat.com/solutions/3654811

It is still unable to log in.

Moreover, why is the value of param '-u' 'unused'? Is that normal?

Version

openshift v3.11.0+62803d0-1
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

docker-1.13.1-87.git07f3374.el7.x86_64

Steps To Reproduce

Installed OKD with ansible

$ oc get po,svc,route

NAME                           READY     STATUS    RESTARTS   AGE
pod/docker-registry-1-ksr45    1/1       Running   2          1h
pod/registry-console-1-h9hch   1/1       Running   2          1h
pod/router-2-jdx6j             1/1       Running   0          30m

NAME                       TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                   AGE
service/docker-registry    ClusterIP   172.30.16.246   <none>        5000/TCP                  1h
service/kubernetes         ClusterIP   172.30.0.1      <none>        443/TCP,53/UDP,53/TCP     1h
service/registry-console   ClusterIP   172.30.4.22     <none>        9000/TCP                  1h
service/router             ClusterIP   172.30.23.27    <none>        80/TCP,443/TCP,1936/TCP   1h

NAME                                        HOST/PORT                                        PATH      SERVICES           PORT      TERMINATION   WILDCARD
route.route.openshift.io/docker-registry    docker-registry-default.master.openshift.me              docker-registry    <all>     passthrough   None
route.route.openshift.io/registry-console   registry-console-default.master.openshift.me             registry-console   <all>     passthrough   None

add registry.crt to /etc/docker/cert.d/.........

Current Result
$ sudo docker login -p w4cu5RvMdI1TAaQXshjdtNCgSgPkkopifwKz6F8_1EA -e unused -u unused docker-registry-default.master.openshift.me

Error response from daemon: Get https://docker-registry-default.master.openshift.me/v1/users/: x509: certificate signed by unknown authority

All 7 comments

@lrx0014 did you solve this? Having same issue.. thanks

@spock123
I copied the path /etc/docker/cert.d/docker-registry.default.svc:5000 to /etc/docker/cert.d/docker-registry-default.master.openshift.me

and the docker-registry-default.master.openshift.me is the public address of my openshift docker registry, then the docker login command returned "login success"

Thank you, yes I resolved it the same way.

Thanks

On Wed, Mar 27, 2019, 03:29 Renxiang notifications@github.com wrote:

@spock123
I copied the path /etc/docker/cert.d/docker-registry.default.svc:5000 to /etc/docker/cert.d/docker-registry-default.master.openshift.me

and the docker-registry-default.master.openshift.me is the public address of my openshift docker registry, then the docker login command returned "login success"


@spock123
I copied the path /etc/docker/cert.d/docker-registry.default.svc:5000 to /etc/docker/cert.d/docker-registry-default.master.openshift.me

and the docker-registry-default.master.openshift.me is the public address of my openshift docker registry, then the docker login command returned "login success"

Sorry, I'm having the same issue. I still don't understand. What did you actually do?
Copy the certificate to docker-registry-default.master.openshift.me?

@gielvandanu

First you generate a certificate on the registry (modify to use your service/server names instead of mine).
In the following, my registry service is at registry.testcloud.oresundsbron and the host of the registry is njord.oresundsbron.com

oc adm ca create-server-cert \
    --signer-cert=/etc/origin/master/ca.crt \
    --signer-key=/etc/origin/master/ca.key \
    --signer-serial=/etc/origin/master/ca.serial.txt \
    --hostnames='registry.testcloud.oresundsbron.com,njord.oresundsbron.com,docker-registry-default.testcloud.oresundsbron.com,10.49.1.12' \
    --cert=/etc/secrets/registry.crt \
    --key=/etc/secrets/registry.key

Then you copy the generated certificate file /etc/origin/master/ca.crt to your docker client machine at /etc/docker/certs.d/docker-registry-default.testcloud.oresundsbron.com

Restart the docker service on the client machine so the new certificate is registered

Get a token from the registry:

oc login
oc whoami -t  

Now login to your registry from the client machine:

docker login -u <your-oc-login-name> -p <token-from-whoami> docker-registry-default.testcloud.oresundsbron.com

Hope this helps.. if you ask me it's a mess
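
An added example, not part of the thread and not OpenShift or Docker project code: a client-side check of the trust directory the steps above rely on. Docker loads registry CA files only from `/etc/docker/certs.d/<registry host[:port]>/*.crt`; the function names and the `DOCKER_ETC` parameter are assumptions made for this sketch.

```shell
#!/bin/sh
# check_registry_trust REGISTRY [DOCKER_ETC]
#   REGISTRY    host[:port] exactly as given to `docker login`
#   DOCKER_ETC  Docker config root (default /etc/docker); a parameter so the
#               check can also be pointed at a scratch directory
# Prints one finding per line; returns 0 only if a usable CA file is in place.
check_registry_trust() {
    registry=$1
    etc=${2:-/etc/docker}
    dir="$etc/certs.d/$registry"
    # Docker reads certs.d only; a look-alike directory is silently ignored.
    if [ -d "$etc/cert.d" ]; then
        echo "WARN: $etc/cert.d exists, but Docker reads $etc/certs.d"
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: missing directory $dir"
        return 1
    fi
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in
            *.crt)  # CA roots: must be PEM and end in .crt
                if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
                    echo "OK: CA file $f"
                    found=1
                else
                    echo "FAIL: $f is not a PEM certificate"
                fi ;;
            *.cert|*.key) ;;  # client certificate pair, not a CA root
            *) echo "WARN: $f is ignored (CA files must end in .crt)" ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "FAIL: no PEM *.crt file in $dir"; return 1; }
    return 0
}

# verify_live REGISTRY CAFILE  (needs network access and the openssl CLI)
# Succeeds only if CAFILE validates the chain and host name that the
# registry actually presents on its TLS port (443 when no port is given).
verify_live() {
    host=${1%%:*}
    port=${1#*:}
    [ "$port" = "$1" ] && port=443
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$2" -verify_hostname "$host" -verify_return_error \
        </dev/null >/dev/null 2>&1
}
```

Run `check_registry_trust <registry-host>` on the client before `docker login`; if it passes but login still fails, `verify_live` shows whether the copied CA is the one that signed the certificate the route serves.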

@spock123 thank you. it works!!

@gielvandanu that's great to hear! Super!!!
