Docker push to Artifactory fails - unable to ping registry endpoint - ssl

I am using Artifactory backed up by nginx as the proxy server. The nginx load balancer is configured with SSL certs from a trusted authority. I created a local docker repo and need to push images but get the following error:
unable to ping registry endpoint https://myArtifactory.com/v0/
v2 ping attempt failed with error: Get https://myArtifactory.com/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://myArtifactory.com/v1/_ping: x509: certificate signed by unknown authority
I am using the following command to push images
docker push myArtifactory.com/ubuntu

Fixed this by adding the certificate to the docker client under /etc/docker/certs.d

Related

How to run remote code as user with certificate from a worker node

I created a user in the Master.
First I created a key and certificate for him: dan.key and dan.crt
Then I created it inside Kubernetes:
kubectl config set-credentials dan \
--client-certificate=/tmp/dan.crt \
--client-key=/tmp/dan.key
This is the ~/.kube/config:
users:
- name: dan
  user:
    as-user-extra: {}
    client-certificate: /tmp/dan.crt
    client-key: /tmp/dan.key
I want to be able to run commands from a remote worker as the user I created.
I know how to do it with service account token:
kubectl --server=https://192.168.0.13:6443 --insecure-skip-tls-verify=true --token="<service_account_token>" get pods
I copied the certificate and the key to the remote worker and ran:
[workernode tmp]$ kubectl --server=https://192.168.0.13:6443 --client-certificate=/tmp/dan.crt --client-key=/tmp/dan.key get pods
Unable to connect to the server: x509: certificate signed by unknown authority
I followed this question:
kubectl unable to connect to server: x509: certificate signed by unknown authority
I tried like he wrote:
kubectl proxy --address 0.0.0.0 --accept-hosts '.*'
But I am still receiving:
Unable to connect to the server: x509: certificate signed by unknown authority
I copied the certificate and the key to the remote worker and ran:
[workernode tmp]$ kubectl --server=https://192.168.0.13:6443 --client-certificate=/tmp/dan.crt --client-key=/tmp/dan.key get pods
Unable to connect to the server: x509: certificate signed by unknown authority
You were missing the critical piece of data telling kubectl how to trust the https: part of that request, namely --certificate-authority=/path/to/kubernetes/ca.pem
You didn't encounter that error while using --token=... because of the --insecure-skip-tls-verify=true which you should definitely, definitely not do.
I tried like he wrote:
kubectl proxy --address 0.0.0.0 --accept-hosts '.*'
But I am still receiving:
You have followed the wrong piece of advice from whatever article you were reading; that --accept-hosts flag only controls the remote hostnames from which kubectl proxy will accept connections, and has zero to do with SSL anythings.
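The error text in these questions is the message of Go's crypto/x509 UnknownAuthorityError, returned when the client's trust pool does not contain the issuer of the server's certificate. The following is an added example, not code from any of the posts; the loopback test server, its constructed certificate and the function names fetch and demo are assumptions for illustration. It shows the same HTTPS request failing with an empty pool and succeeding once the CA is supplied, which is the step that a ca.crt under /etc/docker/certs.d or kubectl's --certificate-authority performs:

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fetch does one HTTPS GET trusting only the CAs in roots. A non-nil pool
// replaces the system store, like handing the client an explicit CA file.
func fetch(url string, roots *x509.CertPool) error {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig:   &tls.Config{RootCAs: roots},
		DisableKeepAlives: true,
	}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo starts a loopback TLS server (constructed test certificate from
// net/http/httptest) and returns the client error without and with its CA.
func demo() (withoutCA, withCA error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // stands in for the registry or API endpoint
	}))
	defer srv.Close()

	empty := x509.NewCertPool() // client that was never given the CA
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate()) // self-signed, so it is its own CA

	return fetch(srv.URL, empty), fetch(srv.URL, trusted)
}

func main() {
	withoutCA, withCA := demo()
	fmt.Println("without CA:", withoutCA)
	fmt.Println("with CA:   ", withCA)
}
```

Hostname and expiry checks stay active in both requests; only the set of trusted issuers changes between them.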

Using SSL with docker containers

I am having trouble related to SSL certificates.
I have a server running a service in a docker container. I installed Caddy and got the SSL certificate for the site. Now, from another server I want to consume the service with HTTPS, but I get:
x509: certificate signed by unknown authority exit status 1
And, it seems to be a common issue when using docker + SSL. What should I do? Thanks
Install the ca-certificates package.

boot2docker behind proxy - certificate signed by unknown authority

I have installed DockerToolbox-1.12.0.exe on Windows 7. The corporate proxy provides its own certificate to do MITM.
I have configured boot2docker to use the proxy by exporting environment variables in .profile.
I am still not able to do
docker run hello-world
as I am getting - docker: Error while pulling image: Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority.
Please anyone help.

Tunnel Connection Failed error when logging into artifactory docker registry

We have created a private docker registry in artifactory.
Our artifactory is a standalone installation and has Nginx as a webserver.
SSL certificates are trusted and work fine.
On the docker client, I have copied the ca.crt to /etc/docker/certs.d/:5001/
While I am trying to log in or push images from my docker client, I see the error below.
[root@cds-dev-test ~]# docker login artifactory.host:5001
Username: raj
Password:
Email: raj@gmail.com
Error response from daemon: invalid registry endpoint
https://artifactory.host:5001/v0/: unable to ping registry endpoint
v2 ping attempt failed with error: Get https://artifactory.host:5001/v2/: Tunnel Connection Failed
v1 ping attempt failed with error: Get artifactory.host:5001/v1/_ping: Tunnel Connection Failed. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry artifactory.host:5001 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/artifactory.host:5001/ca.crt
My docker version is 1.9.1 and artifactory version 4.4.3.
It works when I use the --insecure-registry option but not the secure way. We have all trusted certs in place, still see the error.
I have tried using proxy settings on docker client and also without proxy... always the same error.
Any help guys?
I figured it out.
I have proxy settings under my docker daemon. I have added No_Proxy and it works fine.
FYI....
So people, if you are using a trusted CA cert and your network is behind a proxy, make sure your docker services file doesn't have proxy settings; if it does, add No-proxy=artifactory.host.
/etc/systemd/system/docker.service.d/http-proxy.conf
Thanks

docker pull gets me the error: "Download failed, retrying: x509: certificate signed by unknown authority"

So I am working behind a corporate proxy that uses its own, self-signed certificates.
What I did was edit ~/.curlrc so that it is configured to use my proxy, as well as setting the environment variables http_proxy and https_proxy.
Then I installed the proxy's ca certificate by moving it into \etc\ssl\certs and creating the link to its hash via ln -s my_ca.pem `openssl x509 -hash -noout -in my_ca.pem`.0.
So now I can curl and wget and everything works fine.
Next I created the directory /etc/systemd/system/docker.service.d and created a new file in it called http-proxy.conf:
[Service]
Environment="HTTP_PROXY=http://user:pass@proxy.corp.net:3128/" "HTTPS_PROXY=https://user:pass@proxy.corp.net:3128/"
After doing that docker search works as it should but I still cannot pull a container from the official registry.
systemctl status docker tells me: Download failed, retrying: x509: certificate signed by unknown authority
So I really don't know what else I can do for it to work. Maybe anybody on here has an idea?
EDIT
The full output of a docker pull call when running the docker daemon in debug mode:
DEBU[0092] Calling GET /v1.22/info
DEBU[0092] GET /v1.22/info
DEBU[0092] Calling POST /v1.22/images/create
DEBU[0092] POST /v1.22/images/create?fromImage=httpd%3Alatest
DEBU[0092] Trying to pull httpd from https://registry-1.docker.io v2
DEBU[0093] Increasing token expiration to: 0 seconds
DEBU[0094] Pulling ref from V2 registry: httpd:latest
DEBU[0094] pulling blob "sha256:7268d8f794c449e593d3a48f62e7e22b7c3a4b6e615caaf9494ec3cb2d48f503"
DEBU[0094] pulling blob "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
DEBU[0094] pulling blob "sha256:5d77cae53716e669a240114fc676b26cb052cb325078c869f884cab8a658be17"
ERRO[0095] Download failed, retrying: x509: certificate signed by unknown authority
ERRO[0095] Download failed, retrying: x509: certificate signed by unknown authority
ERRO[0095] Download failed, retrying: x509: certificate signed by unknown authority
...