Monday, August 28, 2017

Create a private docker registry with a self-signed cert

Disclaimer: Don't do this in production. :D

I have found myself needing to have my own registry so that I could see its internal debug log. It's easy enough to spin up a registry locally and use it with loopback and the --insecure-registry flag -- but I want to use TLS. And I want to use a self-signed cert. And I want to use an IP address instead of a hostname. And I want a pony (j/k, a kitten. j/k, 3 kittens).

The doc that I found didn't tell me about the /etc/docker/certs.d/<host>:<port>/ part of all this. And it was a pain for me to get the IP SAN working (not going to explain the embarrassing mistake I made there).

So here is my dirty dirty cheat sheet for next time:

create a cert with an IP SAN (Subject Alternative Name, not Storage Area Network):

$ cp /etc/pki/tls/openssl.cnf .   # location may vary
$ vi openssl.cnf

# uncomment
req_extensions = v3_req

# Modify the v3_req section as follows:
[ v3_req ]
subjectAltName = @alt_names
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[alt_names]
IP.1 = 192.168.1.2
IP.2 = 10.53.10.1

--

For just one IP, you can simply use
subjectAltName = IP:10.53.10.1
(removing the alt_names section)

--

# then run:
$ openssl req -x509 -nodes -days 730 -newkey rsa:4096 -keyout certs-dir/domain.key -out certs-dir/domain.crt -config openssl.cnf -sha256

(If that doesn't work, add `-extensions v3_req`)

--

# [optional sanity-check] confirm IPs in cert:
$ openssl x509 -text -in certs-dir/domain.crt -noout | grep "IP Address"

# run the registry and bind-mount in the cert + key:

$ docker run -dit -p 5000:5000 --name registry -v "$(pwd)/certs-dir":/certs -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" registry:2

$ export DOMAIN_NAME=192.168.1.2

# load the cert system-wide (fetched from the running registry):
$ openssl s_client -connect $DOMAIN_NAME:5000 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee /etc/pki/ca-trust/source/anchors/$DOMAIN_NAME.crt

$ sudo update-ca-trust

# load the cert into docker's config (the directory name must be <host>:<port>):
$ sudo mkdir -p /etc/docker/certs.d/$DOMAIN_NAME:5000
$ openssl s_client -connect $DOMAIN_NAME:5000 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee /etc/docker/certs.d/$DOMAIN_NAME:5000/ca.crt

$ sudo /bin/systemctl restart docker.service

# verify again
$ openssl x509 -text -in /etc/pki/ca-trust/source/anchors/$DOMAIN_NAME.crt -noout | grep "IP Addr"

$ docker start registry

# tag a local image for the registry, then push it over TLS:
$ docker tag hello-world $DOMAIN_NAME:5000/hello-world
$ docker push $DOMAIN_NAME:5000/hello-world
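The cert-with-IP-SAN step and the sanity-check above, as an added example that is not part of the original post: a small POSIX shell helper that writes its own throwaway openssl config (instead of editing the system openssl.cnf), issues the self-signed cert with any number of IP SANs, and checks that a given IP really is a SAN entry and that the key and cert belong together. It assumes openssl is on PATH; the IPs, the certs-dir layout and the "private-registry" CN are sample values.

```shell
#!/bin/sh
# Added example (not the post's own code): self-signed registry cert with IP SANs.
# Assumes openssl on PATH; all IPs and the CN below are constructed sample values.
set -eu

# make_ip_cert DIR IP... : writes DIR/domain.key and DIR/domain.crt
make_ip_cert() {
  dir=$1; shift
  mkdir -p "$dir"
  nl='
'
  san=""; i=1
  for ip in "$@"; do
    san="${san}IP.${i} = ${ip}${nl}"      # one [alt_names] entry per IP
    i=$((i + 1))
  done
  cat > "$dir/openssl.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[ dn ]
CN = private-registry
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
${san}
EOF
  # rsa:2048 keeps this quick; the cheat sheet above uses rsa:4096
  openssl req -x509 -nodes -days 730 -newkey rsa:2048 -sha256 \
    -keyout "$dir/domain.key" -out "$dir/domain.crt" \
    -config "$dir/openssl.cnf" >/dev/null 2>&1
}

# cert_has_ip CRT IP : succeeds only if IP is an exact SAN entry
cert_has_ip() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # so 10.53.10.1 cannot match 10.53.10.10
  openssl x509 -in "$1" -noout -text | grep -Eq "IP Address:${esc}(,|$)"
}

# key_matches_cert KEY CRT : catches a mismatched pair before it is bind-mounted
key_matches_cert() {
  [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -modulus)" ]
}
```

Run `make_ip_cert certs-dir 192.168.1.2 10.53.10.1` and then `cert_has_ip certs-dir/domain.crt 192.168.1.2` to reproduce the grep "IP Address" check from the cheat sheet.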

--

Saturday, April 15, 2017

DockerCon 2017: Multi-Arch Resources

A huge shout-out to everyone who came to our DockerCon talk! Here is a short list of resources if you'd like to get started on a multi-arch journey.
Thanks,

- Christy & Chris