Problem phenomenon:
Possible cause analysis:

On Linux, use date to check the current time and compare it with the validity period of the certificate to find the specific reason, which is one of the following two:

1. The time of this machine is wrong;
2. The registry's certificate has indeed expired.

Solution:

1. The time of this machine is wrong: just correct the local time.
2. The registry's certificate has indeed expired: create an SSL security exception for the registry and give up the validity check of the registry server certificate. This has security risks.

When insecure registries are enabled, Docker connects to the registry using the following steps:

1. Try HTTPS first.
2. If the HTTPS connection is reachable but the certificate is invalid, ignore the certificate error.
3. If HTTPS is not available, fall back to HTTP.

CentOS

Create a daemon configuration file daemon.json in the /etc/docker/ directory, and write the IP address range of your target registry, or its specific domain name and port number, into the JSON file. For example, the network segment where my server is located is 10.0.0.0/8, so the content is as follows:

    { "insecure-registries" : ["10.0.0.0/8"] }

You can also use the domain name plus the port number, as shown below:

    { "insecure-registries" : ["myregistrydomain.com:5000"] }

Windows

Modify the file C:\ProgramData\docker\config\daemon.json. The format is the same as on Linux.

Restart the Docker service, then check whether the change took effect by looking at the Insecure Registries field.
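One way to review this setting before deploying it, as an added example that is not part of the original article: the script reads a daemon.json, reports how many addresses each insecure-registries entry covers, and lists which CIDR entries would put a given registry IP in the insecure set. SAMPLE_DAEMON_JSON is constructed from the two forms above; the function names and the max_addresses review threshold are assumptions, not Docker settings.

```python
import ipaddress
import json

# Constructed sample: both daemon.json forms from the article in one file.
SAMPLE_DAEMON_JSON = """
{ "insecure-registries" : ["10.0.0.0/8", "myregistrydomain.com:5000"] }
"""


def audit_insecure_registries(config_text, max_addresses=256):
    """Return one finding per insecure-registries entry.

    max_addresses is an assumed review threshold, not a Docker setting.
    """
    entries = json.loads(config_text).get("insecure-registries", [])
    findings = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not an IP address or CIDR range: a single host[:port] entry.
            findings.append({"entry": entry, "kind": "host",
                             "addresses": None, "broad": False})
            continue
        findings.append({"entry": entry, "kind": "cidr",
                         "addresses": net.num_addresses,
                         "broad": net.num_addresses > max_addresses})
    return findings


def entries_covering(config_text, registry_ip):
    """List the CIDR entries that put registry_ip in the insecure set."""
    ip = ipaddress.ip_address(registry_ip)
    return [f["entry"] for f in audit_insecure_registries(config_text)
            if f["kind"] == "cidr"
            and ip in ipaddress.ip_network(f["entry"], strict=False)]


if __name__ == "__main__":
    for finding in audit_insecure_registries(SAMPLE_DAEMON_JSON):
        print(finding)
    print(entries_covering(SAMPLE_DAEMON_JSON, "10.200.3.4"))
```

For the sample, the 10.0.0.0/8 entry is reported as covering 16,777,216 addresses, every one of which skips certificate validation and may fall back to HTTP, while the host:port entry exempts a single registry.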
docker info:

    [root@localhost ~]# docker info
    Containers: 0
     Running: 0
     Paused: 0
     Stopped: 0
    Images: 2
    Server Version: 17.05.0-ce
    Storage Driver: overlay
     Backing Filesystem: xfs
     Supports d_type: true
    Logging Driver: json-file
    Cgroup Driver: cgroupfs
    Plugins:
     Volume: local
     Network: bridge host macvlan null overlay
    Swarm: inactive
    Runtimes: runc
    Default Runtime: runc
    Init Binary: docker-init
    containerd version: 9048e5e50717ea4497b757314bad98ea3763c145
    runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
    init version: 949e6fa
    Security Options:
     seccomp
      Profile: default
    Kernel Version: 3.10.0-693.el7.x86_64
    Operating System: CentOS Linux 7 (Core)
    OSType: linux
    Architecture: x86_64
    CPUs: 24
    Total Memory: 62.74 GiB
    Name: localhost.localdomain
    ID: 755F:OEFV:VP3S:BMGQ:VUFW:WGT5:YQHO:EW6T:AAVE:NHS2:TPV3:SBTJ
    Docker Root Dir: /var/lib/docker
    Debug Mode (client): false
    Debug Mode (server): false
    Registry: https://index.docker.io/v1/
    Experimental: false
    Insecure Registries:
     10.0.0.0/8
     127.0.0.0/8
    Live Restore Enabled: false

How to Check the Validity Period of a Server Certificate

Take Firefox as an example.

Supplement: Replace expired self-signed certificate in Docker private repository

Replacing the Docker registry certificate

The following error is reported when pulling the image:

    k8s@master:~/shiyu$ docker pull reg.netlab.com/tensorflow-cpu
    Using default tag: latest
    Error response from daemon: Get https://reg.netlab.com/v2/: x509: certificate has expired or is not yet valid

Check whether the certificate in /etc/docker/certs.d has expired:

    root@master:~# openssl x509 -in /etc/docker/certs.d/reg.netlab.com/reg.netlab.com.crt -noout -dates
    notBefore=Apr 1 13:21:22 2019 GMT
    notAfter=Mar 31 13:21:22 2020 GMT

Apparently, the self-signed certificate expired on March 31, 2020.
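The cause analysis at the top of the article can be scripted, as an added example that is not part of the original article: it parses the -dates output shown above and compares the validity window with both the local clock and a reference time, to tell a wrong clock apart from an expired certificate. The reference time is assumed to come from a source you trust (for example another host with working time synchronization); the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample: the `openssl x509 -noout -dates` output shown above.
SAMPLE_DATES = """notBefore=Apr 1 13:21:22 2019 GMT
notAfter=Mar 31 13:21:22 2020 GMT"""


def parse_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            fields[key] = datetime.strptime(
                value.strip(), "%b %d %H:%M:%S %Y GMT"
            ).replace(tzinfo=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def state_at(text, when):
    """Classify the certificate as seen by a clock reading `when`."""
    not_before, not_after = parse_dates(text)
    if when < not_before:
        return "not_yet_valid"
    if when > not_after:
        return "expired"
    return "valid"


def diagnose(text, local_now, reference_now):
    """Separate the article's two causes: wrong clock vs. bad certificate."""
    local = state_at(text, local_now)
    reference = state_at(text, reference_now)
    if reference == "valid":
        # The certificate is fine; any failure comes from the local clock.
        return "ok" if local == "valid" else "local_clock_wrong"
    # Per the trusted clock the certificate is outside its validity window.
    return "certificate_" + reference


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Without a separate reference, the local clock is compared with itself.
    print(diagnose(SAMPLE_DATES, now, now))
```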
Re-sign a new certificate

Create a ~/certs folder to store the certificate and private key:

    mkdir -p ~/certs

Generate the key:

    cd ~/certs
    openssl genrsa -out reg.netlab.com.key 2048

Generate the certificate file:

    # -newkey rsa:4096 creates a new 4096-bit key and writes it to the -keyout
    # file, replacing the 2048-bit key generated in the previous step.
    openssl req -newkey rsa:4096 -nodes -sha256 -keyout reg.netlab.com.key -x509 -days 365 -out reg.netlab.com.crt

Fill in relevant information:

    Country Name (2 letter code) [XX]:CN # Your country name
    State or Province Name (full name) []:guangdong # Province
    Locality Name (eg, city) [Default City]:guagnzhou # City
    Organization Name (eg, company) [Default Company Ltd]:sysu
    Organizational Unit Name (eg, section) []:netlab
    Common Name (eg, your name or your server's hostname) []:reg.netlab.com
    Email Address []:[email protected]

At this point, the certificate self-signing is completed.

Add the certificate to the docker root certificate and restart docker

Note: Since it is a self-signed certificate, Docker does not trust it by default, so you need to add the certificate to Docker's root certificates. In CentOS 7/Ubuntu 18, the certificate storage path is /etc/docker/certs.d/domain name:

Add the certificate to the docker root certificate:

    mkdir -p /etc/docker/certs.d/reg.netlab.com
    cp ~/certs/reg.netlab.com.crt /etc/docker/certs.d/reg.netlab.com/

Restart Docker:

    systemctl restart docker

Replace expired certificates in Docker registry containers

View the registry container ID:

    k8s@master:~$ docker ps |grep registry
    3eb5eda4b75e registry.docker-cn.com/library/registry:2 "/entrypoint.sh /etc…" 13 months ago Up 44 minutes 0.0.0.0:443->5000/tcp registry
    b84ea71a572f f32a97de94e1 "/entrypoint.sh /etc…" 13 months ago Up About an hour 0.0.0.0:5000->5000/tcp registry_mirror

View the mount path of the registry according to the ID:

    k8s@master:~$ docker inspect 3eb5eda4b75e
    ...
    "Binds": [
        "/root/certs:/certs",
        "/home/registry:/var/lib/registry"
    ]
    ...
Copy the newly generated certificate to the /root/certs directory, which is mounted at /certs in the container:

    root@master:~/certs#ll
    total 16
    drwxr-xr-x 2 root root 4096 Apr 1 2019 ./
    drwx------ 8 root root 4096 May 2 14:06 ../
    -rw-r--r-- 1 root root 2126 Apr 1 2019 reg.netlab.com.crt
    -rw------- 1 root root 3272 Apr 1 2019 reg.netlab.com.key

Restart the registry container:

    k8s@master:~$ systemctl restart docker

At this point, the self-signed certificate has been updated!

Test:

    k8s@master:~/shiyu$ docker pull reg.netlab.com/tensorflow-cpu
    Using default tag: latest
    latest: Pulling from tensorflow-cpu
    Digest: sha256:68da50778a5f80e0676c4ca617299444fc71677a2d83cacccaf7a08d08cc1df6
    Status: Image is up to date for reg.netlab.com/tensorflow-cpu:latest

The above is my personal experience. I hope it can give you a reference. If there are any mistakes or incomplete considerations, please feel free to correct me.