Solve the problem of docker's tls (ssl) certificate expiration

Problem phenomenon:

[root@localhost ~]# docker image pull xxx.com.cn/centos7
Using default tag: latest
Error response from daemon: Get https://xxx.com.cn/v1/_ping: x509: certificate has expired or is not yet valid

Possible cause analysis:

Linux uses date to check the current time and compare it with the validity period of the certificate to get the specific reason, which may be one of the following two:

1. The time of this machine is wrong;

2. The registry's certificate has indeed expired;

Solution:

1. The time of this machine is wrong;

Just modify the local time

2. The registry's certificate has indeed expired;

Create an SSL security exception for the Registry and give up the validity check of the Registry server certificate, but this has security risks.

When insecure registries are enabled, Docker will attempt to connect to https using the following steps:

Try using HTTPS first.

If the HTTPS connection is reachable but the certificate is not available, ignore the certificate error;

If HTTPS connection is not available, HTTP is used.

CentOS Create a daemon configuration file daemon.json in the /etc/docker/ directory, and write the IP address segment of your target registry or the specific service domain name and port number into the json file.

For example, the network segment where my server is located is 10.0.0.0/8. Then the content is as follows:

{
 "insecure-registries" : ["10.0.0.0/8"]
}

You can also use the domain name plus the port number, as shown below:

{
 "insecure-registries" : ["myregistrydomain.com:5000"]
}

For Windows, modify the file C:\ProgramData\docker\config\daemon.json. The format is the same as that of Linux.

Restart the docker service.

Check whether it is effective and pay attention to the Insecure Registries field.

[root@localhost ~]# docker info
 
docker info :
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 2
Server Version: 17.05.0-ce
Storage Driver: overlay
 Backing Filesystem: xfs
 Supports d_type: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9048e5e50717ea4497b757314bad98ea3763c145
runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
init version: 949e6fa
Security Options:
 seccomp
 Profile: default
Kernel Version: 3.10.0-693.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 24
Total Memory: 62.74 GiB
Name: localhost.localdomain
ID: 755F:OEFV:VP3S:BMGQ:VUFW:WGT5:YQHO:EW6T:AAVE:NHS2:TPV3:SBTJ
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 10.0.0.0/8
 127.0.0.0/8
Live Restore Enabled: false

How to Check the Validity Period of a Server Certificate

Take Firefox as an example

Supplement: Replace expired self-signed certificate in Docker private repository

Replacing the Docker registry certificate

The following error is reported when pulling the image:

k8s@master:~/shiyu$ docker pull reg.netlab.com/tensorflow-cpu
Using default tag: latest
Error response from daemon: Get https://reg.netlab.com/v2/: x509: certificate has expired or is not yet valid

Check whether the certificate in /etc/docker/certs has expired

root@master:~# openssl x509 -in /etc/docker/certs.d/reg.netlab.com/reg.netlab.com.crt -noout -dates
notBefore=Apr 1 13:21:22 2019 GMT
notAfter=Mar 31 13:21:22 2020 GMT

Apparently, the self-signed certificate expired on March 31, 2020.

Re-sign a new certificate

Create a ~/certs folder to store keys and private keys

mkdir -p ~/certs

Generate key

cd ~/certs
openssl genrsa -out reg.netlab.com.key 2048

Generate key file

openssl req -newkey rsa:4096 -nodes -sha256 -keyout reg.netlab.com.key -x509 -days 365 -out reg.netlab.com.crt

Fill in relevant information

Country Name (2 letter code) [XX]:CN # Your country name State or Province Name (full name) []:guangdong
# Province Locality Name (eg, city) [Default City]:guagnzhou # City Organization Name (eg, company) [Default Company Ltd]:sysu
# Organizational Unit Name (eg, section) []:netlab # Common Name (eg, your name or your server's hostname) []:reg.netlab.com # Email Address []:[email protected]

At this point, the certificate self-signing is completed.

Add the certificate to the docker root certificate and restart docker

Note: Since it is a self-signed certificate, it is not trusted by Docker by default, so you need to add the certificate to the root certificate of Docker. In CentOS 7/Ubuntu 18, the certificate storage path is /etc/docker/certs.d/domain name:

Add the certificate to the docker root certificate

mkdir -p /etc/docker/certs.d/reg.netlab.com
cp ~/certs/reg.netlab.com.crt /etc/docker/certs.d/reg.netlab.com/

Restart Docker

systemctl restart docker

Replace expired certificates in Docker registry containers

View the registry container ID

k8s@master:~$ docker ps |grep registry
3eb5eda4b75e registry.docker-cn.com/library/registry:2 "/entrypoint.sh /etc…" 13 months ago Up 44 minutes 0.0.0.0:443->5000/tcp registry
b84ea71a572f f32a97de94e1 "/entrypoint.sh /etc…" 13 months ago Up About an hour 0.0.0.0:5000->5000/tcp registry_mirror

View the mount path of rigstry according to ID

k8s@master:~$ docker inspect 3eb5eda4b75e
...
"Binds": [
   "/root/certs:/certs",
   "/home/registry:/var/lib/registry"
  ]
...

cp the newly generated certificate to the /root/certs:/certs directory

root@master:~/certs#ll
Total dosage 16
drwxr-xr-x 2 root root 4096 Apr 1 2019 ./
drwx------ 8 root root 4096 May 2 14:06 ../
-rw-r--r-- 1 root root 2126 Apr 1 2019 reg.netlab.com.crt
-rw------ 1 root root 3272 Apr 1 2019 reg.netlab.com.key

Restart the registry container

k8s@master:~$ systemctl restart docker

At this point, the self-signed certificate has been updated!

test

k8s@master:~/shiyu$ docker pull reg.netlab.com/tensorflow-cpu
Using default tag: latest
latest: Pulling from tensorflow-cpu
Digest: sha256:68da50778a5f80e0676c4ca617299444fc71677a2d83cacccaf7a08d08cc1df6
Status: Image is up to date for reg.netlab.com/tensorflow-cpu:latest

The above is my personal experience. I hope it can give you a reference. I also hope that you will support 123WORDPRESS.COM. If there are any mistakes or incomplete considerations, please feel free to correct me.

You may also be interested in:

Shell script to check whether the domain name certificate is expired process analysis
Shell script to generate SSL self-signed certificate
Example of scripting to monitor SSL certificate expiration

<<: Introduction to using the MySQL mysqladmin client

>>: Pure CSS to achieve a single div regular polygon transformation