I have an HAProxy server that's exposed on the internet. I've used a subdomain such as registry.mydomain.com to create Let's Encrypt certificates, enabling encrypted connections.

Now, I want to use HAProxy to forward traffic from that URL to some Docker swarm on other computers. In that swarm, I am running a Docker Registry, which in turn is asking for such an encryption certificate.

I've tried to reuse the same certificate I got from HAProxy. Unfortunately, when the traffic goes through HAProxy into the Docker Registry container, I get this error message:

Error response from daemon: Get https://[swarm-ip]:5000/v1/users/: x509: cannot validate certificate for [swarm-ip] because it doesn't contain any IP SANs

As a programmer trying to do networking stuff, I feel like there's something missing here but I just can't figure it out.

RooSoft

1 Answer

With your Let's Encrypt certificate, the CN (registry.mydomain.com) will not match the URL you are trying to reach ([swarm-ip]).

Two solutions for you: you can either create your own CA to generate your own certificates, and trust it on your HAProxy.

Or, you can just tell HAProxy not to verify the certificate:

server myserver [swarm-ip]:5000 ssl verify none

With this, traffic will still be encrypted between your HAProxy and your backend, but it will not check that the certificate is valid. This means that you can still be vulnerable to MITM.

If you decide to tell your HAProxy not to check your certificate, you can use any certificate you want, even a self-signed one.

Wee
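A worked version of the first option in the answer (your own CA, trusted by HAProxy), added here as an example that is not part of the original question or answer. It builds a private CA with the openssl CLI, issues a registry certificate whose subjectAltName carries both a DNS name and the swarm node's IP (the missing IP SAN is exactly what the daemon error complains about), and then runs the two checks that `ssl verify required ca-file ca.pem` would perform at HAProxy: does the certificate chain to the CA, and does its SAN cover the address HAProxy connects to. It also issues a DNS-only certificate to reproduce the question's situation. The CA name, registry.internal.example and 10.0.0.5 are placeholders I chose; the script assumes openssl is installed and writes into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): private CA + registry certificate
# with DNS and IP SANs, plus the checks HAProxy performs with
# "ssl verify required ca-file ca.pem". All names and the IP are assumed values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
REGISTRY_DNS="registry.internal.example"   # assumed internal name of the registry
SWARM_IP="10.0.0.5"                        # assumed stand-in for [swarm-ip]

# 1. Self-signed CA. An explicit config keeps the result independent of the
#    distro's default openssl.cnf.
make_ca() {
  cat > "$WORKDIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Internal Registry CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORKDIR/ca.cnf" -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" >/dev/null 2>&1
}

# 2. Leaf certificate signed by that CA. $1 = output base path, $2 = subjectAltName
#    value; the IP: entry is what the "doesn't contain any IP SANs" error asks for.
make_server_cert() {
  base="$1"; san="$2"
  cat > "$base.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $REGISTRY_DNS
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$base.cnf" \
    -keyout "$base.key" -out "$base.csr" >/dev/null 2>&1
  cat > "$base.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  openssl x509 -req -sha256 -days 825 -in "$base.csr" \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$base.ext" -out "$base.pem" >/dev/null 2>&1
}

# 3. Checks. chain_ok: does the cert chain to our CA (the "verify required" part)?
#    has_ip_san: does its SAN list the IP HAProxy will connect to?
chain_ok() {    # $1 = cert path
  openssl verify -CAfile "$WORKDIR/ca.pem" "$1" >/dev/null 2>&1
}
has_ip_san() {  # $1 = cert path, $2 = IP address
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "IP Address:$2"'(,| |$)'
}

make_ca
make_server_cert "$WORKDIR/registry" "DNS:$REGISTRY_DNS,IP:$SWARM_IP"  # what the registry should serve
make_server_cert "$WORKDIR/dnsonly"  "DNS:$REGISTRY_DNS"               # reproduces the question's situation

for c in registry dnsonly; do
  chain_ok "$WORKDIR/$c.pem" && chainmsg="chains to CA" || chainmsg="NOT trusted"
  has_ip_san "$WORKDIR/$c.pem" "$SWARM_IP" && sanmsg="has IP SAN $SWARM_IP" || sanmsg="no IP SAN for $SWARM_IP"
  echo "$c.pem ($WORKDIR): $chainmsg, $sanmsg"
done
```

With the files generated, ca.pem goes to the HAProxy host and the server line uses `ssl verify required ca-file /etc/haproxy/internal-ca.pem` instead of `verify none`; adding `verifyhost registry.internal.example` makes HAProxy also check the name in the certificate rather than only the chain. The registry container gets registry.pem and registry.key (the Docker Registry reads them from REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY). Because the certificate now lists both the DNS name and the node IP, it is accepted whether HAProxy reaches the backend by name or by [swarm-ip], which is the case the question's error came from.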