I have installed Nexus-3.15.2-01 on CentOS-7.6, with an Nginx reverse proxy and a self-signed SSL certificate configured for access over HTTPS. HTTPS access is working fine in the browser.

The Nexus private Docker repository has the HTTPS method activated.

From my Docker host, when I try to pull Docker images from my Nexus private Docker registry, it fails with the error below.

docker pull 101.102.103.104:5051/docker-image-14:1
Error response from daemon: Get https://101.102.103.104:5051/v2/: x509: cannot validate certificate for 101.102.103.104 because it doesn't contain any IP SANs

I have moved my nexus.crt file to /etc/docker/certs.d/101.102.103.104:5051/ on the Docker host. It is still not working.

user4948798

1 Answer


On the Docker registry, the certificate has to be generated with the subjectAltName, as described in the documentation.

You can try creating the certificate like this:

openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=101.102.103.104" -sha256 -new -key server-key.pem -out server.csr
# the address must be an IP: entry; an IP address inside a DNS: entry is not matched by Docker
echo subjectAltName = IP:101.102.103.104,IP:127.0.0.1 >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf

You can then verify whether the subject alternative name (SAN) is present in the certificate using the following command:

openssl x509 -in server-cert.pem -text -noout

Now try the pull again. Do not forget to put the new cert in /etc/docker/certs.d/101.102.103.104:5051/.
If after this you get a new error, x509: certificate signed by unknown authority, then in /etc/default/docker you need to specify the Docker options: DOCKER_OPTS="--insecure-registry 101.102.103.104:5051"

Then restart the daemon (add sudo if your user is not allowed to start the Docker service):

$ [sudo] service docker restart

Akshay Shah
  • Tried openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf on my Nexus server. Getting server.csr: No such file or directory error. Should I create it manually? – user4948798 Apr 09 '19 at 09:32
  • OK, so I need to perform the above commands on my Docker host? – user4948798 Apr 09 '19 at 10:12
  • @Kishore I have edited my answer you can directly copy paste commands to create the certificate and everything will be created. Let me know if it works – Akshay Shah Apr 09 '19 at 10:13
  • You can create the certificate anywhere you like but it needs to be present on your nexus server and you should configure your nginx to use these certificates (just see the path in the conf and replace that file with the new certificate with the SAN) – Akshay Shah Apr 09 '19 at 10:14
  • I have tried the below. 1. On my Nexus server executed the above given commands and updated the Nginx configuration. 2. On my Docker host created the (/etc/docker/certs.d/101.102.103.104:5051/) folder and copied all generated certificate files. 3. Added "insecure-registries" : [ "101.102.103.104:5051" ], in the /etc/docker/daemon.json file. 4. Restarted the Docker service. 5. docker pull 101.102.103.104:5051/docker-image-14:1 Able to pull the image from my Nexus server. – user4948798 Apr 09 '19 at 10:47
  • Yes working fine. One question on nexus created docker repository and assigned http protocol. Should I change this to https and check? – user4948798 Apr 09 '19 at 12:13
  • Because you have added `"insecure-registries" : [ "101.102.103.104:5051" ],` in `/etc/docker/daemon.json` file, it is using http and not using the https certificates anyway so to verify whether your original question is solved you need to try with https and removing the insecure registries entry. – Akshay Shah Apr 09 '19 at 12:22
  • Ok. For production environment I want to go with https. I will check the same and update you. Thanks for continue support. – user4948798 Apr 09 '19 at 12:51
  • Now on the Nexus Docker repository enabled HTTPS, assigned port 5054 and removed insecure-registries. Tried on the Docker host. docker login -u admin 101.102.103.104 Error response from daemon: Get https://101.102.103.104/v2/: x509: certificate signed by unknown authority – user4948798 Apr 10 '19 at 09:46
  • Is there any proxy in between? If yes, you also need to install its certificates in Docker's certs.d. Also, are you sure the IP SANs are set correctly (you can check it by `openssl x509 -in server-cert.pem -text -noout`)? – Akshay Shah Apr 10 '19 at 10:02
  • Actually there is no proxy between my Nexus and Docker host. The openssl x509 -in server-cert.pem -text -noout command is working on my Docker host. – user4948798 Apr 10 '19 at 10:13
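The thread above hits both x509 errors in turn: first the missing IP SAN, then the unknown authority once a private CA signs the server certificate. The script below is an added example, not code from the question or the answer, that issues the certificate for an IP-addressed registry and checks both properties offline before nginx is touched. It assumes REGISTRY_IP is the address clients pull from, 5051 is the HTTPS connector port, and CERTS_D is a staging directory standing in for /etc/docker/certs.d (which needs root on the real Docker host); all three can be overridden through the environment.

```sh
#!/bin/sh
# Added example (not from the original post): issue a CA-signed certificate for an
# IP-addressed registry, then check it the way dockerd will.
# Assumptions: REGISTRY_IP/REGISTRY_PORT are what clients dial; CERTS_D stands in
# for /etc/docker/certs.d on the Docker host (set CERTS_D=/etc/docker/certs.d there).
set -eu

REGISTRY_IP="${REGISTRY_IP:-101.102.103.104}"
REGISTRY_PORT="${REGISTRY_PORT:-5051}"
WORK="${WORK:-$(mktemp -d)}"
CERTS_D="${CERTS_D:-$WORK/certs.d}"

make_registry_certs() {
    cd "$WORK"
    # Private CA. The key is left unencrypted so this runs non-interactively;
    # for real use keep it encrypted (-aes256) and off the registry host.
    openssl genrsa -out ca-key.pem 4096 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key ca-key.pem \
        -subj "/CN=nexus-private-ca" -out ca.pem
    # Server key and CSR. The CN alone is not enough: Docker (Go's crypto/x509)
    # matches the dialed IP only against IP-type SAN entries.
    openssl genrsa -out server-key.pem 4096 2>/dev/null
    openssl req -new -sha256 -key server-key.pem \
        -subj "/CN=$REGISTRY_IP" -out server.csr
    # An IP inside a DNS: entry is ignored; it has to be IP:. serverAuth is the
    # extended key usage TLS clients expect on a server certificate.
    printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
        "$REGISTRY_IP" > extfile.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null
}

# 0 if server-cert.pem carries $1 as an IP SAN; a miss here is the
# "doesn't contain any IP SANs" error from the question.
has_ip_san() {
    openssl x509 -in "$WORK/server-cert.pem" -noout -text | grep -qF "IP Address:$1"
}

# 0 if server-cert.pem chains to our CA; a miss here is
# "certificate signed by unknown authority".
chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server-cert.pem" >/dev/null 2>&1
}

# Stage the trust anchor where dockerd looks for it: the CA certificate (not the
# server certificate) as ca.crt, in a directory named host:port exactly as dialed.
install_trust() {
    dest="$1/$REGISTRY_IP:$REGISTRY_PORT"
    mkdir -p "$dest"
    cp "$WORK/ca.pem" "$dest/ca.crt"
    echo "$dest/ca.crt"
}

make_registry_certs
if has_ip_san "$REGISTRY_IP" && chains_to_ca; then
    install_trust "$CERTS_D"
    echo "point nginx ssl_certificate/ssl_certificate_key at $WORK/server-cert.pem and $WORK/server-key.pem"
else
    echo "certificate checks failed; inspect $WORK/server-cert.pem" >&2
    exit 1
fi
```

Two things the script encodes that the thread glosses over: what goes into /etc/docker/certs.d/<host:port>/ is the CA certificate as ca.crt, not the server certificate, and the directory name must carry the same port the client dials (the later `docker login 101.102.103.104` with no port looks under a different directory than 101.102.103.104:5054). If the pull still reports an unknown authority after ca.crt is in place, nginx is almost certainly serving a different certificate than the one you checked; compare with `openssl s_client -connect 101.102.103.104:5051 -CAfile ca.pem </dev/null`. Listing the registry under insecure-registries makes the error disappear only because it lets the daemon fall back to plain HTTP or skip verification, which is not a fix for a production registry.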