{"id":768,"date":"2023-04-09T00:51:03","date_gmt":"2023-04-08T16:51:03","guid":{"rendered":"https:\/\/www.orztip.com\/?p=768&article_title="},"modified":"2023-04-09T00:51:45","modified_gmt":"2023-04-08T16:51:45","slug":"docker-registry-self-sign-cert-error-tls-bad-certificate","status":"publish","type":"post","link":"https:\/\/www.orztip.com\/?p=768&article_title=docker-registry-self-sign-cert-error-tls-bad-certificate","title":{"rendered":"Docker Registry\u4f7f\u7528\u81ea\u7b7e\u540d\u8bc1\u4e66\u540e\u603b\u63d0\u793a\u201ctls: bad certificate\u201d\u7684\u6392\u9664\u624b\u6cd5\u548c\u89e3\u51b3\u65b9\u6848"},"content":{"rendered":"\n

\u5047\u8bbe\u7684\u590d\u73b0\u73af\u5883\uff1a<\/strong><\/p>\n\n\n\n

A\u670d\u52a1\u5668\uff1aip\u4e3a192.168.1.1\uff0cDocker Registry\u57df\u540d\u548c\u7aef\u53e3\u4e3adocker-registry.orztip.internal:9933<\/p>\n\n\n\n

B\u670d\u52a1\u5668\uff1aip\u4e3a192.168.1.2<\/p>\n\n\n\n

\u4ee5\u4e0a\u670d\u52a1\u5668\u7684docker\u4f7f\u7528rootless\u6a21\u5f0f\u8fd0\u884c\uff0c\u8fd0\u884cdocker rootless\u7684\u7528\u6237\u540d\u4e3ademo\u3002<\/p>\n\n\n\n

\uff08\u5907\u6ce8\uff1a\u4ee5\u4e0b\u5185\u5bb9\u4e5f\u9002\u7528\u4e8e\u6392\u67e5docker\u4f7f\u7528\u5e38\u89c4root\u6a21\u5f0f\u8fd0\u884c\u7684\u95ee\u9898\uff09<\/p>\n\n\n\n

docker\u914d\u7f6e\u76ee\u5f55\u4e0b\u5df2\u7ecf\u653e\u7f6e\u81ea\u7b7e\u540d\u8bc1\u4e66ca\u6587\u4ef6\uff0c\u5373\u6587\u4ef6\u5728\u201c\u3010docker\u914d\u7f6e\u76ee\u5f55\u3011\/certs.d\/docker-registry.orztip.internal:9933\/ca.crt\u201d\u3002<\/p>\n\n\n\n

<\/p>\n\n\n\n

\u73b0\u8c61\uff1a<\/strong><\/p>\n\n\n\n

A\u670d\u52a1\u5668\u4f7f\u7528\u81ea\u7b7e\u540d\u8bc1\u4e66\u642d\u5efa\u4e86\u4e00\u4e2aDocker Registry\uff0c\u7136\u540eB\u670d\u52a1\u5668\u5411A\u670d\u52a1\u5668\u4f7f\u7528docker pull\u62c9\u53d6\u955c\u50cf\u65f6\u603b\u51fa\u73b0\u8fde\u63a5\u4e0d\u4e0a\u3001\u6216\u8005\u5176\u4ed6\u9519\u8bef\uff08\u6bd4\u5982mirror docker hub\u65f6A\u670d\u52a1\u5668\u5e76\u6ca1\u6709\u62c9\u53d6\u955c\u50cf\u7f13\u5b58\u4e0b\u6765\uff09\u3002<\/p>\n\n\n\n

\u6b64\u65f6A\u670d\u52a1\u5668\u67e5\u770bdocker logs\u65f6\u4f1a\u6709\u5982\u4e0b\u62a5\u9519\uff1a<\/p>\n\n\n\n

registry-mirror_1  | 2023\/01\/25 15:17:22 http: TLS handshake error from 192.168.1.2:59725: remote error: tls: bad certificate<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
\u6392\u67e5\uff1a<\/strong><\/p>\n\n\n\n
\u4ee5\u4e0b\u5747\u5728B\u670d\u52a1\u5668\u4e0a\u64cd\u4f5c\u3002<\/p>\n\n\n\n
\u5f00\u542fdocker\u8c03\u8bd5\u6a21\u5f0f\u548c\u8be6\u7ec6\u65e5\u5fd7\uff0c\u89c1\uff1a\u300a\u5982\u4f55\u5f00\u542fdocker\u7684\u8c03\u8bd5\u6a21\u5f0f\u548c\u8be6\u7ec6\u65e5\u5fd7\u8f93\u51fa\u300b\uff1ahttps:\/\/www.orztip.com\/?p=761&article_title=docker-debug-mode-and-verbose-log<\/a><\/p>\n\n\n\n
\u91cd\u542fdocker\u540e\uff0c\u518d\u6b21\u5c1d\u8bd5\u8fd0\u884cdocker pull\u52a8\u4f5c\uff0c\u7136\u540e\u5230\/var\/log\/syslog\u6216\u8005\/var\/log\/messages\u67e5\u627e\u65e5\u5fd7\uff0c\u6b64\u65f6\u4f1a\u770b\u5230\u5982\u4e0b\u65e5\u5fd7\uff1a<\/p>\n\n\n\n
Jan 26 00:12:38 B\u670d\u52a1\u5668 dockerd-rootless.sh[3291]: time=\"2023-01-26T00:12:38.689846619+08:00\" level=debug msg=\"hostDir: \/home\/demo\/.config\/docker\/certs.d\/docker-registry.orztip.internal:9933\"\r\nJan 26 00:12:38 B\u670d\u52a1\u5668 dockerd-rootless.sh[3291]: time=\"2023-01-26T00:12:38.689930920+08:00\" level=debug msg=\"crt: \/home\/demo\/.config\/docker\/certs.d\/docker-registry.orztip.internal:9933\/ca.crt\"\r\nJan 26 00:12:38 B\u670d\u52a1\u5668 dockerd-rootless.sh[3291]: time=\"2023-01-26T00:12:38.689998990+08:00\" level=debug msg=\"Trying to pull ubuntu from https:\/\/docker-registry.orztip.internal:9933\/ v2\"\r\nJan 26 00:12:38 B\u670d\u52a1\u5668 dockerd-rootless.sh[3291]: time=\"2023-01-26T00:12:38.695741621+08:00\" level=warning msg=\"Error getting v2 registry: Get \\\"https:\/\/docker-registry.orztip.internal:9933\/v2\/\\\": x509: certificate relies on legacy Common Name field, use SANs instead\"\r\nJan 26 00:12:38 B\u670d\u52a1\u5668 dockerd-rootless.sh[3291]: time=\"2023-01-26T00:12:38.695776571+08:00\" level=info msg=\"Attempting next endpoint for pull after error: Get \\\"https:\/\/docker-registry.orztip.internal:9933\/v2\/\\\": x509: certificate relies on legacy Common Name field, use SANs instead\"\r\nJan 26 00:12:38 B\u670d\u52a1\u5668 dockerd-rootless.sh[3291]: time=\"2023-01-26T00:12:38.695807201+08:00\" level=debug msg=\"Trying to pull ubuntu from https:\/\/registry-1.docker.io v2\"\r\nJan 26 00:12:42 B\u670d\u52a1\u5668 dockerd-rootless.sh[3291]: time=\"2023-01-26T00:12:42.218347552+08:00\" level=debug msg=\"Fetching manifest from remote\" digest=\"sha256:0e0402cd13f68137edb0266e1d2c682f217814420f2d43d300ed8f65479b14fb\" error=\"context canceled\" remote=\"docker.io\/library\/ubuntu:20.04\"\r<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
\u6545\u969c\u6700\u7ec8\u539f\u56e0\uff1a<\/strong><\/p>\n\n\n\n
\u65e5\u5fd7\u4e2d\u5b58\u5728\u201c x509: certificate relies on legacy Common Name field, use SANs instead\u201d\u3002<\/p>\n\n\n\n
\u987a\u7740\u6392\u67e5\u624d\u77e5\u9053\uff0c\u539f\u6765Go 1.15\u5f00\u59cb\u5e9f\u5f03X.509 CommonName\u30101\u3011\u30102\u3011\uff0c\u90a3\u4e48\u4f7f\u7528Go\u8bed\u8a00\u7f16\u5199\u7684docker\u81ea\u7136\u4e5f\u4e0d\u8ba4\u5b57\u6bb5CN\uff08Common Name\uff09\uff0c\u5fc5\u987b\u4f7f\u7528X.509\u7684\u6269\u5c55\u5b57\u6bb5SANs\uff08Subject Alternate Names\uff09\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u89e3\u51b3\uff1a<\/strong><\/p>\n\n\n\n
\u91cd\u65b0\u751f\u6210\u5e26\u6269\u5c55\u5b57\u6bb5SANs\uff08Subject Alternate Names\uff09\u7684\u81ea\u7b7e\u540d\u8bc1\u4e66\u3002<\/p>\n\n\n\n
\u53c2\u89c1docker registry\u7684\u6587\u6863\uff0c\u4f7f\u7528openssl\u7684\u547d\u4ee4\u884c\u5982\u4e0b\uff08\u6ce8\u610fCommon Name\u4ecd\u7136\u8981\u624b\u52a8\u8f93\u5165\uff0c\u5185\u5bb9\u548csubjectAltName\u4e00\u6837\u7684\u57df\u540d\uff09\uff1a<\/p>\n\n\n\n
openssl req \\\r\n  -newkey rsa:4096 -nodes -sha256 -keyout domain.key \\\r\n  -addext \"subjectAltName = DNS:docker-registry.orztip.internal\" \\\r\n  -x509 -days 3650 -out domain.crt\r<\/code><\/pre>\n\n\n\n
\u8f93\u51fa\u793a\u4f8b\uff1a<\/p>\n\n\n\n
\r\ndemo@A\u670d\u52a1\u5668: $ openssl req \\\r\n  -newkey rsa:4096 -nodes -sha256 -keyout domain.key \\\r\n  -addext \"subjectAltName = DNS:docker-registry.orztip.internal\" \\\r\n  -x509 -days 3650 -out domain.crt\r\n\r\n\r\nGenerating a RSA private key\r\n.......................................................++++\r\n..............................................................................++++\r\nwriting new private key to 'domain.key'\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [AU]:\r\nState or Province Name (full name) [Some-State]:\r\nLocality Name (eg, city) []:\r\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:\r\nOrganizational Unit Name (eg, section) []:\r\nCommon Name (e.g. server FQDN or YOUR name) []:docker-registry.orztip.internal\r\nEmail Address []:\r<\/code><\/pre>\n\n\n\n
\u9a8c\u8bc1\u8bc1\u4e66\u662f\u5426\u5e26SANs\u6269\u5c55\u5b57\u6bb5\uff0cCN\u5b57\u6bb5\u662f\u5426\u548cSANs\u6269\u5c55\u5b57\u6bb5\u4e2d\u7684\u57df\u540d\u662f\u5426\u4e00\u81f4\uff1a<\/p>\n\n\n\n
openssl x509 -in  domain.crt  -text -noout<\/code><\/pre>\n\n\n\n
\u793a\u4f8b\uff1a<\/p>\n\n\n\n
\r\ndemo@A\u670d\u52a1\u5668$ openssl x509 -in  domain.crt -text -noout\r\nCertificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number:\r\n            [\u7565]\r\n        Signature Algorithm: sha256WithRSAEncryption\r\n        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = docker-registry.orztip.internal\r\n        Validity\r\n            Not Before: Jan 26 09:47:30 2023 GMT\r\n            Not After : Jan 23 09:47:30 2033 GMT\r\n        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = docker-registry.orztip.internal\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: rsaEncryption\r\n                RSA Public-Key: (4096 bit)\r\n                Modulus:\r\n                                [\u7565]\r\n                Exponent: 65537 (0x10001)\r\n        X509v3 extensions:\r\n            X509v3 Subject Key Identifier: \r\n                [\u7565]\r\n            X509v3 Authority Key Identifier: \r\n                keyid:[\u7565]\r\n            X509v3 Basic Constraints: critical\r\n                CA:TRUE\r\n            X509v3 Subject Alternative Name: \r\n                DNS:docker-registry.orztip.internal\r\n    Signature Algorithm: sha256WithRSAEncryption\r\n         [\u7565]<\/code><\/pre>\n\n\n\n
\u7136\u540e\u91cd\u65b0\u4f7f\u7528domain.crt\u548cdomain.key\u90e8\u7f72A\u670d\u52a1\u5668\u4e0a\u7684docker registry\uff0c\u5e76\u4e14\u91cd\u542fdocker\u3002<\/p>\n\n\n\n
\u540c\u65f6\u4f7f\u7528domain.crt\u6587\u4ef6\u8986\u76d6\u6389B\u670d\u52a1\u5668\u4e0a\u90e8\u7f72\u7684ca\u6587\u4ef6\uff0c\u5373B\u670d\u52a1\u5668\u4e0a\u7684\u201c\u3010docker\u914d\u7f6e\u76ee\u5f55\u3011\/certs.d\/docker-registry.orztip.internal:9933\/ca.crt\u201d\u3002<\/p>\n\n\n\n
\u6700\u540e\u9a8c\u8bc1\u4e00\u4e0b\uff0c\u5e94\u8be5\u5c31\u53ef\u4ee5\u6b63\u5e38\u8fd0\u884c\u4e86\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u53c2\u8003\u6587\u7ae0\uff1a<\/strong><\/p>\n\n\n\n
\u30101\u3011https:\/\/go.dev\/doc\/go1.15#commonname<\/a><\/p>\n\n\n\n
\u30102\u3011https:\/\/github.com\/johanbrandhorst\/certify\/issues\/122<\/a><\/p>\n\n\n\n
\u30103\u3011https:\/\/docs.docker.com\/registry\/insecure\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
\u5047\u8bbe\u7684\u590d\u73b0\u73af\u5883\uff1a A\u670d\u52a1\u5668\uff1aip\u4e3a192.168.1.1\uff0cDocker Registry\u57df\u540d\u548c\u7aef\u53e3\u4e3adocke… \u7ee7\u7eed\u9605\u8bfbDocker Registry\u4f7f\u7528\u81ea\u7b7e\u540d\u8bc1\u4e66\u540e\u603b\u63d0\u793a\u201ctls: bad certificate\u201d\u7684\u6392\u9664\u624b\u6cd5\u548c\u89e3\u51b3\u65b9\u6848<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,116,6],"tags":[138],"_links":{"self":[{"href":"https:\/\/www.orztip.com\/index.php?rest_route=\/wp\/v2\/posts\/768"}],"collection":[{"href":"https:\/\/www.orztip.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.orztip.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.orztip.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.orztip.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=768"}],"version-history":[{"count":1,"href":"https:\/\/www.orztip.com\/index.php?rest_route=\/wp\/v2\/posts\/768\/revisions"}],"predecessor-version":[{"id":769,"href":"https:\/\/www.orztip.com\/index.php?rest_route=\/wp\/v2\/posts\/768\/revisions\/769"}],"wp:attachment":[{"href":"https:\/\/www.orztip.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=768"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.orztip.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=768"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.orztip.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=768"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}