Nexus a private docker registry https connector fails to pull the images on docker host


Mohan S

Apr 24, 2019, 1:02:07 AM
to Nexus Users

My Nexus environment details are as follows:

OS - CentOS Linux release 7.6.1810 (Core)

Server Type: Physical/Standalone Server.

Sonatype Nexus Repository Manager - OSS 3.15.2-01

Nginx Reverse Proxy Configured.

As per the following link, I created self-signed server TLS certificates.

https://support.sonatype.com/hc/en-us/articles/217542177-Using-Self-Signed-Certificates-with-Nexus-Repository-Manager-and-Docker-Daemon

 

Commands used from location /opt/nexus/etc/ssl/:

1. openssl genrsa -aes256 -out ca-key.pem 4096
2. openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem
3. openssl genrsa -out server-key.pem 4096
4. openssl req -subj "/CN=100.101.102.103" -sha256 -new -key server-key.pem -out server.csr
5. echo subjectAltName = DNS: 100.101.102.103,IP: 100.101.102.103,IP:127.0.0.1 >> extfile.cnf
6. echo extendedKeyUsage = serverAuth >> extfile.cnf
7. openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
8. Then updated the nginx configuration file like below:

      ssl_certificate      /opt/nexus/etc/ssl/server-cert.pem;
      ssl_certificate_key  /opt/nexus/etc/ssl/server-key.pem;

9. Then generated a self-signed server certificate for Nexus using the keytool command:
10. keytool -genkeypair -keystore keystore.jks -storepass changeit -keypass changeit -alias jetty -keyalg RSA -keysize 2048 -validity 5000 -dname "CN=*.docker-client, OU=Example, O=Sonatype, L=Unspecified, ST=Unspecified, C=US" -ext "SAN=DNS:nexus-server,IP: 100.101.102.103" -ext "BC=ca:true"
11. Updated the keystore password in the /opt/nexus/etc/jetty/jetty-https.xml file.
12. keytool -printcert -sslserver ${NEXUS_DOMAIN}:${SSL_PORT} -rfc

    Copied the certificate printed by the above command and pasted it on my docker server as /etc/pki/ca-trust/source/anchors/100.101.102.103.crt
13. update-ca-trust
14. systemctl restart docker.service
15. Then, from my docker host server, when I tried to pull the image I got the error below.

 docker pull 100.101.102.103:8086/ubuntu-14

 Error response from daemon: Get https://100.101.102.103:8086/v2/: x509: certificate signed by unknown authority

 

Note:

1. I am able to access my Nexus over HTTPS in a browser. I have enabled the HTTPS connector on port 8086.

2. If I enable the connector with the HTTP protocol and add the following entry, "insecure-registries" : [ "100.101.102.103:8086" ], in the docker host's /etc/docker/daemon.json file, I am able to pull the images. But I would want to go with HTTPS.


Mohan S

Apr 24, 2019, 2:35:30 AM
to Nexus Users
Even docker login fails.

[root@docker-host ~]# docker login 100.101.102.103:8086
Username: admin
Password:

Error response from daemon: Get https://100.101.102.103:8086/v2/: x509: certificate signed by unknown authority



Rich Seddon

Apr 24, 2019, 2:58:49 PM
to Nexus Users

--
You received this message because you are subscribed to the Google Groups "Nexus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nexus-users...@glists.sonatype.com.
To post to this group, send email to nexus...@glists.sonatype.com.
To view this discussion on the web visit https://groups.google.com/a/glists.sonatype.com/d/msgid/nexus-users/bdb668da-604e-4d65-b5fa-c7c83acc4dc2%40glists.sonatype.com.
For more options, visit https://groups.google.com/a/glists.sonatype.com/d/optout.


--
Sonatype
Richard Seddon
Manager of Product Support

Mohan S

Apr 24, 2019, 6:07:58 PM
to Nexus Users
I have followed the instructions at the same URL, but I am still stuck with the same issue.

Mohan S

Apr 25, 2019, 12:20:45 AM
to Nexus Users
I have configured a reverse proxy through nginx. So, per the shared link, I generated the (.pem & .key) files and then updated the nginx conf file. Now I am able to log in to my docker private registry from my docker host. Thank you.

Giorgos Argyriou

May 7, 2019, 5:42:31 AM
to Nexus Users, moha...@gmail.com
Hello Mohan,

What exactly did you do with nginx?
I know how to create secure registries from scratch using nginx, having authentication/authorization and everything, but isn't Nexus supposed to automate this process?

Right now I have a Nexus running and https access configured (for the Nexus service).
BUT, when I create a registry with an https connector, I get the same response you got from any docker client that tries to reach it.

Peter Lynch

May 7, 2019, 9:46:15 AM
to Giorgos Argyriou, Nexus Users, Mohan S

If the message is identical, the Docker client is telling you it doesn't trust the TLS certificate Nexus is using for its connector. It's the same scenario as when you access a website using a self-signed/private certificate in a web browser and the browser tells you the site is untrusted.

Either don't use a self-signed/private cert or follow the advice in our article:

Docker has general advice about how a Unix-based system can trust a certificate, and we recommend following their advice.
A second option is to configure only Docker to trust the certificate on a per host:port basis. Docker has specific advice on where certificates can be copied in order for them to be trusted automatically per host. The disadvantage is that for each Docker registry host:port accessed, a new certificate file must be added.
 




--
Sonatype
Peter Lynch
Senior Product Support Engineer

Mohan S

May 7, 2019, 11:39:23 PM
to Nexus Users, gioa...@gmail.com, moha...@gmail.com

Hi Giorgos, as instructed in the following link: https://support.sonatype.com/hc/en-us/articles/217542177-Using-Self-Signed-Certificates-with-Nexus-Repository-Manager-and-Docker-Daemon

1. On the Nexus server, generate [a self-signed server certificate for Nexus using keytool] inside the Nexus application's /etc/ssl directory.

2. The DNS name of your Nexus server must be resolvable on your Docker host.

3. Follow the remaining steps (1 and 2) as per the link.

4. For the Nexus server's nginx reverse proxy, update the .conf file with the following:

      ssl on;
      ssl_certificate      /nexus-application-dir/etc/ssl/example.pem;
      ssl_certificate_key  /nexus-application-dir/etc/ssl/example.key;

5. Restart nginx.

6. On the Docker host, check docker login; it should work.



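An added example (not code from the thread, Sonatype or Docker) that reproduces the trust failure Peter describes and the nginx fix Mohan lists, offline with throwaway certificates: a server certificate signed by a private CA, as nginx would present on the registry port, is validated first against an unrelated self-signed certificate standing in for the exported Jetty cert, then against the CA that actually signed it. All CN values and the 100.101.102.103 address are constructed to mirror the thread.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the trust mismatch offline.
# A throwaway private CA signs a server certificate (the thread's ca.pem and
# server-cert.pem that nginx presents), and an unrelated self-signed certificate
# stands in for the Jetty keystore cert that was exported with keytool and
# installed as the Docker host's trust anchor. All names and IPs are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Private CA (thread steps 1-2); key left unencrypted so this runs unattended.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -keyout ca-key.pem -out ca.pem -subj "/CN=example-private-ca" 2>/dev/null

# Server certificate for the reverse proxy, signed by that CA (steps 3-7).
printf 'subjectAltName = IP:100.101.102.103\nextendedKeyUsage = serverAuth\n' > extfile.cnf
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout server-key.pem \
  -out server.csr -subj "/CN=100.101.102.103" 2>/dev/null
openssl x509 -req -days 30 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null

# Unrelated self-signed certificate: what `keytool -printcert -sslserver -rfc`
# against the Jetty connector produced, and what ended up under ca-trust anchors.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -keyout jetty-key.pem -out jetty-anchor.pem -subj "/CN=nexus-server" 2>/dev/null

# Validate a presented server certificate against one anchor file, which is the
# chain check the Docker daemon's TLS client performs. Returns 0 only on success.
check_chain() { # $1 = anchor (CA) file, $2 = server certificate presented by the registry
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "OK: $2 chains to $1"
  else
    echo "FAIL: $2 does not chain to $1 (certificate signed by unknown authority)"
    return 1
  fi
}

# The poster's situation: nginx presents server-cert.pem, but the installed
# anchor is the Jetty certificate, so validation fails as `docker pull` reported.
check_chain jetty-anchor.pem server-cert.pem || true
# The fix the thread arrived at: trust the CA that actually signed what nginx serves.
check_chain ca.pem server-cert.pem
```

On the Docker host the anchor is whichever file was installed, either through update-ca-trust as in the thread or as /etc/docker/certs.d/<host:port>/ca.crt for the per host:port option Peter mentions; in both cases it must be the issuer of the certificate the proxy actually serves on port 8086.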

Sandeep Sarpe

Apr 11, 2020, 8:48:26 AM
to Nexus Users
Hi Mohan,
What steps did you follow exactly with nginx and Nexus? I am getting the same issues/errors that you mentioned in your initial email.

Mohan

Apr 15, 2020, 10:56:57 PM
to Nexus Users
Hi Sandeep,

So on your docker host, login to Nexus is failing? If yes, it could be a certificate problem. So please follow the below link and refer to the steps I provided in my reply to Giorgos. It would help you.
