configuring a docker with Nexus3, SSL - self signed certificate, and Private Docker Registry access


Rebecca Hulse

Apr 14, 2016, 7:38:08 PM
to Nexus Users
Hi All,

I would like to setup a docker container that has Nexus3 with SSL (using a self-signed certificate), and would like to be able to access docker hub and push/pull images to my own Nexus3 Private Docker Registry.  I have tried going through the documentation and videos but I have not been able to successfully get this working.  

Attached is the dockerfile and it would be great to know if I am missing some steps.

Host machine is:
- Linux - ubuntu 14.04 lts
- docker version:  1.10.3, build 20f81dd

After building the container I start it with the following command: 
docker run  -p 8081:8081 -p 8443:8443 -p 18443:18443 -p 18444:18444 --name mynexus3 -v ~/nexusData:/nexus-data nexus3

After container is started on host machine:
- on the host: I start Chrome and navigate to https://<machine name>:8443 (the https is crossed out, as expected)
- Then in Nexus3 perform the following:
  - create the docker-hub proxy by following instructions here:  https://books.sonatype.com/nexus-book/3.0/reference/docker.html#docker-proxy  
  - create the docker-private hosted repo:  set the https connector to 18444
  - create the docker-group : set the https connector to 18443

Then from my host machine:
- start a terminal window
- then try and pull the ubuntu image from the docker-hub with the following command:
  - docker pull <machinename>:18443/ubuntu 

and I get the following error:
Using default tag: latest
Error response from daemon: unable to ping registry endpoint https://<machine name>:18443/v0/
v2 ping attempt failed with error: Get https://<machine name>:18443/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://<machine name>:18443/v1/_ping: x509: certificate signed by unknown authority

Is there some other configuration that needs to happen on the host machine for this to work?  Is there something that needs to be added to the Dockerfile?



Dockerfile

Gerd Aschemann

Apr 15, 2016, 2:19:18 AM
to Rebecca Hulse, Nexus Users
Hi Rebecca,

general question out of curiosity: Why do you build the Nexus docker image completely from scratch? Why don't you use the "sonatype/nexus3" image? At least as a starting point? As far as I can see, you generate and add your certificates to the configuration in the Dockerfile. You could even do this with sonatype/nexus3 as base image? Or probably better: Create a Docker volume image which contains the certificate only and mount it as a volume container in the sonatype container?

To your question: I have a similar setup, except that I am not using TLS (and that I used the "official" image). I saw similar ping attempt failures sometimes too, though I cannot recollect what exactly the problem was. What helped me was to add "--insecure-registry <machine name>:18443" to my docker daemon start (/etc/default/docker in Debian/Ubuntu). 

However, adding the insecure-registry option might help you as well? Please give it a try. My first assumption was that it just tells Docker not to use TLS at all. But from a lot of Docker issues and articles on the web I think it might also advise Docker not to check the full certificate chain ...

HTH,
  Gerd

--
You received this message because you are subscribed to the Google Groups "Nexus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nexus-users...@glists.sonatype.com.
To post to this group, send email to nexus...@glists.sonatype.com.
To view this discussion on the web visit https://groups.google.com/a/glists.sonatype.com/d/msgid/nexus-users/f1770adf-8373-4f55-b74d-1fd4f3ea7e2b%40glists.sonatype.com.
For more options, visit https://groups.google.com/a/glists.sonatype.com/d/optout.
<Dockerfile>

--
Gerd Aschemann --- Veröffentlichen heißt Verändern (Carmen Thomas)
+49/173/3264070 -- ge...@aschemann.net -- http://www.aschemann.net


Matthew Barker

Apr 15, 2016, 12:10:26 PM
to Rebecca Hulse, Gerd Aschemann, Nexus Users, Peter Lynch
Rebecca,

I am pretty sure there are problems with Docker and the --insecure-registry option; we do not recommend it.

Instead, you need to create a certificate and configure your Docker daemon to trust that cert - here is a good knowledge base article that covers this: 

Let us know if you need more assistance.

Best,
Matthew




--

Matthew Barker | West and Central Technical Director

Rich Seddon

Apr 15, 2016, 2:02:04 PM
to Matthew Barker, Rebecca Hulse, Gerd Aschemann, Nexus Users, Peter Lynch
Agreed that "--insecure-registry" is not a good idea; it doesn't seem to be a well-tested option in Docker.

I would like to follow the instructions here: https://support.sonatype.com/hc/en-us/articles/217542177-Using-Self-Signed-Certificates-with-Nexus-Repository-Manager-and-Docker-Daemon 
but the problem is you don't know the ip address of the docker container until it is started.

You could just generate and install the certificate at startup automatically using the keytool commands in the article above and a bit of scripting.  The IP address to use could be extracted from the output of "ifconfig -a".

Rich




Rebecca Hulse

Apr 18, 2016, 4:54:40 PM
to Nexus Users, rhul...@gmail.com
Hi,

Thanks for the reply. The reason I did not use the base image was that we are trying to standardize on Ubuntu 14.04 as the OS. 

Manfred Moser

Apr 18, 2016, 4:59:10 PM
to Rebecca Hulse, Nexus Users

Rebecca Hulse

Apr 18, 2016, 5:02:06 PM
to Nexus Users, mba...@sonatype.com, rhul...@gmail.com, ge...@aschemann.net, ply...@sonatype.com
Thanks for all of the replies.

I have tried using the --insecure-registry option and that did not work.

I also tried the instructions mentioned in the article about self-signed certificates, and that did not seem to work either. 

I have tried using a docker image and tried setting up just a regular VM, and I still have not been able to successfully get the self-signed certificate stuff to work.  On the machine that has docker, whenever I try to do a search I get the error "x509 certificate signed by unknown authority".

So either I am passing in the wrong CN name, which I think is just the machine name (but I have tried the machine name, just the domain name, and the fully qualified machine name). For example, if my machine had the fully qualified name testmachine.mydomain.foo.com, for the CN name you would pass in "testmachine", correct, and not "mydomain.foo.com"? 

Peter Lynch

Apr 19, 2016, 3:56:10 PM
to Rebecca Hulse, Nexus Users, Matthew Barker, ge...@aschemann.net
On Mon, Apr 18, 2016 at 6:02 PM, Rebecca Hulse <rhul...@gmail.com> wrote:
Thanks for all of the replies.

I have tried using the --insecure-registry option and that did not work.

I also tried the instructions mentioned in the article about self-signed certificates, and that did not seem to work either. 

I have tried using a docker image and tried setting up just a regular VM, and I still have not been able to successfully get the self-signed certificate stuff to work.  On the machine that has docker, whenever I try to do a search I get the error "x509 certificate signed by unknown authority".

So either I am passing in the wrong CN name, which I think is just the machine name (but I have tried the machine name, just the domain name, and the fully qualified machine name). For example, if my machine had the fully qualified name testmachine.mydomain.foo.com, for the CN name you would pass in "testmachine", correct, and not "mydomain.foo.com"? 

The CN name in the certificate must match the host name you are using to reach Nexus or be a wildcard like '*.mydomain.foo.com'. Also the certificate that Nexus is using must be marked as a certificate authority. This is what the -ext "BC=ca:true" option to keytool does.

What is the output of the following?

keytool -printcert -sslserver testmachine.mydomain.foo.com

Dan Tran

Apr 19, 2016, 5:37:41 PM
to Peter Lynch, Rebecca Hulse, Nexus Users, Matthew Barker, ge...@aschemann.net
Hi

I am able to follow Sonatype's instructions to create a self-signed certificate for my local Windows docker proxy. Then I use openssl to extract the .pem format from my Nexus docker URL and place it under /var/lib/boot2docker/certs.pem (I am using Docker Toolbox for Windows 1.10.x).

However, when I try to do a pull, I get this much better error: 

Using default tag: latest
Error response from daemon: Get https://usentrand8l1c.mycomp.com:6443/v2/jetty/manifests/latest: no basic auth credentials

Any clue? I am very close to getting this working :)

Thanks and sorry for hijacking this thread

-Dan





Rich Seddon

Apr 19, 2016, 5:39:01 PM
to Dan Tran, Peter Lynch, Rebecca Hulse, Nexus Users, Matthew Barker, Gerd Aschemann

Dan Tran

Apr 19, 2016, 5:44:59 PM
to Rich Seddon, Peter Lynch, Rebecca Hulse, Nexus Users, Matthew Barker, Gerd Aschemann
Oh my, it works after issuing the login.  Huge thanks.

How do I get nexus to bypass the login?

Thanks

-Dan

Matthew Barker

Apr 19, 2016, 5:51:06 PM
to Dan Tran, Rich Seddon, Peter Lynch, Rebecca Hulse, Nexus Users, Gerd Aschemann
Dan, I believe you only need to run the login once, then your tokenized credentials are saved.

Best,
Matthew

Dan Tran

Apr 19, 2016, 5:58:32 PM
to Matthew Barker, Rich Seddon, Peter Lynch, Rebecca Hulse, Nexus Users, Gerd Aschemann
Hi Matthew,

That is much better. :-)  Still, it would be much better if I didn't have to log in. 

Thanks

-D

Rebecca Hulse

Apr 20, 2016, 12:27:17 PM
to Peter Lynch, Nexus Users, Matthew Barker, Gerd Aschemann
The output of keytool -printcert -sslserver <machineName> is:
  no certificate from ssl server

The output of :  keytool -printcert -sslserver <machineName>:18443

Certificate #0
====================================
Owner: CN=<machineName>, OU=products, O=datav, L=Bellevue, ST=WA, C=US
Issuer: CN=<machineName>, OU=products, O=datav, L=Bellevue, ST=WA, C=US
Serial number: 47687298
Valid from: Mon Apr 18 13:06:49 PDT 2016 until: Sun Apr 13 13:06:49 PDT 2036
Certificate fingerprints:
MD5:  71:83:F4:FC:FF:DD:11:94:8F:45:F4:9B:77:FF:47:1B
SHA1: C0:16:FF:6E:39:15:EA:20:F2:DA:F4:F4:86:1D:56:09:1A:4A:5C:C9
SHA256: 1E:DB:91:26:8F:E8:CF:62:43:F4:E6:05:0F:D1:31:C1:A0:9E:6F:FA:86:D6:E0:94:94:06:BA:09:D8:BB:44:5C
Signature algorithm name: SHA256withRSA
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: <machineName>
  IPAddress: <ip address>
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A4 CA EA 58 94 A1 7E 25   AF F2 37 C9 92 6E D0 87  ...X...%..7..n..
0010: 13 14 CA 53                                        ...S
]
]


The output of keytool -printcert -sslserver <machineName>:18443 -rfc is the certificate key


Peter Lynch

Apr 20, 2016, 3:29:58 PM
to Rebecca Hulse, Nexus Users, Matthew Barker, Gerd Aschemann
On Wed, Apr 20, 2016 at 1:27 PM, Rebecca Hulse <rhul...@gmail.com> wrote:
The output of keytool -printcert -sslserver <machineName> is:
  no certificate from ssl server

The output of: keytool -printcert -sslserver <machineName>:18443


The cert seems fine.

My experience is that starting over with a new docker-machine helps. Then, on the VM hosting the docker daemon, trust the Nexus certificate at the system level.

Rebecca Hulse

Apr 26, 2016, 4:25:41 PM
to Nexus Users
All,

We were finally able to get this working. There are a couple of important things to note:

- ${karaf.etc} points to "/opt/nexus", so it is best to ensure Nexus is installed in this location and to create your certificates in /opt/nexus/etc/ssl. That way, when you update org.sonatype.nexus.cfg to add ${karaf.etc}/jetty-https.xml, it will point to the correct folder/file.
- For us, we had to use a fully qualified machine name, because a certificate with "CN=*" did not work; we needed to use "CN=*.<our domain name>".
- Before doing a docker pull command you first needed to perform a "docker login -u <username> -p <password> <fully qualified machine name>:<ssl port for the repository>"
- If using linux, you might want to ensure that the hostname where you are starting the docker container is a fully qualified host name or start the docker container using a fully qualified host name that can be resolved something like:
 - docker run -p 8081:8081 -p 8443:8443 -p 18443:18443 -p 18444:18444 -h <fully qualified hostname> --name nexus3 -v ~/nexusData:/nexus-data <name used to build image>


I have attached the updated Dockerfile for reference and for anyone else trying to set up the self-signed certificate stuff on Ubuntu.  Just make sure to update "<enter domain name>" in the Dockerfile with your actual domain name.

Here is a summary of the steps to get things running on Linux Ubuntu:
  1. If using the attached Dockerfile, search and replace "<enter domain name>" with your domain name 
  2. build the docker image
  3. Start the container for the image you just built (similar to the docker run command above).  See the documentation on the official docker image for how to start the container: https://hub.docker.com/r/sonatype/nexus3/ .  The only difference is that there are a few more ports to map if using the attached Dockerfile
  4. From a browser navigate to your Nexus server: http://<machine name>:8443
  5. Follow the Nexus documentation to setup the docker hub, hosted docker, and docker group https://books.sonatype.com/nexus-book/3.0/reference/docker.html#docker-proxy 
    1. For my hosted docker repository I used https port 18444, for the docker group I used port 18443
  6. The anonymous user did not work for me because I could not set a password for this and when performing a docker login I needed a password.  Therefore, I setup a new user in the Nexus Repository Manager.  See Nexus documentation for how to create users and roles: https://books.sonatype.com/nexus-book/3.0/reference/security.html#users 
  7. Now to pull an image from the newly setup repository I needed to do the following:
    1. on a machine where you are running docker, perform a docker login
      1. docker login -u <user you created in step 6> -p <password> <fully qualified machine name>:<ssl port for repository, if you setup the docker group it would be 18443>
    2. Now you should be able to do a docker pull
      1. docker pull <fully qualified machine name>:<ssl port for repository, if you setup the docker group it would be 18443>/<tag>
      2. for example, docker pull <fully qualified machine name>:18443/ubuntu
Dockerfile

psp

Dec 7, 2016, 12:46:09 PM
to Nexus Users
Hi,
   I am using the updated Dockerfile which you shared. I am running docker on the machine 10.0.0.5, so I changed the CN field to "CN=*.10.0.0.5". I built the image and ran it. I can access Nexus successfully, and I created the docker private registry successfully. When I try to docker login with my admin credentials I get the error below:

"Error response from daemon: Get https://10.0.0.5:18443/v1/users/: x509: cannot validate certificate for 10.0.0.5 because it doesn't contain any IP SANs"
the command I used is below
docker login  -u admin -p admin123 https://10.0.0.5:18443

I tried docker pull and push as well and I get the same error. Please help me.

Rich Seddon

Dec 7, 2016, 1:18:59 PM
to Nexus Users
Are you using a self-signed certificate in Nexus?  Docker is really picky about certificates; a simple self-signed certificate won't work. See here for details:



psp

Dec 7, 2016, 3:37:51 PM
to Nexus Users
Hi,
    Thanks for your reply. I went through the link which you shared. In my case, what are the values of ${NEXUS_DOMAIN}, ${NEXUS_IP_ADDRESS} and ${SSL_PORT}?  My docker host IP address is 10.0.0.5. Nexus doesn't have any domain name.

Peter Lynch

Dec 7, 2016, 4:56:00 PM
to psp, Nexus Users
On Wed, Dec 7, 2016 at 4:37 PM, psp <param...@gmail.com> wrote:
Hi,
    Thanks for your reply. I went through the link which you shared. In my case, what are the values of ${NEXUS_DOMAIN}, ${NEXUS_IP_ADDRESS} and ${SSL_PORT}?  My docker host IP address is 10.0.0.5. Nexus doesn't have any domain name.

On Wednesday, 7 December 2016 12:18:59 UTC-6, Rich Seddon wrote:
Are you using a self-signed certificate in Nexus?  Docker is really picky about certificates; a simple self-signed certificate won't work. See here for details:



NEXUS_IP_ADDRESS in your case is the IP address that you expect the docker daemon to use to access your Nexus Repository Manager - use 10.0.0.5

Every host has a host name - ${NEXUS_DOMAIN} is essentially this.  Worst case, you can use localhost.

-ext "SAN=DNS:localhost,IP:10.0.0.5"
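
As an added example (not code from this thread, from Sonatype, or from Docker), here is a small Python checker for the certificate properties discussed above and in the April replies: whether the name the daemon connects with is covered by a DNS SAN (or, when there are no DNS SANs, by the CN), whether an IP literal such as 10.0.0.5 is covered by an IP SAN, and whether BasicConstraints CA:true is present, as keytool's -ext "BC=ca:true" produces. It parses the plain-text output of keytool -printcert shown earlier in the thread. Both inputs are constructed samples: the hypothetical host nexus.example.test is an assumption, and the second sample is shaped like a CN-only certificate, which is what yields the "doesn't contain any IP SANs" error when the daemon connects by IP. The hostname matching follows the rules Docker's Go TLS stack applies (a wildcard only as the whole leftmost label), which is also why a bare CN=* did not work for Rebecca.

```python
import ipaddress
import re

# Constructed sample: the shape of `keytool -printcert -sslserver host:port`
# output posted in this thread, with placeholders filled using the hypothetical
# host nexus.example.test and the 10.0.0.5 address mentioned in the thread.
SAMPLE_WITH_SAN = """Certificate #0
====================================
Owner: CN=nexus.example.test, OU=products, O=datav, L=Bellevue, ST=WA, C=US
Issuer: CN=nexus.example.test, OU=products, O=datav, L=Bellevue, ST=WA, C=US
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: nexus.example.test
  IPAddress: 10.0.0.5
]
"""

# Constructed sample: a CN-only certificate with no SAN extension, the shape
# that produces "doesn't contain any IP SANs" when the daemon connects by IP.
SAMPLE_CN_ONLY = """Certificate #0
====================================
Owner: CN=*.10.0.0.5, OU=products, O=datav, L=Bellevue, ST=WA, C=US
Issuer: CN=*.10.0.0.5, OU=products, O=datav, L=Bellevue, ST=WA, C=US
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
"""


def parse_printcert(text):
    """Pull the fields that matter for registry trust out of keytool -printcert text."""
    cn_match = re.search(r"^Owner:\s*CN=([^,\n]+)", text, re.M)
    return {
        "cn": cn_match.group(1).strip() if cn_match else None,
        "dns_sans": re.findall(r"^\s*DNSName:\s*(\S+)", text, re.M),
        "ip_sans": re.findall(r"^\s*IPAddress:\s*(\S+)", text, re.M),
        "is_ca": re.search(r"^\s*CA:true\s*$", text, re.M) is not None,
    }


def name_matches(pattern, hostname):
    """Hostname matching the way Docker's Go TLS stack does it: case-insensitive,
    with a wildcard allowed only as the whole leftmost label ('*.mydomain.foo.com').
    A bare '*' never matches anything."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".mydomain.foo.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return pattern == hostname


def check_registry_cert(cert, target):
    """Return the reasons the daemon would reject `cert` when reaching the
    registry as `target` (a hostname or an IP literal); an empty list means OK."""
    problems = []
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        # Connections by IP are checked only against IP SANs; the CN is ignored.
        if not any(ipaddress.ip_address(i) == ip for i in cert["ip_sans"]):
            problems.append(f"no IP SAN for {target} (CN does not count for IP connections)")
    else:
        # When DNS SANs exist they are authoritative; otherwise fall back to the CN.
        candidates = cert["dns_sans"] or ([cert["cn"]] if cert["cn"] else [])
        if not any(name_matches(c, target) for c in candidates):
            problems.append(f"no DNS SAN or CN matching {target} (have {candidates})")

    # The thread's advice: the self-signed cert must be marked as a CA (-ext BC=ca:true).
    if not cert["is_ca"]:
        problems.append("BasicConstraints CA:true missing (keytool -ext BC=ca:true)")
    return problems


def san_extension(dns_names, ips):
    """Build the keytool -ext value that puts both names and IPs in the SAN."""
    parts = [f"DNS:{d}" for d in dns_names] + [f"IP:{i}" for i in ips]
    return "SAN=" + ",".join(parts)


if __name__ == "__main__":
    for label, sample, target in [
        ("with SAN, by name", SAMPLE_WITH_SAN, "nexus.example.test"),
        ("with SAN, by IP", SAMPLE_WITH_SAN, "10.0.0.5"),
        ("CN only, by IP", SAMPLE_CN_ONLY, "10.0.0.5"),
    ]:
        print(label, "->", check_registry_cert(parse_printcert(sample), target) or "OK")
    print(san_extension(["localhost"], ["10.0.0.5"]))
```

To check a real registry, feed the output of keytool -printcert -sslserver <host>:<port> to parse_printcert and pass the exact host string the daemon will use (the one in docker login / docker pull) to check_registry_cert; an empty result means the name and SAN side is fine, and any remaining x509 error is a trust-store problem on the daemon host rather than a certificate-content problem.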



Rows Priego

Dec 19, 2017, 4:28:46 AM
to Nexus Users

Thank you for the info, that works perfectly for me.

Very helpful!!

THANKSSSSS