docker login failed for gitlab container registry
Summary
We tried to set up the GitLab container registry by installing GitLab Community Edition via Docker 2 weeks ago (pulling the latest gitlab/gitlab-ce from Docker Hub, which seems to be "GitLab Community Edition 8.11.5 f1ce997f"). We are configuring the container registry to use a different domain from GitLab (registry.centos.local & gitlab.centos.local), and we are using self-signed certificates for both of them.
Once GitLab is running & the container registry has been configured, we can log in and pull/push images from the local host (i.e. host1, where we run GitLab), as shown by the following:
[root@host1 ]# docker login registry.centos.local
Username: test
Password:
Login Succeeded
However, when we try to log in to the GitLab container registry from a different host (i.e. host2), we get the following error:
[root@host2 ]# docker login registry.centos.local
Username: test
Password:
Error response from daemon: Get https://registry.centos.local/v2/: Get https://gitlab.centos.local/jwt/auth?account=test&client_id=docker&offline_token=true&service=container_registry: x509: certificate signed by unknown authority
Both servers are running CentOS 7 & "Docker version 1.12.1, build 23cf638".
I have placed the self-signed certs in /etc/docker/certs.d/ and included them in the CentOS 7 ca-trust directory.
Steps to reproduce
1. Create the self-signed certificates for both GitLab & the registry
[root@host1 ]# openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout gitlab.centos.local.key -days 365 -out gitlab.centos.local.crt
[root@host1 ]# openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout registry.centos.local.key -days 365 -out registry.centos.local.crt
2. Add the self-signed certs to the host OS trust store
[root@host1 ]# cp gitlab.centos.local.crt /etc/pki/ca-trust/source/anchors/
[root@host1 ]# cp registry.centos.local.crt /etc/pki/ca-trust/source/anchors/
[root@host1 ]# cp gitlab.centos.local.crt /usr/share/pki/ca-trust-source/anchors/
[root@host1 ]# cp registry.centos.local.crt /usr/share/pki/ca-trust-source/anchors/
[root@host1 ]# update-ca-trust extract
3. Add registry.centos.local.crt to be trusted by Docker
[root@host1 ]# cp registry.centos.local.crt /etc/docker/certs.d/registry.centos.local/ca.crt
[root@host1 ]# systemctl restart docker
4. Run the gitlab-ce container
[root@host1 ]# docker run -d \
--hostname gitlab.centos.local \
-p 80:80 \
-p 443:443 \
--name gitlab \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:latest
5. Move the self-signed certs into
[root@host1 ]# cp gitlab.centos.local.* /srv/gitlab/config/ssl/
[root@host1 ]# cp registry.centos.local.* /srv/gitlab/config/ssl/
6. Modify gitlab.rb to have the following lines
external_url "https://gitlab.centos.local"
registry_external_url "https://registry.centos.local"
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.centos.local.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.centos.local.key"
7. Restart gitlab container
[root@host1 ]# docker restart gitlab
8. Log in to GitLab at https://gitlab.centos.local, adding user "test" and project "busybox"
9. Try docker login from the GitLab host itself, and everything looks fine
[root@host1 ]# docker login registry.centos.local
Username: test
Password:
Login Succeeded
10. Go to another VM (called "host2") with the same environment settings (CentOS 7, Docker 1.12.1). Set the self-signed certs to be trusted there & do a docker login; got the following error:
[root@host2 ]# docker login registry.centos.local
Username: test
Password:
Error response from daemon: Get https://registry.centos.local/v2/: Get https://gitlab.centos.local/jwt/auth?account=test&client_id=docker&offline_token=true&service=container_registry: x509: certificate signed by unknown authority
Relevant logs and/or screenshots
Error messages in /var/log/gitlab/registry/current
2016-09-12_06:44:43.19497 time="2016-09-12T06:44:43.194788182Z" level=warning msg="error authorizing context: authorization token required" environment=production go.version=go1.5.4 http.request.host=registry.centos.local http.request.id=b768683a-465d-47c0-895d-4880ba827d08 http.request.method=GET http.request.remoteaddr=192.168.xx.xx http.request.uri="/v2/" http.request.useragent="docker/1.12.1 go/go1.6.3 git-commit/23cf638 kernel/3.10.0-327.28.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.1 (linux))" instance.id=d4678871-d4ab-4183-899c-bdcd7b6dbeb1 service=registry version=v2.4.1
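The error on host2 is worth reading closely: the request that fails with "x509: certificate signed by unknown authority" is not the one to registry.centos.local/v2/ but the follow-up token request to gitlab.centos.local/jwt/auth. So the certificate that must be trusted by whatever CA set the Docker daemon uses for that second connection is the GitLab one, not only the registry one. The script below is an added example, not part of the issue report or of GitLab's or Docker's own code. It generates the two self-signed certs the report describes (adding a subjectAltName, which a bare `openssl req -x509` does not set and which Go 1.15+ clients such as newer Docker releases require for hostname matching), lays them out in a certs.d-style directory the way dockerd expects (every `*.crt` under `certs.d/<registry>/` is loaded as a CA), and asks offline, with `openssl verify`, whether the registry's CA set also verifies the GitLab certificate. The hostnames mirror the report; all directories are temporary ones the script creates, so nothing under /etc is touched unless you pass your own certs.d path to `install_ca`. It answers the trust question only; it does not claim which store the daemon on host2 actually consulted.

```shell
#!/bin/sh
# Added example, not from the issue above. Hostnames follow the report;
# every path is under a temp dir created here.
set -u

# make_selfsigned HOST OUTDIR -> OUTDIR/HOST.key, OUTDIR/HOST.crt
# Uses a config file rather than -addext so it also works on OpenSSL 1.0.2.
make_selfsigned() {
    _host=$1; _dir=$2
    cat > "$_dir/$_host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $_host
[v3]
subjectAltName = DNS:$_host
basicConstraints = critical,CA:TRUE
EOF
    openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -days 365 \
        -config "$_dir/$_host.cnf" -keyout "$_dir/$_host.key" \
        -out "$_dir/$_host.crt" >/dev/null 2>&1
}

# cert_has_san CERT HOST: succeed if the cert lists DNS:HOST in its SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# install_ca HOST CERT CERTS_D: copy CERT into CERTS_D/HOST/, the per-registry
# layout dockerd reads (pass /etc/docker/certs.d as CERTS_D on a real host)
install_ca() {
    mkdir -p "$3/$1" && cp "$2" "$3/$1/"
}

# registry_bundle HOST CERTS_D OUT: concatenate every *.crt dockerd would load
# for HOST into the single PEM file OUT (empty file if there are none)
registry_bundle() {
    : > "$3"
    for _c in "$2/$1"/*.crt; do
        [ -f "$_c" ] && cat "$_c" >> "$3"
    done
    return 0
}

# verifies_with CERT BUNDLE: succeed if CERT chains to a CA in BUNDLE
verifies_with() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# demo: replay the trust question from the report; returns 0 when every
# expectation holds
demo() {
    _tmp=$(mktemp -d) || return 1
    _certsd="$_tmp/certs.d"          # stand-in for /etc/docker/certs.d
    make_selfsigned registry.centos.local "$_tmp" || return 1
    make_selfsigned gitlab.centos.local "$_tmp" || return 1
    cert_has_san "$_tmp/registry.centos.local.crt" registry.centos.local || return 1

    # Step 3 of the report: only the registry cert goes into certs.d ...
    install_ca registry.centos.local "$_tmp/registry.centos.local.crt" "$_certsd"
    registry_bundle registry.centos.local "$_certsd" "$_tmp/bundle.pem"
    verifies_with "$_tmp/registry.centos.local.crt" "$_tmp/bundle.pem" || return 1
    # ... which verifies the registry host but not the token issuer
    if verifies_with "$_tmp/gitlab.centos.local.crt" "$_tmp/bundle.pem"; then
        echo "unexpected: gitlab cert trusted by registry-only bundle"; return 1
    fi

    # Adding the GitLab cert to the same directory closes that gap
    install_ca registry.centos.local "$_tmp/gitlab.centos.local.crt" "$_certsd"
    registry_bundle registry.centos.local "$_certsd" "$_tmp/bundle.pem"
    verifies_with "$_tmp/gitlab.centos.local.crt" "$_tmp/bundle.pem" || return 1
    echo "ok: registry and gitlab certs both verify against $_certsd/registry.centos.local"
    rm -rf "$_tmp"
}

demo
```

On a real host the same check is `registry_bundle registry.centos.local /etc/docker/certs.d out.pem` followed by `verifies_with /path/to/gitlab.centos.local.crt out.pem`; if that fails while the system store (`update-ca-trust extract`) does trust the GitLab cert, remember that the daemon must be restarted before it re-reads either location.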