
Unable to push/pull docker image to a certificate authenticated private registry? (Not working only on WSL, remote error: tls: alert(116))

I think this is a really strange and interesting issue.

I have a client cert authenticated docker registry set up, with the help of Apache. I have put the necessary certificate files in the appropriate folders according to this article.

Docker pull/push gives this error message:

Error response from daemon: Get https://***:9443/v2/: remote error: tls: alert(116)

I think my certificate files are correct and put in the appropriate places because docker pull and push work correctly on a Linux machine, and I could only reproduce this issue on a WSL system.

This command works properly and gives the image names that I have pushed from the linux machine.

curl --cacert ca.crt --key client.key --cert client.cert "https://***:9443/v2/_catalog"

I doubt that the problem is with my certificate files.

I have also tried running this command:

docker --debug --tlsverify --tlscacert /home/user/.docker/certs.d/***:9443/ca.crt --tlscert /home/user/.docker/certs.d/***:9443/client.cert --tlskey /home/user/.docker/certs.d/***:9443/client.key pull ***:9443/hello-world-test

The output was this, which I cannot understand. Of course the docker daemon is running:

Using default tag: latest
DEBU[0000] FIXME: Got an status-code for which error does not match any expected type!!!: -1 module=api status_code=-1
Cannot connect to the Docker daemon at tcp://localhost:2376. Is the docker daemon running?

Docker version:

  • Docker version 20.10.5, build 55c4c88

Installed linux: linux version

docker-compose.yml

services:
  apache:
    image: "httpd:2.4"
    ports:
      - 9443:9443
    links:
      - registry:registry
    volumes:
      - /opt/docker-registry-certauth/auth:/usr/local/apache2/conf:z
      - /opt/docker-registry-certauth/log:/var/log/apache:z

  registry:
    image: registry:2
    ports:
      - 127.0.0.1:5000:5000
    volumes:
      - /opt/docker-registry-certauth/data:/var/lib/registry:z

I would appreciate it if someone could give me some advice on how to overcome this issue, or if somebody has any idea what the problem could be.


Answer

After lots of research I could not solve this problem on WSL2 systems. But I figured out a workaround; it is not the nicest solution, but it works. I wrote a bash script where I temporarily use a docker dind image to pull the images from the private client-authenticated registry.

docker run --rm --privileged --name=win-dind -v $(pwd):/var/tmp -d docker:20.10-dind

After the dind image runs, we copy the certificate files to the appropriate places.

dindImgId=$(docker ps -qf "name=win-dind")

docker exec -it $dindImgId mkdir -p /etc/docker/certs.d/$registryName/
docker cp ./cert/setup/ca.crt $dindImgId:/etc/docker/certs.d/$registryName/ca.crt
docker cp ./cert/setup/client.key $dindImgId:/etc/docker/certs.d/$registryName/client.key
docker cp ./cert/setup/client.cert $dindImgId:/etc/docker/certs.d/$registryName/client.cert
# Download the necessary images...

And to make sure we do not download every image every time we start our bash script, we can solve it by trying to find our local image id in the registry.

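download() {
  # Image ID of the local copy (sha256:...); empty if the image is not present locally.
  currImageId=$(docker images --no-trunc --quiet "$registryName/$modulName:$imageTag")
  if [[ $currImageId != "" ]]
  then
    # Count how often the local image ID appears in the registry's v2 manifest.
    # Note: -k turns off server certificate verification, so --cacert has no effect here.
    tmp=$(curl -s --cacert ./cert/setup/ca.crt --key ./cert/setup/client.key --cert ./cert/setup/client.cert -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -k -X GET "https://$registryName/v2/$modulName/manifests/$imageTag" | grep -c "$currImageId")
    if [[ $tmp = 0 ]]
    then
      # The registry holds a different image for this tag: pull it inside dind.
      docker exec -it "$dindImgId" docker pull "$registryName/$modulName:$imageTag"
      updatedImages+="$registryName/$modulName:$imageTag "
    else
      echo "Not available newer version from $modulName modul."
    fi
  else
    # No local copy at all: always pull.
    docker exec -it "$dindImgId" docker pull "$registryName/$modulName:$imageTag"
    updatedImages+="$registryName/$modulName:$imageTag "
  fi
}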

Finally I save the images into a tar file and store it at /var/tmp. Because of the volume it will immediately appear on the host machine, and afterwards we just need to load it.

docker exec -it $dindImgId docker save --output /var/tmp/pmsthf-images.tar $updatedImages
docker load < pmsthf-images.tar
User contributions licensed under: CC BY-SA
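A pre-flight check for the certificate directory that the answer copies into the dind container, as an added example that is not part of the original question or answer. It applies the file-naming rules the Docker daemon uses under `certs.d` (`*.crt` as CA roots, `*.cert` and `*.key` as a same-named client pair) and flags a private key that group or other can read. The function name `check_certs_dir` and the private-CA assumption belong to this example.

```shell
# Added example (not from the original post). Checks a certs.d/<registry> style
# directory against the rules the Docker daemon applies when loading registry certs:
#   *.crt  -> CA root used to verify the registry
#   *.cert -> client certificate, needs a same-named *.key
#   *.key  -> client private key, needs a same-named *.cert
# Assumption: the registry uses a private CA, as on this page, so a missing *.crt
# is reported as a problem. Returns 0 when the directory is usable, 1 otherwise.
check_certs_dir() (
  dir=$1
  problems=0
  report() { echo "certs.d check: $1" >&2; problems=$((problems + 1)); }

  [ -d "$dir" ] || { echo "certs.d check: no such directory: $dir" >&2; exit 1; }

  ca_found=0
  for f in "$dir"/*; do
    [ -e "$f" ] || continue            # empty directory: the glob did not match
    case $f in
      *.crt)  ca_found=1 ;;
      *.cert) [ -f "${f%.cert}.key" ] || report "client cert without key: $f" ;;
      *.key)
        # A client cert saved as client.crt would be loaded as a CA root instead.
        [ -f "${f%.key}.cert" ] || report "key without .cert (cert named .crt?): $f"
        # Group/other permission bits are characters 5-10 of the ls mode string.
        [ "$(ls -ldL "$f" | cut -c5-10)" = "------" ] ||
          report "private key readable by group/other: $f"
        ;;
    esac
  done
  [ "$ca_found" -eq 1 ] || report "no CA root (*.crt) for the registry"

  [ "$problems" -eq 0 ]
)

# Usage before the docker cp step, with the answer's source directory:
#   check_certs_dir ./cert/setup || exit 1
```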