Download the certificate


mkdir cert

cd cert

curl -u admin:brysjhhrhL356126155165352237656123165615 -o test_zk_cert.zip  http://192.168.63.100:50000/remote.php/webdav/Documents/cert/5900588_test.zk.limengkai.work_other.zip

apt  install  unzip  -y

unzip test_zk_cert.zip 

ls
# 5900588_test.zk.limengkai.work.key  5900588_test.zk.limengkai.work.pem

mkdir -p certs
cat 5900588_test.zk.limengkai.work.pem > certs/domain.crt
cat 5900588_test.zk.limengkai.work.key > certs/domain.key


#   -v "$(pwd)"/certs:/certs \

# /mnt/registry_certs:/certs

cp -a ./certs/ /work_continer_data/mnt/register_certs


# Add the volume mapping in the compose file
# docker -v /work_continer_data/mnt/register_certs:/certs

docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry.cn-hangzhou.aliyuncs.com/mkmk/all:registry-latest


# docker compose
environment:
  - RACK_ENV=development
  - SHOW=true
  - SESSION_SECRET


openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

Generate your own certificate


/etc/ssl
Edit openssl.cnf and add the following under [v3_ca]: subjectAltName = IP:<IP address> (for a domain name, use DNS:<domain name>)

[ v3_ca ]
subjectAltName = IP:192.168.164.180


openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout my.key -out my.pem


openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout domain.key -out domain.crt


docker rm -f registry

docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry.cn-hangzhou.aliyuncs.com/mkmk/all:registry-latest

docker logs registry


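Generate a CA certificate

Steps to generate a CA root certificate:
Generate the CA private key (.key) --> generate the CA certificate signing request (.csr) --> self-sign to obtain the root certificate (.crt) (the certificate the CA issues to itself).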

 

# Generate CA private key 
openssl genrsa -out ca.key 2048 

# Generate CSR 
openssl req -new -key ca.key -out ca.csr

# Generate the self-signed certificate (the CA root certificate)

openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

mkdir certs
cat ca.key > certs/domain.key
cat ca.crt > certs/domain.crt


Use self-signed certificates

Warning: Using this along with basic authentication also requires you to trust the certificate in the OS cert store for some versions of Docker (see below).

This is more secure than the insecure registry solution.

Generate your own certificate:


$ mkdir -p certs

$ openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -addext "subjectAltName = DNS:myregistrydomain.com" \
  -x509 -days 365 -out certs/domain.crt


  # -addext "subjectAltName = IP:192.168.164.180" \


Be sure to use the name myregistrydomain.com as a CN.

Use the result to start your registry with TLS enabled.
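
Before mounting a new certs/domain.crt and certs/domain.key into the registry, it is worth confirming that the key belongs to the certificate, that the certificate has not expired, and that the registry's host name or IP is listed as a subjectAltName, because Go-based clients such as Docker validate against the SAN rather than the CN. The script below is an added example, not part of the original post; the function names are made up for illustration, and SAN entries are matched exactly (no wildcard handling).

```shell
#!/bin/sh
# Pre-flight check for a registry certificate/key pair (added example).

# Print the certificate's SAN entries, one per line, e.g. "DNS:example.test".
san_entries() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# check_registry_cert CRT KEY NAME: returns 0 only if all three checks pass.
check_registry_cert() {
  crt=$1; key=$2; name=$3
  # 1. The private key must belong to the certificate (compare public keys).
  pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$pub_crt" = "$pub_key" ] || { echo "FAIL: key does not match $crt"; return 1; }
  # 2. The certificate must not already be expired.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: $crt has expired"; return 2; }
  # 3. NAME must be listed as a SAN (exact match; wildcard SANs are not handled).
  san_entries "$crt" | grep -qxF -e "DNS:$name" -e "IP Address:$name" ||
    { echo "FAIL: $crt has no SAN entry for $name"; return 3; }
  echo "OK: $crt matches $key and covers $name"
}

# Constructed demo input: a CN-only certificate and one with SANs via -addext
# (OpenSSL 1.1.1+). The name and IP are the placeholders used on this page.
make_demo_certs() {
  openssl req -newkey rsa:2048 -nodes -x509 -days 365 \
    -subj "/CN=myregistrydomain.com" \
    -keyout "$1/cn-only.key" -out "$1/cn-only.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
    -subj "/CN=myregistrydomain.com" \
    -addext "subjectAltName = DNS:myregistrydomain.com, IP:192.168.164.180" \
    -keyout "$1/san.key" -out "$1/san.crt" 2>/dev/null
}

if [ "$#" -eq 3 ]; then
  check_registry_cert "$@"    # e.g. certs/domain.crt certs/domain.key NAME
else
  d=$(mktemp -d) && make_demo_certs "$d"
  check_registry_cert "$d/cn-only.crt" "$d/cn-only.key" myregistrydomain.com || echo "exit code $?"
  check_registry_cert "$d/san.crt" "$d/san.key" 192.168.164.180
  rm -rf "$d"
fi
```

With three arguments the script checks real files; with none it runs against the constructed demo certificates, where the CN-only certificate fails check 3.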

Instruct every Docker daemon to trust that certificate. The way to do this depends on your OS.


Linux: Copy the domain.crt file to

/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt

on every Docker host. You do not need to restart Docker.

Windows Server:

Open Windows Explorer, right-click the domain.crt file, and choose Install certificate. When prompted, select the following options:

Store location: local machine
Place all certificates in the following store: selected
Click Browse and select Trusted Root Certificate Authorities.

Click Finish. Restart Docker.

Docker Desktop for Mac: Follow the instructions in Adding custom CA certificates. Restart Docker.

Docker Desktop for Windows: Follow the instructions in Adding custom CA certificates. Restart Docker.

Original article: http://www.cnblogs.com/ltgybyb/p/16905328.html
