
RE: Securing registry failed: error bad certificate



Thanks for the fast response.
Well, I performed this already manually and then the security was working. But now I wanted to script this.
So I used:

# get Cluster-IP
RESULT=$(oc get svc/docker-registry | awk '!/CLUSTER_IP/{print $2}')
--> echo $RESULT gave me the IP of the service


sudo oadm ca create-server-cert --signer-cert=ca.crt \
    --signer-key=ca.key --signer-serial=ca.serial.txt \
    --hostnames='docker-registry.default.svc.cluster.local,$RESULT' \
    --cert=registry.crt --key=registry.key

When I echo the command I really get the IP in place of $RESULT.




Date: Tue, 9 Feb 2016 07:13:45 -0500
Subject: Re: Securing registry failed: error bad certificate
From: agoldste redhat com
To: dencowboy hotmail com
CC: users lists openshift redhat com

It's saying the cert doesn't have the IP address of the registry listed as a subjectAltName. What command did you run to generate your cert?

On Tuesday, February 9, 2016, Den Cowboy <dencowboy hotmail com> wrote:
I try to secure my registry but it fails:
These are the logs after a push:
I've checked the certificate: the ca.crt has the same content as the second part of my generated secret. So I don't know why this certificate is bad?

I0209 11:54:53.887517 1 sti.go:315] Successfully built 172.30.221.132:5000/test2/test2:latest
I0209 11:54:53.917560 1 cleanup.go:23] Removing temporary directory /tmp/s2i-build586685329
I0209 11:54:53.917581 1 fs.go:117] Removing directory '/tmp/s2i-build586685329'
I0209 11:54:53.919251 1 sti.go:214] Using provided push secret for pushing 172.30.221.132:5000/test2/test2:latest image
I0209 11:54:53.919274 1 sti.go:218] Pushing 172.30.221.132:5000/test2/test2:latest image ...
E0209 11:54:53.929640 1 dockerutil.go:78] push for image 172.30.221.132:5000/test2/test2:latest failed, will retry in 5s seconds ...
E0209 11:54:58.939648 1 dockerutil.go:78] push for image 172.30.221.132:5000/test2/test2:latest failed, will retry in 5s seconds ...
E0209 11:55:03.960704 1 dockerutil.go:78] push for image 172.30.221.132:5000/test2/test2:latest failed, will retry in 5s seconds ...
E0209 11:55:08.967635 1 dockerutil.go:78] push for image 172.30.221.132:5000/test2/test2:latest failed, will retry in 5s seconds ...
E0209 11:55:13.976535 1 dockerutil.go:78] push for image 172.30.221.132:5000/test2/test2:latest failed, will retry in 5s seconds ...
E0209 11:55:18.986800 1 dockerutil.go:78] push for image 172.30.221.132:5000/test2/test2:latest failed, will retry in 5s seconds ...
E0209 11:55:23.999629 1 dockerutil.go:78] push for image 172.30.221.132:5000/test2/test2:latest failed, will retry in 5s seconds ...
I0209 11:55:28.999901 1 sti.go:223] Registry server Address:
I0209 11:55:28.999950 1 sti.go:224] Registry server User Name: serviceaccount
I0209 11:55:28.999970 1 sti.go:225] Registry server Email: serviceaccount example org
I0209 11:55:28.999989 1 sti.go:230] Registry server Password: <<non-empty>>
F0209 11:55:29.000054 1 builder.go:185] Error: build error: Failed to push image. Response from registry is: unable to ping registry endpoint https://172.30.221.132:5000/v0/
v2 ping attempt failed with error: Get https://172.30.221.132:5000/v2/: x509: cannot validate certificate for 172.30.221.132 because it doesn't contain any IP SANs
v1 ping attempt failed with error: Get https://172.30.221.132:5000/v1/_ping: x509: cannot validate certificate for 172.30.221.132 because it doesn't contain any IP SANs

These are the logs of the registry itself:
time="2016-02-09T11:50:54.384124563Z" level=info msg="redis not configured" go.version=go1.4.2 instance.id=0af8425a-7aef-44e4-9939-1105ac8d92fa
time="2016-02-09T11:50:54.38411731Z" level=info msg="Starting upload purge in 6m0s" go.version=go1.4.2 instance.id=0af8425a-7aef-44e4-9939-1105ac8d92fa
time="2016-02-09T11:50:54.384179893Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.4.2 instance.id=0af8425a-7aef-44e4-9939-1105ac8d92fa
time="2016-02-09T11:50:54.384208064Z" level=info msg="Using Origin Auth handler"
time="2016-02-09T11:50:54.38423117Z" level=debug msg="configured \"openshift\" access controller" go.version=go1.4.2 instance.id=0af8425a-7aef-44e4-9939-1105ac8d92fa
time="2016-02-09T11:50:54.384447261Z" level=info msg="listening on :5000, tls" go.version=go1.4.2 instance.id=0af8425a-7aef-44e4-9939-1105ac8d92fa
10.1.0.1 - - [09/Feb/2016:11:51:02 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:51:12 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:51:22 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:51:32 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:51:42 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:51:52 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:52:02 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:52:12 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:52:22 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:52:32 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:52:42 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:52:52 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:53:02 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:53:12 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:53:22 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:53:32 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:53:42 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:53:52 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:54:02 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:54:12 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:54:22 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:54:32 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:54:42 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:54:52 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
2016-02-09 11:54:53.939908 I | http: TLS handshake error from 10.1.1.1:59082: remote error: bad certificate
2016-02-09 11:54:53.949806 I | http: TLS handshake error from 10.1.1.1:59083: remote error: bad certificate
2016-02-09 11:54:53.951173 I | http: TLS handshake error from 10.1.1.1:59081: remote error: bad certificate
2016-02-09 11:54:58.948438 I | http: TLS handshake error from 10.1.1.1:59086: remote error: bad certificate
2016-02-09 11:54:58.957545 I | http: TLS handshake error from 10.1.1.1:59088: remote error: bad certificate
2016-02-09 11:54:58.961057 I | http: TLS handshake error from 10.1.1.1:59087: remote error: bad certificate
10.1.0.1 - - [09/Feb/2016:11:55:02 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
2016-02-09 11:55:03.963091 I | http: TLS handshake error from 10.1.1.1:59090: remote error: bad certificate
2016-02-09 11:55:03.963511 I | http: TLS handshake error from 10.1.1.1:59089: remote error: bad certificate
2016-02-09 11:55:03.972225 I | http: TLS handshake error from 10.1.1.1:59091: remote error: bad certificate
2016-02-09 11:55:08.979689 I | http: TLS handshake error from 10.1.1.1:59094: remote error: bad certificate
2016-02-09 11:55:08.985091 I | http: TLS handshake error from 10.1.1.1:59096: remote error: bad certificate
2016-02-09 11:55:08.992347 I | http: TLS handshake error from 10.1.1.1:59095: remote error: bad certificate
10.1.0.1 - - [09/Feb/2016:11:55:12 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
2016-02-09 11:55:13.987433 I | http: TLS handshake error from 10.1.1.1:59097: remote error: bad certificate
2016-02-09 11:55:13.993870 I | http: TLS handshake error from 10.1.1.1:59099: remote error: bad certificate
2016-02-09 11:55:13.999576 I | http: TLS handshake error from 10.1.1.1:59098: remote error: bad certificate
2016-02-09 11:55:18.995454 I | http: TLS handshake error from 10.1.1.1:59102: remote error: bad certificate
2016-02-09 11:55:19.004155 I | http: TLS handshake error from 10.1.1.1:59104: remote error: bad certificate
2016-02-09 11:55:19.007233 I | http: TLS handshake error from 10.1.1.1:59103: remote error: bad certificate
10.1.0.1 - - [09/Feb/2016:11:55:22 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
2016-02-09 11:55:24.017056 I | http: TLS handshake error from 10.1.1.1:59107: remote error: bad certificate
2016-02-09 11:55:24.019580 I | http: TLS handshake error from 10.1.1.1:59106: remote error: bad certificate
2016-02-09 11:55:24.019902 I | http: TLS handshake error from 10.1.1.1:59105: remote error: bad certificate
10.1.0.1 - - [09/Feb/2016:11:55:32 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:55:42 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:55:52 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:56:02 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:56:12 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:56:22 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:56:32 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:56:42 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:56:52 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
time="2016-02-09T11:56:54.384405174Z" level=info msg="PurgeUploads starting: olderThan=2016-02-02 11:56:54.384326249 +0000 UTC, actuallyDelete=true"
time="2016-02-09T11:56:54.38543244Z" level=debug msg="filesystem.List(\"/docker/registry/v2/repositories\")" go.version=go1.4.2 instance.id=0af8425a-7aef-44e4-9939-1105ac8d92fa trace.duration=910.417µs trace.file="/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/docker/distribution/registry/storage/driver/base/base.go" trace.func="github.com/docker/distribution/registry/storage/driver/base.(*Base).List" trace.id=e8a053f5-3935-4133-acd3-998e2fc004b8 trace.line=154
time="2016-02-09T11:56:54.385487781Z" level=info msg="Purge uploads finished. Num deleted=0, num errors=1"
time="2016-02-09T11:56:54.385509417Z" level=info msg="Starting upload purge in 24h0m0s" go.version=go1.4.2 instance.id=0af8425a-7aef-44e4-9939-1105ac8d92fa
10.1.0.1 - - [09/Feb/2016:11:57:02 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:57:12 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:57:22 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:57:32 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:57:42 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
2016-02-09 11:57:43.067255 I | http: TLS handshake error from 10.1.1.1:59142: remote error: bad certificate
2016-02-09 11:57:43.068824 I | http: TLS handshake error from 10.1.1.1:59140: remote error: bad certificate
2016-02-09 11:57:43.076552 I | http: TLS handshake error from 10.1.1.1:59141: remote error: bad certificate
2016-02-09 11:57:48.073338 I | http: TLS handshake error from 10.1.1.1:59146: remote error: bad certificate
2016-02-09 11:57:48.081751 I | http: TLS handshake error from 10.1.1.1:59145: remote error: bad certificate
2016-02-09 11:57:48.082256 I | http: TLS handshake error from 10.1.1.1:59147: remote error: bad certificate
10.1.0.1 - - [09/Feb/2016:11:57:52 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
2016-02-09 11:57:53.080354 I | http: TLS handshake error from 10.1.1.1:59148: remote error: bad certificate
2016-02-09 11:57:53.096420 I | http: TLS handshake error from 10.1.1.1:59149: remote error: bad certificate
2016-02-09 11:57:53.096597 I | http: TLS handshake error from 10.1.1.1:59150: remote error: bad certificate
2016-02-09 11:57:58.102439 I | http: TLS handshake error from 10.1.1.1:59154: remote error: bad certificate
2016-02-09 11:57:58.105124 I | http: TLS handshake error from 10.1.1.1:59153: remote error: bad certificate
2016-02-09 11:57:58.106115 I | http: TLS handshake error from 10.1.1.1:59155: remote error: bad certificate
10.1.0.1 - - [09/Feb/2016:11:58:02 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
2016-02-09 11:58:03.109765 I | http: TLS handshake error from 10.1.1.1:59156: remote error: bad certificate
2016-02-09 11:58:03.116820 I | http: TLS handshake error from 10.1.1.1:59158: remote error: bad certificate
2016-02-09 11:58:03.124064 I | http: TLS handshake error from 10.1.1.1:59157: remote error: bad certificate
2016-02-09 11:58:08.120395 I | http: TLS handshake error from 10.1.1.1:59162: remote error: bad certificate
2016-02-09 11:58:08.127914 I | http: TLS handshake error from 10.1.1.1:59163: remote error: bad certificate
2016-02-09 11:58:08.131500 I | http: TLS handshake error from 10.1.1.1:59161: remote error: bad certificate
10.1.0.1 - - [09/Feb/2016:11:58:12 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
2016-02-09 11:58:13.134620 I | http: TLS handshake error from 10.1.1.1:59165: remote error: bad certificate
2016-02-09 11:58:13.138467 I | http: TLS handshake error from 10.1.1.1:59164: remote error: bad certificate
2016-02-09 11:58:13.138939 I | http: TLS handshake error from 10.1.1.1:59166: remote error: bad certificate
10.1.0.1 - - [09/Feb/2016:11:58:22 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:58:32 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:58:42 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:58:52 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:59:02 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
10.1.0.1 - - [09/Feb/2016:11:59:12 +0000] "GET /healthz HTTP/1.1" 200 0 "" "Go 1.1 package http"
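
Added example, not part of the thread or of OpenShift: the "doesn't contain any IP SANs" error above means the certificate must list the service IP, and in a POSIX shell a single-quoted `--hostnames` value is passed with the variable name unexpanded. The sketch below shows the quoting difference, a pre-flight check on the hostname list, and a check of the SAN section of `openssl x509 -noout -text` output; `CLUSTER_IP`, `hostnames_ok`, `san_has_ip` and the sample SAN text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. CLUSTER_IP is a constructed stand-in for
# the service IP that the thread's script stores in $RESULT.
CLUSTER_IP=172.30.221.132

# Single quotes hand the tool the literal text "$CLUSTER_IP"; double quotes
# expand it, e.g. --hostnames="docker-registry.default.svc.cluster.local,$RESULT"
single_quoted() { printf '%s' 'docker-registry.default.svc.cluster.local,$CLUSTER_IP'; }
double_quoted() { printf '%s' "docker-registry.default.svc.cluster.local,$CLUSTER_IP"; }

# hostnames_ok LIST: succeed only if no comma-separated entry is empty or still
# contains "$" or a space, and at least one entry is a dotted-quad IPv4 address.
hostnames_ok() {
    found_ip=1
    old_ifs=$IFS; IFS=,; set -f
    for entry in $1; do
        case $entry in
            ''|*'$'*|*' '*) IFS=$old_ifs; set +f; return 1 ;;
        esac
        if printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            found_ip=0
        fi
    done
    IFS=$old_ifs; set +f
    return "$found_ip"
}

# san_has_ip IP: read `openssl x509 -noout -text` output on stdin and succeed
# only if the Subject Alternative Name line carries exactly "IP Address:IP".
san_has_ip() {
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxq "IP Address:$1"
}

# Constructed sample of the SAN section from `openssl x509 -noout -text`.
SAMPLE_SAN='            X509v3 Subject Alternative Name:
                DNS:docker-registry.default.svc.cluster.local, IP Address:172.30.221.132'

hostnames_ok "$(single_quoted)" || echo "single-quoted list rejected: $(single_quoted)"
hostnames_ok "$(double_quoted)" && echo "double-quoted list accepted: $(double_quoted)"
printf '%s\n' "$SAMPLE_SAN" | san_has_ip "$CLUSTER_IP" && echo "cert lists $CLUSTER_IP as IP SAN"
```

Against a real certificate, pipe `openssl x509 -in registry.crt -noout -text` into `san_has_ip` with the service IP before loading the certificate into the registry secret.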
