[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Docker registry certificate issue

I think we broke this recently, can you try this PR? https://github.com/openshift/openshift-ansible/pull/5178

On Fri, Aug 25, 2017 at 9:20 AM, Tim Dudgeon <tdudgeon ml gmail com> wrote:

I'm creating this as a new topic, although it has partly been discussed earlier.
Now I have a better understanding of the problem so its best discussed as a new topic.

The issue is that the certificate that is generated by the ansible installer for the docker repository is not correct, so any builder process that tries to push to the repo fails with an error like this:

error: build error: Failed to push image: Get https://docker-registry.default.svc:5000/v1/_ping: x509: certificate is valid for docker-registry-default.os.informaticsmatters.com,, not docker-registry.default.svc
Looking at the /etc/origin/master/registry.crt certificate that is generated on the master node its contents confirm this. The key part is this:

X509v3 Subject Alternative Name: 
               DNS:docker-registry-default.os.informaticsmatters.com, DNS:, IP Address:
Indeed, docker-registry.default.svc is not included in the names.
The os.informaticsmatters.com related hostname comes from the value of the openshift_master_cluster_public_hostname and/or the
openshift_master_default_subdomain variables in the inventory file. Is this present to allow the registry to be exposed externally?

But I'm baffled as to why this is happening. Looking at the code it looks like this is the key player:

And if that is the case then it looks like docker-registry.default.svc should be added.

Is this a bug? If so presumably it should be affecting everyone?

This is using OpenShift Origin 3.6, installing using the ansible installer from the master branch.


users mailing list
users lists openshift redhat com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]