I have a remote Docker registry set up. It has a generic SSL certificate installed.
If I curl it, I get an 'unknown authority' error:
curl https://example.com:5000/v2/
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
...
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
So I curl it with 'insecure':
curl -k https://example.com:5000/v2
And I get:
{} //which I guess is because there is nothing in the registry?
To check, I curl a non-existent endpoint:
curl -k https://example.com:5000/moo
404 page not found //which is positive, as it means the -k flag is suppressing the 'unknown authority' correctly
So now that I know I can connect to the registry via curl, I try using the Docker client to push an image:
docker push example.com:5000/my-image
The push refers to a repository [example.com:5000/my-image]
unable to ping registry endpoint https://example.com:5000/v0/
v2 ping attempt failed with error: Get https://example.com:5000/v2/: x509: certificate signed by unknown authority
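v1 ping attempt failed with error: Get https://example.com:5000/v1/_ping: x509: certificate signed by unknown authority
So I try to suppress the error by adding the 'insecure-registry' DOCKER_OPTS (as explained here):
DOCKER_OPTS="--insecure-registry example.com:5000"
and restarting the Docker daemon.
But it doesn't work. I get the same 'unknown authority' warning.
Firstly, why is the Go Daddy certificate not trusted? I have it set up on an nginx server and it works fine with a 'green bar' in the browser.
Secondly, how do I get 'insecure registry' working with Docker? Thanks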
Posted on 2016-07-06 01:10:09
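OK, I got to the bottom of this.
It turns out I didn't need to modify /etc/default/docker with the following:
DOCKER_OPTS="--insecure-registry example.com:5000"
The problem was that the Go-Daddy certificate I installed on the registry also needed to have the intermediate certificates. I received the following from Go-Daddy:
domain.crt
some-bundle.crt
You need to:
cat bundle.crt >> domain.crt
so that the certificate chain is complete. Then everything works fine.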
https://stackoverflow.com/questions/38208381