Rancher v2.9.2: Ignore TLS when pulling images from private registry

I have Rancher v2.9.2 running from Docker, with a command like this:

docker run -d --restart=unless-stopped \
  -p 80:80 -p 443:443 \
  --privileged \
  rancher/rancher:v2.9.2

When trying to deploy an application, I get this error:

Failed to pull image "registry.cicd-gitlab.lan/apps/tsapb1addonclient:main": failed to pull and unpack image "registry.cicd-gitlab.lan/apps/tsapb1addonclient:main": failed to resolve reference "registry.cicd-gitlab.lan/apps/tsapb1addonclient:main": failed to do request: Head "https://registry.cicd-gitlab.lan/v2/apps/tsapb1addonclient/manifests/main": tls: failed to verify certificate: x509: certificate signed by unknown authority

How can I configure the private registry to ignore TLS when pulling the image?

After more searching, I found in the official docs the chapter Advanced Options for Docker Installs, and the first topic is “Custom CA Certificate”, which describes how to “… use a CA root certificate to be used when validating services”.

With that as a reference, I mapped the directory /etc/ssl/certs from my host machine as a volume into the Docker container, and this was what really worked.

So the steps that resolved my problem were:

  1. Install the private registry certificates on host machine:
echo | openssl s_client -servername registry.cicd-gitlab.lan -connect registry.cicd-gitlab.lan:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/registry.cicd-gitlab.lan.crt

sudo cp /tmp/registry.cicd-gitlab.lan.crt /usr/local/share/ca-certificates/

sudo update-ca-certificates

sudo systemctl restart docker.service
  2. Start your Rancher as the docs say. My command line was:
sudo docker run -d \
	--restart=unless-stopped \
	-v /etc/ssl/certs:/container/certs \
	-e SSL_CERT_DIR="/container/certs" \
	-p 80:80 \
	-p 443:443 \
	--privileged rancher/rancher:v2.9.2

I defined the version for Rancher (rancher/rancher:v2.9.2) because I’m using it on an ARM architecture. Below is the OS I’m using:

Linux cicd-rancher 6.8.0-45-generic #45-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug 30 12:26:41 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux

Distributor ID:	Ubuntu
Description:	Ubuntu 24.04.1 LTS
Release:	24.04
Codename:	noble

Hope this helps others with the same problem.
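Added example (not part of the original post): step 1 saves whatever certificate the network presents, so this check can run on that file before it is copied into /usr/local/share/ca-certificates/. The function names, the 7-day expiry margin and the demo certificate helper are assumptions made for illustration, and the expected fingerprint is assumed to come from the registry administrator out of band.

```shell
#!/bin/sh
# Added example: vet the certificate saved in step 1 before trusting it.

# Print the SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# vet_registry_cert FILE HOST EXPECTED_FINGERPRINT
# Returns 0 only when every check passes; otherwise:
#   1 = not a parseable certificate   2 = fingerprint mismatch
#   3 = not valid for HOST            4 = expired or expiring within 7 days
vet_registry_cert() {
    vc_file=$1; vc_host=$2; vc_expected=$3
    openssl x509 -in "$vc_file" -noout 2>/dev/null ||
        { echo "not a certificate: $vc_file" >&2; return 1; }
    vc_actual=$(cert_fingerprint "$vc_file")
    [ "$vc_actual" = "$vc_expected" ] ||
        { echo "fingerprint mismatch, got $vc_actual" >&2; return 2; }
    openssl x509 -in "$vc_file" -noout -checkhost "$vc_host" |
        grep -q 'does match certificate' ||
        { echo "certificate is not valid for $vc_host" >&2; return 3; }
    openssl x509 -in "$vc_file" -noout -checkend 604800 >/dev/null ||
        { echo "certificate expires within 7 days" >&2; return 4; }
    return 0
}

# Constructed sample input: a throwaway self-signed certificate for HOST,
# valid for DAYS days, written to DIR/demo.crt (hypothetical helper).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null
}
```

In the flow above it would sit between the `openssl s_client` capture and the `sudo cp`, for example `vet_registry_cert /tmp/registry.cicd-gitlab.lan.crt registry.cicd-gitlab.lan "$EXPECTED_FP" && sudo cp ...`, where `EXPECTED_FP` is a placeholder for the out-of-band value.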