Docker and Self-Signed Certificates
DrEdWilliams (Created page)
Latest revision as of 19:48, 31 December 2019
While it is possible to tell Docker to ignore the fact that a registry is using self-signed certificates, it is just as easy to put the certificates in a place on the client system where Docker can use them to authenticate the server as it likes to do. Assuming that the registry's self-signed certificates were created as described here, you have the certificate in a file called cert.pem and the key in a file called key.pem. The <hostname> used in the commands below must match EXACTLY the hostname provided when creating the keys.
Docker allows local certificates to be placed in a directory on the client called /etc/docker/certs.d. The contents of this directory are a set of subdirectories -- one for each system to be authenticated -- that contain the cert/key files for that system. Using the certificate created above, issue these commands:
sudo mkdir -p /etc/docker/certs.d/<hostname>
sudo cp cert.pem /etc/docker/certs.d/<hostname>/domain.crt
sudo cp cert.pem /etc/docker/certs.d/<hostname>/ca.crt
sudo cp key.pem /etc/docker/certs.d/<hostname>/domain.key
This must be done on any system that will be accessing the registry. Alternatively, the entire <hostname> subdirectory can be copied to the other systems using scp:
sudo scp -r /etc/docker/certs.d/<hostname> <client-hostname>:/etc/docker/certs.d
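An added check, not part of the original page: a POSIX shell function that audits the certs.d layout described above on a client. It relies on Docker's documented convention that *.crt files in a registry's subdirectory are trusted CA certificates and that NAME.cert/NAME.key pairs are client certificates, so it flags private-key material that is not part of such a pair or is readable beyond its owner. The function name and output format are this example's own.

```shell
#!/bin/sh
# Added example: audit a Docker client certs.d tree (default /etc/docker/certs.d).
# Prints one finding per line: <LEVEL> <registry-dir> <file> <message>
# Returns 1 if any HIGH finding was printed, 0 otherwise.
audit_certs_d() {
    root=${1:-/etc/docker/certs.d}
    high=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        reg=$(basename "$dir")
        # Docker loads every *.crt here as a trusted root for this registry.
        ls "$dir"*.crt >/dev/null 2>&1 ||
            echo "WARN $reg - no *.crt file; a self-signed registry will not verify"
        for f in "$dir"*; do
            [ -f "$f" ] || continue
            name=$(basename "$f")
            # Only files holding PEM private-key material are examined further.
            grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null || continue
            case $name in
                *.key)
                    # Docker pairs NAME.key with NAME.cert (client certificate).
                    [ -f "${f%.key}.cert" ] || {
                        echo "HIGH $reg $name private key without matching .cert"
                        high=1
                    } ;;
                *)
                    echo "HIGH $reg $name private key stored in a non-.key file"
                    high=1 ;;
            esac
            # GNU stat first, BSD stat as fallback.
            mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
            case $mode in
                *00) ;;
                *) echo "HIGH $reg $name mode $mode readable beyond owner"; high=1 ;;
            esac
        done
    done
    return $high
}
```

Source the file and run `audit_certs_d` as root on each client after the directory has been populated or copied; a registry's own private key showing up here means every client holding it can impersonate that registry.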