How can I update the self-signed SSL/TLS certificate of the Docker private registry without needing to remove the existing images?

I have a docker private registry deployed locally at 127.0.0.1:443, which is protected with a self-signed SSL/TLS certificate. This registry contains images that are used during container deployment.

However, I am currently facing an issue where the SSL/TLS certificate has expired, and I am no longer able to log in using the command:

docker login -u 'username:test' https://127.0.0.1:443

Executing the above command results in the following error:

Error response from daemon: Get "https://127.0.0.1:443/v2/": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-01-01T14:04:11+04:30 is after 2023-11-12T05:19:15Z

What I did was to generate a new set of certificates and then restart/reinitialize the Docker container as follows:

docker run -d \
--restart=always \
--name registry \
-v `pwd`/auth:/auth \
-v `pwd`/certs:/certs \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/certificate.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/private.key \
-p 443:443 registry:2

This approach was successful, but as you can observe, it represents a fresh deployment. Consequently, all the images have been removed from the registry.

2nd Guess: I also uploaded the new certificates to the docker container as follows:

docker cp certs <registry_container_id>:/certs

and restarted the container:

docker restart <registry_container_id>

The aforementioned action led to the private key not being parsed, consequently causing the container to fail during the restart.

On another note, is there a method to update the SSL/TLS certificate of the Docker registry without causing any disruptions?

>Solution :

The registry image stores uploaded images at /var/lib/registry, so to persist them from container instance to container instance, you need to map a volume or a host directory to that path.

For instance, if you want to store the images in a volume called my-images, you’d add

-v my-images:/var/lib/registry

to your docker run command.
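
The following script is an added example, not part of the original answer: it starts the registry with the answer's `my-images` volume and, on renewal, validates the new certificate and key in the bind-mounted `certs` directory before restarting the same container. The `DOCKER` and `CERT_DIR` variables and the function names are hypothetical helpers; the container name, file names and environment variables are taken from the question.

```shell
#!/bin/sh
# Added example, not from the original post. Container name, file names and
# env vars follow the question; volume "my-images" follows the answer.
DOCKER=${DOCKER:-docker}           # hypothetical knob: DOCKER=echo gives a dry run
CERT_DIR=${CERT_DIR:-$PWD/certs}   # host directory bind-mounted at /certs

# Succeed only if the key parses, the certificate is valid for at least one
# more day, and both carry the same public key.
check_pair() {
    openssl pkey -in "$2" -noout -passin pass: >/dev/null 2>&1 ||
        { echo "private key does not parse: $2" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1 ||
        { echo "certificate unreadable, expired or expiring within a day: $1" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout -outform DER |
        openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 1; }
}

# First start: image data on a named volume, certificates read-only from the host.
start_registry() {
    $DOCKER run -d --restart=always --name registry \
        -v my-images:/var/lib/registry \
        -v "$CERT_DIR":/certs:ro \
        -v "$PWD/auth":/auth \
        -e REGISTRY_AUTH=htpasswd \
        -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/certificate.crt \
        -e REGISTRY_HTTP_TLS_KEY=/certs/private.key \
        -p 443:443 registry:2
}

# Renewal: the new files are already in $CERT_DIR. Validate them, then restart
# the same container so the registry reads them; its volumes are not touched.
rotate_cert() {
    check_pair "$CERT_DIR/certificate.crt" "$CERT_DIR/private.key" || return 1
    $DOCKER restart registry
}

case "${1:-}" in
    start)  start_registry ;;
    rotate) rotate_cert ;;
esac
```

Run it with `start` once and with `rotate` after replacing the files in `certs`; a failed check leaves the running container alone.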
