registry incompatible with Let's Encrypt #96

Open
x3nb63 opened this issue Nov 29, 2019 · 8 comments
@x3nb63

x3nb63 commented Nov 29, 2019

because they turn off their ACMEv1 API.

I use

docker run -d -p 443:5000 --name registry \
  -v `pwd`:/etc/docker/registry/ \
  -v registry:/var/lib/registry \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
  -e REGISTRY_HTTP_HOST=https://docker.example.com \
  -e REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE=/etc/docker/registry/letsencrypt.json \
  -e REGISTRY_HTTP_TLS_LETSENCRYPT_EMAIL=admin@example.com \
  registry:2

and get this error:

FATA[0001] register: acme: Error 403 - urn:acme:error:unauthorized - Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

so I guess the registry:2 image needs to support ACMEv2

@RehakOndrej

Any updates please? I do have the same issue

@xx0r

xx0r commented Jan 10, 2020

Please vote here too if you haven't already
distribution/distribution#3041

@robogeek

ditto

@containerman17

+1

@wilminator

This is ridiculous. I posted a workaround in another repo, but customers should not have to hack the base Docker registry image to get a binary that is compliant with current standards. Let's Encrypt stopped supporting ACME v1 almost 18 months ago, and the binary in the image is over 2 years old per the history on this repo. Please take the time to fix the binary and do right by your userbase, or it won't be a surprise when they dump Docker for podman.

@x3nb63
Author

x3nb63 commented May 21, 2021

Well, I am about to do just that.

Worked around this ticket long ago by placing Traefik in front of the registry (be aware of its automatic reporting enabled by default!)

For the registry, looking into running Project Quay meanwhile. Access Controls is also a thing...

@milosgajdos
Member

@wilminator there is no such thing as "customers" of distribution. distribution has never been a product, but rather an OSS project. Besides, distribution has been recently donated to CNCF and is currently in the process of sorting out some things so that the project can get back to better shape than it is now.

@wifidabba

It's compatible with Let's Encrypt; you have to map

environment:
  REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: "/certs/live/registry.you-domain.com/fullchain.pem"
  REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/live/registry.you-domain.com/fullchain.pem"
  REGISTRY_HTTP_TLS_KEY: "/certs/live/registry.you-domain.com/privkey.pem"
volumes:
  - "/etc/letsencrypt:/certs"
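
An added example, not from any commenter or the project: a complete Compose service for the approach in the last comment, where an external ACME client on the host (certbot is assumed here) obtains the certificate and the registry only reads the files. The service name, the host port and `registry.example.com` are placeholders; the built-in `REGISTRY_HTTP_TLS_LETSENCRYPT_*` settings from the original report are left out because they enable the client that fails with the ACMEv1 error.

```yaml
# Added example; the service name, paths and domain are placeholders/assumptions.
services:
  registry:
    image: registry:2
    restart: unless-stopped
    ports:
      - "443:5000"
    environment:
      REGISTRY_HTTP_ADDR: "0.0.0.0:5000"
      # Serve TLS from files issued outside the registry
      # (assumed: certbot running on the host).
      REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/live/registry.example.com/fullchain.pem"
      REGISTRY_HTTP_TLS_KEY: "/certs/live/registry.example.com/privkey.pem"
      # REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE / _EMAIL are deliberately unset:
      # they switch on the built-in ACME client, which produced the
      # "Account creation on ACMEv1 is disabled" 403 in the original report.
    volumes:
      # Read-only: the container must read the key but never modify it.
      # certbot's live/*.pem files are symlinks into ../../archive/, so the
      # parent directory is mounted rather than live/<domain> alone.
      - "/etc/letsencrypt:/certs:ro"
      - "registry:/var/lib/registry"

volumes:
  registry:
```

Mounting all of `/etc/letsencrypt` also exposes the ACME account key and the private keys of any other certificates on the host to the container; copying only this domain's two files into a dedicated directory from a renewal hook narrows that exposure.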
