Secured (TLS + Auth) private docker registry access (invalid registry endpoint)

[jeusdi]

Issue Report

I've created a private docker registry with TLS and authorization: I perform this container in order to start it:

 $ docker run -d -p 5000:5000 --restart=always --name registry \
       -v /root/docker-registry/auth:/auth \
       -e "REGISTRY_AUTH=htpasswd" \
       -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
       -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
       -v /root/docker-registry/certs:/certs \
       -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
       -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
       -v /root/docker-registry/data:/var/lib/registry \
       registry:2

Everything seems to be right:

 $ netstat -tupln | grep 5000
     tcp6       0      0 :::5000       :::*      LISTEN      3160/docker-proxy

  $ docker ps
     CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                          PORTS                    NAMES
     27e79f6a504c        registry:2          "/bin/registry serve "   About an hour ago   Restarting (2) 36 minutes ago   0.0.0.0:5000->5000/tcp   registry

So registry is running and listening on port 5000.

By other hand, I set up a coreOS instance and according to this documentation I've added a .docker/config.json with authentication on docker user home with this content:

{
    "https://x.x.x.x:5000/": {
            "auth": "xxxxxxxxxxxxxxx=",
            "email": "[email protected]"
    }
}

I've already added the certificate (ca.crt) in /etc/ssl/certs and in /etc/docker/certs.d/x.x.x.x:5000/.

From this CoreOS instance, I'm trying to perform that:

$ docker login https://x.x.x.x:5000
Username: xxx
Password:
Email: [email protected]

And it tells me:

Error response from daemon: invalid registry endpoint https://x.x.x.x:5000/v0/: unable to ping registry endpoint https://x.x.x.x:5000/v0/
v2 ping attempt failed with error: Get https://x.x.x.x:5000/v2/: EOF
v1 ping attempt failed with error: Get https://x.x.x.x:5000/v1/_ping: EOF. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry x.x.x.x:5000 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/x.x.x.x:5000/ca.crt

I've also tried to get the connection directly with openssl:

openssl s_client -connect x.x.x.x:5000

The output is:

```
CONNECTED(00000003)
140180300502672:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

---
no peer certificate available

---
No client certificate CA names sent

---
SSL handshake has read 0 bytes and written 308 bytes

---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1467812448
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

---
```

CoreOS Version

NAME=CoreOS
ID=coreos
VERSION=1010.6.0
VERSION_ID=1010.6.0
BUILD_ID=2016-06-28-0910
PRETTY_NAME="CoreOS 1010.6.0 (MoreOS)"
ANSI_COLOR="1;32"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://github.com/coreos/bugs/issues"

Environment

VM machine provided on VirtualBox by Vagrant.