Looping the list back into the conversation

From: Lorenz Vanthillo <lorenz.vanthi...@outlook.com>
Date: Wednesday, 16 March 2016 at 10:18 PM
To: Tim Moor <tim.m...@spring.co.nz>
Subject: RE: Use --insecure-registry tag on Secure OpenShift registry?

oc login
Docker login on registry.dev.com:443

docker push registry.dev.com:443/test/test (Tagged the image before)
In my OpenShift I see an image-stream: service-ip:5000/test/test
So that seems to work fine.

But now it doesn't seem to be an issue related to the push.
Because when I create an s2i-app, there is also a new image-stream created in 
the project.
When I try to use that image-stream inside the same project I got the same 
error:

oc new-app 172.30.xx.xx:5000/test-connection/test   (this isn't a pushed image 
or something, just a new image-stream created by s2i-approach)
error: can't look up Docker image..  x509: certificate signed...

loglevel 5

I0316 09:11:03.089013   83697 dockerimagelookup.go:343] exact match on 
"172.30.xx.xx:5000/test-connection/test:latest"
I0316 09:11:03.089024   83697 dockerimagelookup.go:104] Found local docker 
image match "172.30.xx.xx:5000/test-connection/test:latest" with score 0.000000
I0316 09:11:03.093669   83697 componentresolvers.go:59] Error from resolver: 
[can't look up Docker image "172.30.xx.xx:5000/test-connection/test": Internal 
error occurred: Get https://172.30.xx.xx:5000/v2/: x509: certificate signed by 
unknown authority]
F0316 09:11:03.093758   83697 helpers.go:104] error: can't look up Docker image 
"172.30.xx.xx:5000/test-connection/test": Internal error occurred: Get 
https://172.30.xx.xx:5000/v2/: x509: certificate signed by unknown authority.

My ca.crt contains the content of ca.crt /etc/origin/master/ (and is in 
172...:5000 and registry.dev...:443


________________________________
From: tim.m...@spring.co.nz
To: lorenz.vanthi...@outlook.com
Subject: Re: Use --insecure-registry tag on Secure OpenShift registry?
Date: Tue, 15 Mar 2016 19:23:59 +0000

Can you show me the exact command you’re running for your push to the registry 
using the hostname?

From: Lorenz Vanthillo <lorenz.vanthi...@outlook.com>
Date: Wednesday, 16 March 2016 at 8:11 AM
To: Tim Moor <tim.m...@spring.co.nz>
Subject: RE: Use --insecure-registry tag on Secure OpenShift registry?

I performed the same command with my service IP and my hostname: 
registry.dev.xxx.com.

docker-registry   registry.dev.xxx.com             docker-registry:5000-tcp   
passthrough   docker-registry=default

It seems to work: in my web console I see:
Using provided push secret for pushing 172.30.xx.xx:5000/test2/test2:latest 
image
and the push was successful

________________________________
From: tim.m...@spring.co.nz
To: lorenz.vanthi...@outlook.com
Subject: Re: Use --insecure-registry tag on Secure OpenShift registry?
Date: Tue, 15 Mar 2016 19:09:19 +0000

If that shows that TLS is enabled then the problem definitely exists with the 
certificates.

Have you externalised your registry yet, if so what’s the route name?

Provide the output of
# oc get routes

Make sure that whatever name you’ve chosen for your external hostname was 
also included in your certificate creation command

I.e.


oadm ca create-server-cert --signer-cert=ca.crt \
    --signer-key=ca.key --signer-serial=ca.serial.txt \
    --hostnames='docker-registry.default.svc.cluster.local,172.30.124.220' \
    --cert=registry.crt --key=registry.key

And is located in /etc/docker/certs.d/<hostname>

Note: there is no port reference here.

From: Lorenz Vanthillo <lorenz.vanthi...@outlook.com>
Date: Wednesday, 16 March 2016 at 8:03 AM
To: Tim Moor <tim.m...@spring.co.nz>
Subject: RE: Use --insecure-registry tag on Secure OpenShift registry?

I'm sure I performed all the steps. I did it more than once. It's all working 
without --insecure-registry except the oc new-app 172.30.xxx:5000/..

________________________________
From: tim.m...@spring.co.nz
To: lorenz.vanthi...@outlook.com
CC: users@lists.openshift.redhat.com
Subject: Re: Use --insecure-registry tag on Secure OpenShift registry?
Date: Tue, 15 Mar 2016 18:55:32 +0000

Take a look at this section, this describes how to create your certificates, 
share them as secrets to your registry and place them in the correct folders so 
that docker and the oc command have access to them.

By the looks of it, you may have missed one or two of these steps.


  * https://docs.openshift.org/latest/install_config/install/docker_registry.html#securing-the-registry

From: <users-boun...@lists.openshift.redhat.com> on behalf of Lorenz Vanthillo <lorenz.vanthi...@outlook.com>
Date: Tuesday, 15 March 2016 at 11:13 PM
To: "users@lists.openshift.redhat.com" <users@lists.openshift.redhat.com>
Subject: RE: Use --insecure-registry tag on Secure OpenShift registry?

Is the ca.crt in the /etc/origin/master/.. seen as a self-signed certificate? (I 
don't know much about certs but I think real SSL-certs aren't free so it's 
probably seen as self-signed?)
_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
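
Added example, not part of the original thread: a shell check of the two things the replies above ask about, namely whether the registry certificate chains to the CA the client trusts and whether every name used to reach the registry appears in its subjectAltName. The function names, file names and throwaway CA are constructed for illustration; the hostnames are the ones quoted in the thread, and the openssl CLI is assumed to be installed.

```shell
# Added example (not from the thread); function and file names are illustrative.
# Succeeds if CERT's subjectAltName covers NAME (DNS name or IPv4 address).
cert_covers() {
    local cert="$1" name="$2" flag
    case "$name" in
        *[!0-9.]*) flag=-checkhost ;;  # has a non-digit/dot character: DNS name
        *)         flag=-checkip ;;    # IP literals must match an IP SAN, not a DNS SAN
    esac
    openssl x509 -in "$cert" -noout "$flag" "$name" | grep -q 'does match'
}

# Prints one line per check; the return status is the number of failed checks.
audit_registry_cert() {
    local ca="$1" cert="$2" failures=0 name
    shift 2
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL $cert does not chain to $ca"; failures=$((failures + 1)); }
    for name in "$@"; do
        if cert_covers "$cert" "$name"; then
            echo "ok   $name"
        else
            echo "FAIL $name missing from subjectAltName"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed test material: a throwaway CA and a server cert with the given SAN string.
make_demo_pki() {
    local d="$1" san="$2"
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=demo-ca' -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=registry' -keyout "$d/registry.key" -out "$d/registry.csr" 2>/dev/null
    printf 'subjectAltName=%s\n' "$san" > "$d/san.ext"
    openssl x509 -req -in "$d/registry.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/registry.crt" 2>/dev/null
}

# Demo: cert issued with the thread's --hostnames list, audited with the route hostname added.
demo() {
    local d; d=$(mktemp -d)
    make_demo_pki "$d" 'DNS:docker-registry.default.svc.cluster.local,IP:172.30.124.220'
    audit_registry_cert "$d/ca.crt" "$d/registry.crt" \
        docker-registry.default.svc.cluster.local 172.30.124.220 registry.dev.com
}
```

Against a real deployment, call `audit_registry_cert` with the CA file the client trusts, the registry's certificate, and each service IP, service DNS name and route hostname that clients use.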
