≡ Menu

How to Setup Secure Docker Registry on Linux using TLS SSL Certificate

If you are creating custom docker images for your enterprise, you have two choices on where to host your docker images:

  1. Docker Hub – This hosted registry service is free and provided by Docker Inc. They also have several enterprise level features where you can create multiple accounts for your organizations, setup automatic builds, etc.
  2. Self Hosted Docker Registry – You can setup docker registry within your organization that will host your own docker images.

This tutorial explains how to setup a a secure self-hosted docker registry.

1. Setup TLS Certificate and Key

Copy your existing crt and key file to ~/docker-certs directory

# mkdir /root/docker-certs

# cd /root/docker-certs

# ls -1

In this example, I’m using thegeekstuff.crt certificate file, and thegeekstuff.key file that was generated for my Apache webserver.

For details on how to create your own certificate and key file, refer to this: How To Generate SSL Key, CSR and Self Signed Certificate

2. Manage Intermediate Certificate file

In this case, I also had an Intermediate Certificate from my certificate authority.

For docker registry, you should combine both the certificate and the intermediate certificate into the same certificate file.

i.e Append the content of your intermediate certificate bundle to your certificate file as shown below.

cd /root/docker-certs

cat intermediateCA.pem >> thegeekstuff.crt

3. Start Your Secure Docker Registry

Now, start your secure docker registry as shown below.

docker run -d -p 5000:5000 --restart=always --name registry \
  -v /root/docker-certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/root/docker-certs/thegeekstuff.crt \
  -e REGISTRY_HTTP_TLS_KEY=/root/docker-certs/thegeekstuff.key \

In the above command:

  • Docker registry is getting started on port 5000
  • The name of this docker container is “registry”
  • The local directory which contains the certificate /root/docker-certs is mapped as /certs inside the docker registry container
  • REGISTRY_HTTP_TLS_CERTIFICATE variable points to the certificate filename with full path
  • REGISTRY_HTTP_TLS_KEY variable points to the key filename with full path

Once you start the docker registry, you’ll now see the registry container running as shown below:

# docker ps
CONTAINER ID  IMAGE       COMMAND                  CREATED         STATUS         PORTS                    NAMES
fe9c78c51ec1  registry:2  "/entrypoint.sh /etc/"   30 seconds ago  Up 2 seconds>5000/tcp   registry

4. Access your Secure Docker Registry

Once the secure docker registry is setup, you can access it from other servers inside your network (or from outside your network), and use all the standard docker commands on it.

For example, you can push or pull an image to this secure docker registry as shown below.

docker pull thegeekstuff.com:5000/mongodb

docker push thegeekstuff.com:5000/mongodb

5. Setup InSecure Docker Registry

Note: If you are having any trouble with the Secure Docker Registry, for debugging purpose, start your registry without the certificate and see how it works as shown below:

docker run -d -p 5000:5000 --restart=always --name registry registry:2

When you try to pull an image (or perform any other operation) from your docker registry, you might get the following “oversized record received with length” error message.

For example, when I executed the following command on a remote server (not on the server where the docker registry is setup), I get the following error message:

# docker pull
Using default tag: latest
Error response from daemon: Get tls: oversized record received with length 20527

In this case, is the server where the in-secure docker registry is running (i.e without the security certificates).

In this case, on the remote server, you should allow insecure registry operations. For this, you have to pass “–insecure-registry” parameter to the DOCKER_OPTS environment variable.

On the remote server, modify this file and add the following line:

vi /etc/default/docker

Now, restart the docker on the remote server.

systemctl daemon-reload
systemctl stop docker
systemctl start docker

Now, the docker pull (or any other docker command) will work without any issues, as the insecure registry option is setup.

docker pull
Add your comment

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book