Skip to content

Instantly share code, notes, and snippets.

@u1i
Forked from PieterScheffers/start_docker_registry.bash
Last active March 23, 2024 05:54
Show Gist options
  • Save u1i/1ec704b5c099b407875128fe0b864735 to your computer and use it in GitHub Desktop.
Save u1i/1ec704b5c099b407875128fe0b864735 to your computer and use it in GitHub Desktop.
Start docker registry with letsencrypt certificates and Basic Auth
#!/usr/bin/env bash
# install docker
# https://docs.docker.com/engine/installation/linux/ubuntulinux/
# install docker-compose
# https://docs.docker.com/compose/install/
# install letsencrypt
# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
# Generate SSL certificate for domain
/opt/letsencrypt/letsencrypt-auto certonly --keep-until-expiring --standalone -d domain.example.com --email info@example.com
# Setup letsencrypt certificates renewing
line="30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt-renew.log"
(crontab -u root -l; echo "$line" ) | crontab -u root -
# Rename SSL certificates
# https://community.letsencrypt.org/t/how-to-get-crt-and-key-files-from-i-just-have-pem-files/7348
cd /etc/letsencrypt/live/domain.example.com/
cp privkey.pem domain.key
cat cert.pem chain.pem > domain.crt
chmod 777 domain.crt
chmod 777 domain.key
# Generate Password for Basic Auth
mkdir auth
docker run \
--entrypoint htpasswd \
registry:2 -Bbn testuser testpassword > auth/htpasswd
# https://docs.docker.com/registry/deploying/
docker run -d -p 443:5000 --restart=always --name registry \
-v /etc/letsencrypt/live/domain.example.com:/certs \
-v /opt/docker-registry:/var/lib/registry \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Axway Docker Registry" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2
# List images
# https://domain.example.com/v2/_catalog
@OsoianMarcel
Copy link

I'm not sure, but I feel that this solution will work for only 3 months until Letsencrypt certificate is valid.
Because after certification renovation the registry web server will continue to use old certificate.

@flickerfly
Copy link

I'm not sure, but I feel that this solution will work for only 3 months until Letsencrypt certificate is valid. Because after certification renovation the registry web server will continue to use old certificate.

Line 16 adds a cron job to auto renew. Is that not working?

@OsoianMarcel
Copy link

I'm not sure, but I feel that this solution will work for only 3 months until Letsencrypt certificate is valid. Because after certification renovation the registry web server will continue to use old certificate.

Line 16 adds a cron job to auto renew. Is that not working?

  1. Look at the script on the lines between 21 and 25. This code is executed only once. It must be executed automatically each time the Letsencrypt runs the renewal of certificate (in cronjob, or by using Letsencrypt hooks). Otherwise these generated files will remain unchanged.

  2. Even if the certificate file will be renewed (and the problem above will be fixed), I doubt that the https server (registry:2) knows that the certificate is has been changed. So probably, the https server will continue to use the old certificate until restart.

Sorry for my bad English.

@flickerfly
Copy link

Oh, good point.

As there is a volume in use, destroy and rebuild is probably the simple fix, but yeah doing the cert name shuffle in cron would be better.

@mahmudulrm
Copy link

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment