Gist: greg-k-taylor/df5cbf3b2f2307667e05bc2a9169209e

Setting up the Docker.BioDock.io Docker Registry with Let's Encrypt TLS support

This gist describes how to set up a private Docker Registry on an AWS EC2 instance and how to secure it with TLS using a certificate by Let's Encrypt.

A Docker registry is a server-side application that stores Docker images and lets you distribute them. It runs in its own Docker container, and the image is freely available. Let's Encrypt is a Certificate Authority that issues TLS certificates free of charge.

0. Prerequisites

We require the following three items to be set up correctly before we start.

  1. An EC2 instance with Docker installed (sudo apt-get install docker.io)
  2. A domain name associated with the EC2 instance (docker.biodock.io)
  3. The EC2 instance's VPC and Security Group have been set up to expose the SSH, HTTP, HTTPS and Docker Registry ports (22/TCP, 80/TCP, 443/TCP, 5000/TCP) publicly.

1. Configure Nginx to serve SSL connections.

  1. Edit the /etc/nginx/sites-available/default configuration file changing the server name from _ to the docker.biodock.io domain name.
  2. Edit the /etc/nginx/sites-available/default configuration file adding another server entry to listen on the 443/TCP port.
# certbot --nginx (step 2) adds the "ssl" flag and the ssl_certificate directives to this block.
server {
        listen 443;
        listen [::]:443;

        server_name docker.biodock.io;

        root /var/www/html;
        index index.html;

        location / {
                try_files $uri $uri/ =404;
        }
}
  3. Restart nginx.

2. Get a certificate from Let's Encrypt

  1. On the EC2 instance, install certbot, the client that obtains the certificate from Let's Encrypt:
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
  2. Run certbot with the nginx plugin. You must enter an administrative email address and your domain.
$ sudo certbot --nginx

This generates the following four files in /etc/letsencrypt/live/YOUR_DOMAIN

cert.pem  chain.pem  fullchain.pem  privkey.pem

Copy the files into a local certs directory. Change their ownership to your local user and restrict the permissions: privkey.pem is the registry's private key and should be readable only by its owner.

3. Start the Docker Registry

  1. Still on the EC2 instance, we will need fullchain.pem and privkey.pem in our registry. Therefore we create a directory certs/ to be mounted as a volume in the next step. For consistency with the Docker Registry documentation we rename the files to domain.crt and domain.key, respectively.
  2. Run the registry as follows.
# Mounts ./certs (domain.crt = fullchain.pem, domain.key = privkey.pem from the previous step)
# into the container at /certs. Caveat: nginx from step 1 already listens on 443, so the
# "-p 443:443" mapping fails with "address already in use" unless nginx is stopped or moved off that port.
docker run -d -p 5000:5000 -p 443:443 \
  --restart=always \
  --name registry \
  -v "$(pwd)/certs:/certs" \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
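Before bind-mounting the certs directory into the registry, it pays to check that the files are what the registry expects. The following pre-flight check is an added example and not part of the original gist; it assumes the OpenSSL CLI and GNU stat are available and that the files are named domain.crt (full chain) and domain.key as in step 3.1 (other names can be passed as arguments).

```shell
#!/bin/sh
# Added example: sanity-check the certs directory mounted into the registry.
# Assumes OpenSSL CLI and GNU stat (Linux). Usage:
#   check_registry_certs DIR [MIN_DAYS] [CERT_NAME] [KEY_NAME]
check_registry_certs() {
    dir="$1"
    min_days="${2:-14}"
    crt="$dir/${3:-domain.crt}"
    key="$dir/${4:-domain.key}"

    [ -r "$crt" ] || { echo "missing certificate: $crt" >&2; return 1; }
    [ -r "$key" ] || { echo "missing private key: $key" >&2; return 1; }

    # The private key must not be group- or world-readable (expect 0600 or 0400).
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "private key $key has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac

    # The key must belong to the leaf certificate (first cert in the file):
    # compare the public key embedded in the cert with the one derived from the key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) \
        || { echo "cannot parse certificate $crt" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot parse private key $key" >&2; return 1; }
    [ "$crt_pub" = "$key_pub" ] \
        || { echo "certificate and private key do not match" >&2; return 1; }

    # The leaf must stay valid for at least min_days (Let's Encrypt certs last 90 days,
    # so this also catches a forgotten renewal before clients start failing).
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires within $min_days days" >&2; return 1; }

    # Docker clients need the intermediate too; warn if only the leaf is present.
    n=$(grep -c 'BEGIN CERTIFICATE' "$crt")
    [ "$n" -ge 2 ] || echo "warning: $crt holds $n certificate(s); use fullchain.pem" >&2

    echo "ok: $crt / $key (mode $mode, $n cert(s), valid for more than $min_days days)"
    return 0
}
```

Run it as check_registry_certs ./certs before the docker run above; a non-zero exit means the registry would either fail to start TLS or serve a key/cert pair that clients reject.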

4. Verify the registry and TLS are working

  1. Download and tag an image so that it points to the new registry: docker pull hello-world && docker tag hello-world docker.biodock.io/hello-world
  2. Push the image to the new registry: docker push docker.biodock.io/hello-world. If the upload succeeds, all is fine.
  3. Verify by viewing your registry's catalog in a web browser or Postman: https://docker.biodock.io/v2/_catalog. Note that the registry as configured here has no authentication, so anyone who can reach port 443 or 5000 can list, pull and push images.

Troubleshooting

  1. Stop the registry container with docker stop registry
  2. Remove the registry container with docker rm -v registry
  3. Re-run the start command without the -d flag and review the output while testing.
