Forked from PieterScheffers/start_docker_registry.bash
Last active
March 23, 2024 05:54
-
-
Save u1i/1ec704b5c099b407875128fe0b864735 to your computer and use it in GitHub Desktop.
Start docker registry with letsencrypt certificates and Basic Auth
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env bash | |
# install docker | |
# https://docs.docker.com/engine/installation/linux/ubuntulinux/ | |
# install docker-compose | |
# https://docs.docker.com/compose/install/ | |
# install letsencrypt | |
# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04 | |
# Generate SSL certificate for domain | |
/opt/letsencrypt/letsencrypt-auto certonly --keep-until-expiring --standalone -d domain.example.com --email info@example.com | |
# Setup letsencrypt certificates renewing | |
line="30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt-renew.log" | |
(crontab -u root -l; echo "$line" ) | crontab -u root - | |
# Rename SSL certificates | |
# https://community.letsencrypt.org/t/how-to-get-crt-and-key-files-from-i-just-have-pem-files/7348 | |
cd /etc/letsencrypt/live/domain.example.com/ | |
cp privkey.pem domain.key | |
cat cert.pem chain.pem > domain.crt | |
chmod 777 domain.crt | |
chmod 777 domain.key | |
# Generate Password for Basic Auth | |
mkdir auth | |
docker run \ | |
--entrypoint htpasswd \ | |
registry:2 -Bbn testuser testpassword > auth/htpasswd | |
# https://docs.docker.com/registry/deploying/ | |
docker run -d -p 443:5000 --restart=always --name registry \ | |
-v /etc/letsencrypt/live/domain.example.com:/certs \ | |
-v /opt/docker-registry:/var/lib/registry \ | |
-v `pwd`/auth:/auth \ | |
-e "REGISTRY_AUTH=htpasswd" \ | |
-e "REGISTRY_AUTH_HTPASSWD_REALM=Axway Docker Registry" \ | |
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ | |
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ | |
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ | |
registry:2 | |
# List images | |
# https://domain.example.com/v2/_catalog |
Oh, good point.
As there is a volume in use, destroy and rebuild is probably the simple fix, but yeah doing the cert name shuffle in cron would be better.
Thanks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Look at the script on the lines between 21 and 25. This code is executed only once. It must be executed automatically each time the Letsencrypt runs the renewal of certificate (in cronjob, or by using Letsencrypt hooks). Otherwise these generated files will remain unchanged.
Even if the certificate file will be renewed (and the problem above will be fixed), I doubt that the https server (registry:2) knows that the certificate is has been changed. So probably, the https server will continue to use the old certificate until restart.
Sorry for my bad English.