Unable to login to gitlab container registry from another server

Hi All,

We are trying to install GitLab and the GitLab Container Registry on CentOS 7. The setup is done through the GitLab Docker image, and the container registry is set up with its own domain (i.e. gitlab.centos.local for GitLab and registry.centos.local for the registry).

We are trying to use a self-signed certificate for both GitLab and the container registry; however, we always encounter an issue when trying to perform docker login from a different host, whereas locally (on the GitLab host itself) it is fine.

We are using the latest "gitlab/gitlab-ce" Docker image, which seems to be "GitLab Community Edition 8.11.5 f1ce997", and we are using "Docker version 1.12.1, build 23cf638".

Steps for installing & reproducing the error:

  • Create the self-signed certificates for both GitLab and the registry

[root@Host1 ]# openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout gitlab.centos.local.key -days 365 -out gitlab.centos.local.crt
[root@Host1 ]# openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout registry.centos.local.key -days 365 -out registry.centos.local.crt

  • Add the self-signed certs to the host OS trust store

[root@Host1 ]# cp gitlab.centos.local.crt /etc/pki/ca-trust/source/anchors/
[root@Host1 ]# cp registry.centos.local.crt /etc/pki/ca-trust/source/anchors/
[root@Host1 ]# cp gitlab.centos.local.crt /usr/share/pki/ca-trust-source/anchors/
[root@Host1 ]# cp registry.centos.local.crt /usr/share/pki/ca-trust-source/anchors/
[root@Host1 ]# update-ca-trust extract

  • Add registry.centos.local.crt to be trusted by Docker

[root@Host1 ]# cp registry.centos.local.crt /etc/docker/certs.d/registry.centos.local/ca.crt
[root@Host1 ]# systemctl restart docker

  • Run the gitlab-ce container

[root@Host1 ]# docker run -d \
  --hostname gitlab.centos.local \
  -p 80:80 \
  -p 443:443 \
  --name gitlab \
  --volume /srv/gitlab/config:/etc/gitlab \
  --volume /srv/gitlab/logs:/var/log/gitlab \
  --volume /srv/gitlab/data:/var/opt/gitlab \
  gitlab/gitlab-ce:latest

  • Move the self-signed certs into

[root@Host1 ]# cp gitlab.centos.local.* /srv/gitlab/config/ssl/
[root@Host1 ]# cp registry.centos.local.* /srv/gitlab/config/ssl/

  • Modify gitlab.rb to have the following lines and restart the GitLab container

    external_url "https://gitlab.centos.local"
    registry_external_url "https://registry.centos.local"
    nginx['redirect_http_to_https'] = true
    nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.centos.local.crt"
    nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.centos.local.key"

  • Restart the GitLab container

[root@Host1 ]# docker restart gitlab

  • Log in to GitLab at https://gitlab.centos.local, adding user "test" and project "busybox"

  • Try docker login from the GitLab host itself; everything looks fine

[root@Host1 ]# docker login registry.centos.local
Username: test
Password:
Login Succeeded

  • Go to another VM (called "Host2") with the same environment settings (CentOS 7, Docker 1.12.1). Set the self-signed certs to be trusted there and do a docker login; we get the following error

[root@Host2 ]# docker login registry.centos.local
Username: test
Password:
Error response from daemon: Get https://registry.centos.local/v2/: Get https://gitlab.centos.local/jwt/auth?account=test&client_id=docker&offline_token=true&service=container_registry: x509: certificate signed by unknown authority

This is the error message recorded in the registry log:

/var/log/gitlab/registry/current

2016-09-12_06:44:43.19497 time="2016-09-12T06:44:43.194788182Z" level=warning msg="error authorizing context: authorization token required" environment=production go.version=go1.5.4 http.request.host=registry.centos.local http.request.id=b768683a-465d-47c0-895d-4880ba827d08 http.request.method=GET http.request.remoteaddr=192.168.xx.xx http.request.uri="/v2/" http.request.useragent="docker/1.12.1 go/go1.6.3 git-commit/23cf638 kernel/3.10.0-327.28.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.1 \(linux\))" instance.id=d4678871-d4ab-4183-899c-bdcd7b6dbeb1 service=registry version=v2.4.1

Any pointer / help is greatly appreciated.
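The error from Host2 names two TLS endpoints, and that is the detail worth checking. `docker login` first requests `https://registry.centos.local/v2/`; the registry answers 401 with a `WWW-Authenticate: Bearer realm="..."` challenge (the registry log line above is that 401, "authorization token required"), and the daemon then connects to the realm, here `https://gitlab.centos.local/jwt/auth`, to fetch a token. The `x509: certificate signed by unknown authority` is raised for that second connection, so the daemon on Host2 must trust the certificate of the GitLab host too, not only the one under `/etc/docker/certs.d/registry.centos.local/`. Docker takes trust from `/etc/docker/certs.d/<host>/ca.crt` and from the system CA pool, which it reads once at daemon start, so a cert added with `update-ca-trust extract` only counts after `systemctl restart docker`.

The script below is an added example, not part of the original post: given a Bearer challenge header value, it extracts the realm host and lists which hosts in the login chain have no `ca.crt` under a certs.d directory. The header value and the certs.d layout are constructed to mirror the post; on a live host the header would come from `curl -sSI --cacert registry.centos.local.crt https://registry.centos.local/v2/`.

```shell
#!/bin/sh
# Added example, not from the original post: list every host the docker
# daemon must trust during "docker login <registry>" and report the ones
# that have no CA certificate under <certs.d>/<host>/ca.crt.
#
# docker login talks to two TLS endpoints: the registry (GET /v2/), which
# returns 401 with a "WWW-Authenticate: Bearer realm=..." challenge, and
# then the token realm named in that challenge (GitLab's /jwt/auth here).

# Print the hostname of the realm URL in a Bearer challenge header value.
# Stops at "/", a quote, or ":" so an explicit port is not included.
realm_host() {
    printf '%s\n' "$1" |
        sed -n 's|.*realm="[A-Za-z]*://\([^/":]*\).*|\1|p'
}

# Print each host (arguments after the certs.d directory) that has no
# ca.crt under CERTS_DIR/<host>/. Output is empty when all are covered.
missing_trust() {
    certs_dir=$1
    shift
    for host in "$@"; do
        [ -f "$certs_dir/$host/ca.crt" ] || printf '%s\n' "$host"
    done
}

# Constructed sample input mirroring the post. On a live host use:
#   curl -sSI --cacert registry.centos.local.crt https://registry.centos.local/v2/
REGISTRY_HOST=registry.centos.local
CHALLENGE='Bearer realm="https://gitlab.centos.local/jwt/auth",service="container_registry"'

# Constructed certs.d layout: only the registry host has a ca.crt, as in
# the post's "cp registry.centos.local.crt /etc/docker/certs.d/..." step.
SAMPLE_CERTS_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_CERTS_DIR/$REGISTRY_HOST"
: > "$SAMPLE_CERTS_DIR/$REGISTRY_HOST/ca.crt"

AUTH_HOST=$(realm_host "$CHALLENGE")
echo "registry host:    $REGISTRY_HOST"
echo "token realm host: $AUTH_HOST"
echo "hosts with no ca.crt under $SAMPLE_CERTS_DIR:"
missing_trust "$SAMPLE_CERTS_DIR" "$REGISTRY_HOST" "$AUTH_HOST"
rm -r "$SAMPLE_CERTS_DIR"
```

With the constructed layout the script reports `gitlab.centos.local` as the host without a trusted CA, which matches the failing second hop in the Host2 error. On a real Host2 the same check would be run against `/etc/docker/certs.d`, and a host listed there needs either `ca.crt` added under its own directory or its cert in the system store followed by a daemon restart.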