
letsencrypt disabled tls-sni-01 challenge. registry image doesn't support fallback challenges. #2545

Closed
steve-taylor opened this issue Mar 11, 2018 · 15 comments
Labels
bug priority/P0 Must have. Very high priority item.

Comments

@steve-taylor

steve-taylor commented Mar 11, 2018

This

docker run -d -p 443:5000 --name registry --restart=always \
 -v $(pwd)/var/lib/registry:/var/lib/registry \
 -v $(pwd)/auth:/auth \
 -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
 -e REGISTRY_HTTP_HOST=https://docker.example.com \
 -e REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE=/etc/docker/registry/letsencrypt.json \
 -e REGISTRY_HTTP_TLS_LETSENCRYPT_EMAIL=admin@example.com \
 -e REGISTRY_AUTH_HTPASSWD_REALM=example \
 -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
 registry:2

produces this (in the logs)

2018/03/10 22:29:15 [INFO] acme: Registering account for admin@example.com
time="2018-03-10T22:29:16Z" level=info msg="listening on [::]:5000, tls" go.version=go1.7.6 instance.id=46277ada-99d7-458e-aa24-7ef9b9009f86 version=v2.6.2
2018/03/10 22:29:44 [INFO][docker.example.com] acme: Obtaining bundled SAN certificate
2018/03/10 22:29:45 [INFO][docker.example.com] acme: Could not find solver for: dns-01
2018/03/10 22:29:45 [INFO][docker.example.com] acme: Could not find solver for: http-01
2018/03/10 22:29:45 http: TLS handshake error from 120.17.222.195:41255: map[docker.example.com:[docker.example.com] acme: Could not determine solvers]

This is caused by letsencrypt disabling the tls-sni-01 challenge which uses port 443. It falls back to the http-01 challenge which uses port 80, and the dns-01 challenge which uses port 53, but the registry accepts connections on only one port.

More information here: https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188.

Essentially, this means the bundled letsencrypt support is completely useless now. It should either be completely removed from registry or support http-01 needs to be added.

@alexbadm

any progress on this task?

@DiskoJordan

Yes, any progress please ?

@tamasgal

tamasgal commented Nov 8, 2018

Is there a workaround?

@jaydrogers

I was able to get a stable workaround running by using Traefik as a reverse proxy. It handles all of my Let's Encrypt SSL automatically for the "front end". It then passes the web traffic to my registry that is running a self-signed certificate. Since I have both containers running on the same docker private network, that works great for me and the user does not get any SSL validation errors.

After getting that all set up, I realized that all registry users could push and pull images to the registry. Since that could be a huge security issue, I attempted to configure "Portus" to run along with my registry for managing access. After that attempt crashed and burned, I finally settled on cesanta/docker_auth which was not too bad to configure. This allows me to set roles and access permissions on a per user/device basis.

Using these methods, I now have a private docker registry that is automatically secured with Let's Encrypt. Best of all, it is backed by Amazon S3 as well so I can destroy and re-create the container and not have to worry about losing any images.

Sorry for the lengthy post, but thought I would share my experiences in case it helped anyone else out. It sure did take a while to figure that all out 😀

@tamasgal

tamasgal commented Nov 8, 2018

Thanks Jay, I am now manually doing the letsencrypt certificate generation and renewal. 🙈

@ASHWINI-GUPTA

ASHWINI-GUPTA commented Jan 3, 2019

Found a workaround by using Nginx-Proxy as a reverse proxy with the Let's Encrypt companion container. The companion container allows the creation or renewal of Let's Encrypt certificates automatically.

@jaydrogers

Awesome @ASHWINI-GUPTA! That should work too.

Just reporting back that since my original post, the Traefik container for front end has been working perfectly. No issues since set up as well.

@andreasferber

Just as a heads up, Let's Encrypt now supports the TLS-ALPN-01 challenge type, which once again requires only port 443 to work. Implementations seem to be pretty rare at the moment though. https://letsencrypt.org/docs/challenge-types/
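The reverse-proxy workaround described by @jaydrogers above, combined with the TLS-ALPN-01 challenge mentioned in this comment, as an added example that is not from this issue or from the registry project: Traefik v2 terminates TLS on port 443 and obtains the certificate via TLS-ALPN-01 (so no port 80 or DNS access is needed), while the registry listens in plain HTTP on a private Docker network with htpasswd auth still enforced. The hostname, e-mail, paths and Traefik version are assumed placeholders, and the internal plain-HTTP hop is a choice that relies on the private network (the original post used a self-signed certificate there instead).

```yaml
# Added example (not from this issue or the registry project).
# Traefik handles ACME with TLS-ALPN-01 on port 443; the registry is
# reachable only through Traefik on the private network "registry-net".
version: "3.7"

services:
  traefik:
    image: traefik:v2.10   # version is an assumption
    restart: always
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # only labelled containers are routed
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.le.acme.tlschallenge=true   # TLS-ALPN-01, port 443 only
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt   # persists the issued certificate and account key
    networks:
      - registry-net

  registry:
    image: registry:2
    restart: always
    # No REGISTRY_HTTP_TLS_LETSENCRYPT_* settings: ACME is done by Traefik.
    environment:
      REGISTRY_HTTP_ADDR: 0.0.0.0:5000
      REGISTRY_HTTP_HOST: https://docker.example.com   # external URL clients see
      REGISTRY_AUTH_HTPASSWD_REALM: example
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    volumes:
      - ./var/lib/registry:/var/lib/registry
      - ./auth:/auth
    # No "ports:" entry: the registry is never published directly to the host.
    networks:
      - registry-net
    labels:
      - traefik.enable=true
      - traefik.http.routers.registry.rule=Host(`docker.example.com`)
      - traefik.http.routers.registry.entrypoints=websecure
      - traefik.http.routers.registry.tls.certresolver=le
      - traefik.http.services.registry.loadbalancer.server.port=5000

networks:
  registry-net:
```

Mounting the Docker socket gives Traefik read access to the Docker API on that host, so on shared hosts the file provider with a static route is a tighter alternative. Keep `./letsencrypt/acme.json` restricted to the owner, since it holds the ACME account key and the private key of the issued certificate.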

@davidspek
Collaborator

@milosgajdos Is this still something that is wanted for v3, or would it be possible to not have this block the v3 release?

@milosgajdos
Member

In the past a few folks asked about this hence why this is in the v3 milestone.

@davidspek
Collaborator

I think #3943 might be related or actually solve this issue.

@lavalleeale

Yes, it works with current letsencrypt and other modern acme servers

@milosgajdos
Member

@steve-taylor I believe these two merges addressed the woes on the main branch:

Do you mind verifying and/or closing?

@davidspek
Collaborator

@milosgajdos Do you think this can be closed and re-opened if the issue reoccurs? Given the age of this issue I think that might be best and would remove this from the v3 milestone list.

@milosgajdos
Member

Agreed, closing. If the issue hasn't been fixed @steve-taylor, feel free to reopen.
