HTTPS issue to local registry:2

[typoworx-de]

I've setup a docker-compose stack with docker registry:v2 and craneoperator. It worked fine with http-only. I've added mkcert local https authority.

I can reach my registry using https://registry-api.php-stack.docker:5000/ (desktop chrome says fine to https-cert).
But craneoperator web-ui tells me:

Error loading data from Registry
status code: 500

This is my stack simplyfied:

version: "3.7"

networks:
  default:
    name: php-stack.local
    external: true

volumes:
  cert-storage:
    name: php-stack-cert-storage
    driver: local
    driver_opts:
      type: none
      device: "$HOME/.local/share/mkcert"
      o: bind

  docker-registry-storage:
    name:  php-stack-docker-registry-storage
  docker-registry-config:
    name:  php-stack-docker-registry-config
  docker-registry-ui-auth:
    name:  php-stack-docker-registry-ui-auth
  docker-registry-ui-certs:
    name:  php-stack-docker-registry-ui-certs
  composer-cache:
    name: php-stack-composer-cache

services:
  cert-backend:
    image: vishnunair/docker-mkcert
    restart: "no"
    environment:
      domain: "*.php-stack.docker,127.0.0.11:5000"
    volumes:
      - "cert-storage:/root/.local/share/mkcert"

  docker-registry:
    image: registry:2
    restart: on-failure
    hostname: registry-api.php-stack.docker
    ports:
      - "127.0.0.11:5000:5000/tcp"
    networks:
      - default
    environment:
      #REGISTRY_HTTP_ADDR: "0.0.0.0:5000"
      REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/_wildcard.php-stack.docker.pem"
      REGISTRY_HTTP_TLS_KEY: "/certs/_wildcard.php-stack.docker-key.pem"
    volumes:
      - "cert-storage:/certs"
      - "docker-registry-storage:/var/lib/registry"
      - "docker-registry-config:/etc/docker/registry"

  docker-registry-ui:
    image: parabuzzle/craneoperator:latest
    restart: on-failure
    depends_on:
      - docker-registry
    hostname: registry.php-stack.docker
    networks:
      - default
    environment:
      REGISTRY_HOST: registry-api.php-stack.docker
      REGISTRY_PORT: 5000
      REGISTRY_PROTOCOL: https
      REGISTRY_SSL_VERIFY: false
      REGISTRY_ALLOW_DELETE: true
    volumes:
      # tried to make craneoperator trust the mkcert's too -- but no luck
      - "cert-storage:/usr/local/share/ca-certificates/"

Just to avoid the question - yes there are certs created by dockerized mkcert on my local-machine:

ls -lah $HOME/.local/share/mkcert
rootCA-key.pem
rootCA.pem
_wildcard.php-stack.docker-key.pem
_wildcard.php-stack.docker.pem

Any suggest? I currently have no live deployment for craneoperator to check ssl works fine there. But I think this should work somehow to if the SSL cert works at all for local development?

I would like to run the registry in https because docker and some other local gitlab-ci begin to suck about non-ssl requests to registry. Hacking my local docker daemon.json to trust insecure-registry is already done, but gitlab-ci runners on my local machine using docker:dind won't have this and that makes everything too confusing.

[typoworx-de]

Wow... that's funny. I think I've partly resolved my own ticket.

I've tested around and opened a shell in craneoperator docker-container. After running update-ca-certificates immediately the error in web-ui is gone and obviously everything works, at least until the container restarts.

I think it would make sense to run that command in docker-entrypoint or at least give an option to do so if required (or if there are files in '/usr/local/share/ca-certificates/').

update-ca-certificates

[typoworx-de]

I've patched locally like this:

docker/craneoperator/Dockerfile

FROM parabuzzle/craneoperator:latest

ADD --chmod=+x ./docker-entrypoint.sh /docker-entrypoint.sh

ENTRYPOINT ["sh", "/docker-entrypoint.sh"]
CMD ["bundle", "exec", "foreman", "start"]

docker/craneoperator/docker-entrypoint.sh

#!/bin/sh
set -e

if [ $(ls -1 /usr/local/share/ca-certificates/ | wc -l) -ne 0 ];
then
  update-ca-certificates
fi

if [ $# -gt 1 ] && [ x"$1" = x"/bin/sh" ] && [ x"$2" = x"-c" ]; then
  shift 2
  eval "set -- $1"
fi

exec "$@"