Download the certificate
mkdir cert
cd cert
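# Note: passing the password with -u leaves it in shell history and the process list, and this URL is plain HTTP
curl -u admin:brysjhhrhL356126155165352237656123165615 -o test_zk_cert.zip http://192.168.63.100:50000/remote.php/webdav/Documents/cert/5900588_test.zk.limengkai.work_other.zip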
apt install unzip -y
unzip test_zk_cert.zip
ls
# 5900588_test.zk.limengkai.work.key 5900588_test.zk.limengkai.work.pem
mkdir -p certs
cat 5900588_test.zk.limengkai.work.pem > certs/domain.crt
cat 5900588_test.zk.limengkai.work.key > certs/domain.key
# -v "$(pwd)"/certs:/certs \
# /mnt/registry_certs:/certs
cp -a ./certs/ /work_continer_data/mnt/register_certs
# Add the volume mapping in the compose file
# docker -v /work_continer_data/mnt/register_certs:/certs
docker run -d \
--restart=always \
--name registry \
-v "$(pwd)"/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p 443:443 \
registry.cn-hangzhou.aliyuncs.com/mkmk/all:registry-latest
# docker compose
environment:
- RACK_ENV=development
- SHOW=true
- SESSION_SECRET
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
Generate your own certificate
/etc/ssl
Edit openssl.cnf and add the following under [v3_ca]: subjectAltName = IP:<IP address> (use DNS:<domain name> for a hostname)
[ v3_ca ]
subjectAltName = IP:192.168.164.180
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout my.key -out my.pem
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout domain.key -out domain.crt
docker rm -f registry
docker run -d \
--restart=always \
--name registry \
-v "$(pwd)"/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p 443:443 \
registry.cn-hangzhou.aliyuncs.com/mkmk/all:registry-latest
docker logs registry
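Generate a CA certificate
Steps to generate the CA root certificate
Generate the CA private key (.key) --> generate the CA certificate signing request (.csr) --> self-sign to obtain the root certificate (.crt) (a certificate the CA issues to itself).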
# Generate CA private key
openssl genrsa -out ca.key 2048
# Generate CSR
openssl req -new -key ca.key -out ca.csr
# Generate self-signed certificate (CA root certificate)
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
mkdir -p certs
cat ca.key > certs/domain.key
cat ca.crt > certs/domain.crt
Use self-signed certificates
Warning: Using this along with basic authentication also requires trusting the certificate in the OS cert store for some versions of Docker (see below).
This is more secure than the insecure registry solution.
Generate your own certificate:
$ mkdir -p certs
$ openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-addext "subjectAltName = DNS:myregistry.domain.com" \
-x509 -days 365 -out certs/domain.crt
# -addext "subjectAltName = IP:192.168.164.180" \
Be sure to use the name myregistrydomain.com as a CN.
Use the result to start your registry with TLS enabled.
Instruct every Docker daemon to trust that certificate. The way to do this depends on your OS.
# Linux: Copy the domain.crt file to
/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
# on every Docker host. You do not need to restart Docker.
Windows Server:
Open Windows Explorer, right-click the domain.crt file, and choose Install certificate. When prompted, select the following options:
Store location: local machine
Place all certificates in the following store: selected
Click Browse and select Trusted Root Certification Authorities.
Click Finish. Restart Docker.
Docker Desktop for Mac: Follow the instructions in Adding custom CA certificates. Restart Docker.
Docker Desktop for Windows: Follow the instructions in Adding custom CA certificates. Restart Docker.
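A pre-flight check for the domain.crt / domain.key pair before it is mounted into the registry, as an added example that is not part of the original page or the Docker documentation: it confirms the expected SAN entry, that the key belongs to the certificate, and the remaining validity. Function names are hypothetical, the demo pair is constructed with the page's sample IP, and OpenSSL 1.1.1+ is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for the
# certs/domain.crt + certs/domain.key pair before mounting it into the registry.
# Assumes OpenSSL 1.1.1+ (for -addext); all function names are hypothetical.

# Succeeds only if the SAN extension contains exactly ENTRY,
# e.g. "IP Address:192.168.164.180" or "DNS:myregistry.domain.com".
cert_has_san() {  # cert_has_san CERT ENTRY
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "$2"
}

# Succeeds only if the private key belongs to the certificate (same public key).
key_matches_cert() {  # key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid DAYS days from now.
cert_valid_for_days() {  # cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed sample input: a throwaway self-signed pair with an IP SAN.
make_demo_cert() {  # make_demo_cert DIR IP
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -subj "/CN=$2" -addext "subjectAltName = IP:$2" \
        -keyout "$1/domain.key" -out "$1/domain.crt" 2>/dev/null
}

# Run all three checks and report the first one that fails.
preflight() {  # preflight CERT KEY SAN_ENTRY MIN_DAYS
    cert_has_san "$1" "$3"        || { echo "FAIL: SAN lacks $3"; return 1; }
    key_matches_cert "$1" "$2"    || { echo "FAIL: key does not match cert"; return 1; }
    cert_valid_for_days "$1" "$4" || { echo "FAIL: expires within $4 days"; return 1; }
    echo "OK: $1"
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" 192.168.164.180
preflight "$demo_dir/domain.crt" "$demo_dir/domain.key" "IP Address:192.168.164.180" 30
rm -rf "$demo_dir"
```

The SAN entry is written the way `openssl x509 -text` prints it, so an IP entry is checked as `IP Address:<addr>` and a hostname as `DNS:<name>`.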