Enabling TLS with EasyRSA -- request respond with alert bad certificate

Bug #2066377 reported by Adam Dyess
Affects: Docker Registry Charm
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

When docker-registry is related to a certificate authority (like easyrsa or vault) as in https://ubuntu.com/kubernetes/docs/docker-registry, using curl to test the registry shows `alert bad certificate`

ubuntu@juju-a823e7-2:~$ curl --verbose --cacert /etc/docker/registry/ca.crt https://10.246.154.98:5000/v2/_catalog -k
* Trying 10.246.154.98:5000...
* Connected to 10.246.154.98 (10.246.154.98) port 5000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=10.246.154.98
* start date: May 16 09:06:48 2024 GMT
* expire date: May 14 09:06:48 2034 GMT
* issuer: CN=10.246.154.178
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x5625c12a8eb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /v2/_catalog HTTP/2
> Host: 10.246.154.98:5000
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS alert, bad certificate (554):
* OpenSSL SSL_read: error:0A000412:SSL routines::sslv3 alert bad certificate, errno 0
* Failed receiving HTTP2 data
* OpenSSL SSL_write: SSL_ERROR_ZERO_RETURN, errno 0
* Failed sending HTTP2 data
* Connection #0 to host 10.246.154.98 left intact
curl: (56) OpenSSL SSL_read: error:0A000412:SSL routines::sslv3 alert bad certificate, errno 0

Adam Dyess (addyess)
Changed in layer-docker-registry:
milestone: none → 1.31
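Read as a TLS exchange, the trace above shows the server sending a CertificateRequest (13), curl answering with a Certificate (11) message, and the server replying with alert 554 (curl prints 512 + the AlertDescription, so 42, bad_certificate) after the request was sent. The following diagnostic script is an added example, not part of the bug report or of the charm; it pulls those facts out of a curl --verbose trace and assumes curl was run without --cert/--key, so the Certificate message it sent carried no certificate.

```python
import re

# Constructed sample: handshake and alert lines copied from the curl --verbose
# trace in the bug report (unrelated lines omitted).
SAMPLE_TRACE = """\
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /v2/_catalog HTTP/2
* TLSv1.3 (IN), TLS alert, bad certificate (554):
"""

HANDSHAKE_RE = re.compile(r"^\* TLSv1\.\d \((IN|OUT)\), TLS handshake, .*\((\d+)\):$")
ALERT_RE = re.compile(r"^\* TLSv1\.\d \((IN|OUT)\), TLS alert, .*\((\d+)\):$")
# curl prints a TLS alert as 512 + AlertDescription (RFC 8446, section 6).
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca", 116: "certificate_required"}

def diagnose(trace: str) -> dict:
    """Did the server ask for a client cert, did curl answer, was CA checking
    skipped (-k), and which alert did the server send back?"""
    r = {"server_requested_client_cert": False, "client_sent_certificate": False,
         "server_verify_skipped": False, "server_alert": None, "alert_after_handshake": False}
    handshake_done = False
    for line in trace.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            direction, msg_type = m.group(1), int(m.group(2))
            if direction == "IN" and msg_type == 13:     # CertificateRequest from the server
                r["server_requested_client_cert"] = True
            elif direction == "OUT" and msg_type == 11:  # curl's Certificate (assumed empty: no --cert given)
                r["client_sent_certificate"] = True
            elif direction == "OUT" and msg_type == 20:  # curl's Finished: handshake complete on our side
                handshake_done = True
            continue
        if "continuing anyway" in line:  # only printed when -k/--insecure disabled CA verification
            r["server_verify_skipped"] = True
        m = ALERT_RE.match(line)
        if m and m.group(1) == "IN":
            r["server_alert"] = ALERT_DESCRIPTIONS.get(int(m.group(2)) - 512, "unknown")
            r["alert_after_handshake"] = handshake_done
    return r

def likely_cause(r: dict) -> str:
    if r["server_requested_client_cert"] and r["server_alert"] in ("bad_certificate", "certificate_required", "unknown_ca"):
        return "server requires client certificate authentication (mTLS) and rejected curl's certificate message"
    return "no client-certificate problem detected"
```

Note that `--cacert` together with `-k` still leaves the server's certificate unverified, which is why the trace reports "continuing anyway" instead of failing on the issuer.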