From 58e5c619acb2a5cc8520f6aadd34c7f1d1b308ae Mon Sep 17 00:00:00 2001 From: Luke Carpenter Date: Thu, 9 Jul 2015 23:28:08 +0100 Subject: [PATCH 1/3] Include configuration explanation for intermediate TLS certificates Intermediate certificates are issued by TLS providers who themselves are an intermediate of a certificate in the trust store. Therefore, to prove the chain of trust is valid, you need to include their certificate as well as yours when you send your certificate to the client. Contrary to what I said in issue #683, distribution can handle these certificate bundles like nginx. As discussed in #docker-distribution, I have updated the deployment documentation (which recommends the use of a TLS certificate from a provider) to include instructions on how to handle the intermediate certificate when a user is configuring distribution. Signed-off-by: Luke Carpenter --- docs/deploying.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/deploying.md b/docs/deploying.md index 5ab01ba43..09adac6d7 100644 --- a/docs/deploying.md +++ b/docs/deploying.md @@ -89,6 +89,8 @@ docker run -d -p 5000:5000 \ registry:2 ``` +If the certificate issuer supplies you with an 'intermediate' certificate, such as Gandi, you need to combine your certificate with the intermediates to form a 'certificate bundle'. You can do this using the cat command: ```cat server.crt GandiStandardSSLCA2.pem > server.with-intermediate.crt```. You can then configure the registry to use your certificate bundle with the ```REGISTRY_HTTP_TLS_CERTIFICATE``` environment variable. + **Pros:** - best solution From 3389ca8fa650f8103e979f3d60237743fa04c717 Mon Sep 17 00:00:00 2001 From: Luke Carpenter Date: Thu, 9 Jul 2015 23:40:32 +0100 Subject: [PATCH 2/3] Remove mention of a third-party service Signed-off-by: Luke Carpenter --- docs/deploying.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deploying.md b/docs/deploying.md index 09adac6d7..3b136694f 100644 --- a/docs/deploying.md +++ b/docs/deploying.md @@ -89,7 +89,7 @@ docker run -d -p 5000:5000 \ registry:2 ``` -If the certificate issuer supplies you with an 'intermediate' certificate, such as Gandi, you need to combine your certificate with the intermediates to form a 'certificate bundle'. You can do this using the cat command: ```cat server.crt GandiStandardSSLCA2.pem > server.with-intermediate.crt```. You can then configure the registry to use your certificate bundle with the ```REGISTRY_HTTP_TLS_CERTIFICATE``` environment variable. +If the certificate issuer supplies you with an 'intermediate' certificate, you need to combine your certificate with the intermediates to form a 'certificate bundle'. You can do this using the cat command: ```cat server.crt intermediate-certificates.pem > server.with-intermediate.crt```. You can then configure the registry to use your certificate bundle with the ```REGISTRY_HTTP_TLS_CERTIFICATE``` environment variable. **Pros:** From 03db92abb38c66925bfb7be7e3886465678b75a1 Mon Sep 17 00:00:00 2001 From: Luke Carpenter Date: Fri, 10 Jul 2015 22:10:25 +0100 Subject: [PATCH 3/3] update copy with content from @moxiegirl Signed-off-by: Luke Carpenter --- docs/deploying.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/deploying.md b/docs/deploying.md index 3b136694f..ef44641a0 100644 --- a/docs/deploying.md +++ b/docs/deploying.md @@ -89,7 +89,13 @@ docker run -d -p 5000:5000 \ registry:2 ``` -If the certificate issuer supplies you with an 'intermediate' certificate, you need to combine your certificate with the intermediates to form a 'certificate bundle'. You can do this using the cat command: ```cat server.crt intermediate-certificates.pem > server.with-intermediate.crt```. You can then configure the registry to use your certificate bundle with the ```REGISTRY_HTTP_TLS_CERTIFICATE``` environment variable. +A certificate issuer may supply you with an *intermediate* certificate. In this case, you must combine your certificate with the intermediate's to form a *certificate bundle*. You can do this using the `cat` command: + +``` +$ cat server.crt intermediate-certificates.pem > server.with-intermediate.crt +``` + +You then configure the registry to use your certificate bundle by providing the `REGISTRY_HTTP_TLS_CERTIFICATE` environment variable. **Pros:**