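1. Configure the SSL certificate and nginx as a reverse proxy for the docker registry
Set up a private CA. Initialize the CA environment: under /etc/pki/CA/, create the certificate index database file index.txt and the serial number file serial, and give the serial number file an initial value.
# touch /etc/pki/CA/{index.txt,serial}
# echo 01 > /etc/pki/CA/serial
2. Generate the key and save it to /etc/pki/CA/private/cakey.pem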
# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
3. Generate the root certificate
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
4. Make the system trust the root certificate
# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
5. Install nginx; it needs the SSL module (the --with-http_ssl_module option below).
https://www.cnblogs.com/liujuncm5/p/6713784.html
./configure --prefix=/app/nginx --conf-path=/app/nginx/conf/nginx.conf --pid-path=/app/nginx/conf/nginx.pid --lock-path=/var/lock/nginx.lock --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_gzip_static_module --http-client-body-temp-path=/var/temp/nginx/client --http-proxy-temp-path=/var/temp/nginx/proxy --http-fastcgi-temp-path=/var/temp/nginx/fastcgi --http-uwsgi-temp-path=/var/temp/nginx/uwsgi --http-scgi-temp-path=/var/temp/nginx/scgi --with-http_ssl_module
6. Issue the certificate
Create an ssl directory to hold the key file and the certificate signing request file
# mkdir /app/nginx/conf/ssl
Create the key file and the certificate signing request file
# (umask 077;openssl genrsa -out /app/nginx/conf/ssl/docker.key 2048)
# openssl req -new -key /app/nginx/conf/ssl/docker.key -out /app/nginx/conf/ssl/docker.csr
7. Sign the certificate
# openssl ca -in /app/nginx/conf/ssl/docker.csr -out /app/nginx/conf/ssl/docker.crt -days 3650
8. Restart docker https://blog.51cto.com/haohao1010/2087489
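A pre-flight check for the certificate issued in steps 6 and 7, added here as an example and not part of the original write-up: it confirms the certificate chains to the private CA, that the key matches it, and that the registry hostname appears in subjectAltName, since current Docker clients reject a certificate that carries the hostname only in the Common Name. The demo builds a throwaway CA in a temp directory with "openssl x509 -req" instead of "openssl ca", and the hostname registry.example.test and all function names are assumptions.

```shell
#!/bin/sh
# check_cert CA_CERT SERVER_CERT SERVER_KEY HOSTNAME
# returns 0 = ok, 1 = chain fails, 2 = key mismatch, 3 = hostname not in SAN
check_cert() {
    ca=$1; crt=$2; key=$3; host=$4
    # 1. The certificate must chain to the CA root (cacert.pem in the steps above).
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    # 2. The private key must match the public key in the certificate.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || return 2
    # 3. The registry hostname must be a DNS entry in subjectAltName.
    openssl x509 -in "$crt" -noout -text | tr ',' '\n' |
        sed 's/^[[:space:]]*//' | grep -Fxq "DNS:$host" || return 3
    return 0
}

# Constructed test material: a throwaway CA in a temp directory, signed with
# "openssl x509 -req" rather than "openssl ca" so /etc/pki/CA is never touched.
make_demo_certs() {
    d=$1; host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$d/docker.key" -out "$d/docker.csr" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    # CN-only certificate, as produced by a CSR with no SAN extension.
    openssl x509 -req -in "$d/docker.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/cn_only.crt" 2>/dev/null
    # Same CSR, signed with a subjectAltName extension file.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.ext"
    openssl x509 -req -in "$d/docker.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/san.crt" 2>/dev/null
}

# Run three cases (good cert, CN-only cert, wrong key) and print each return code.
demo() {
    t=$(mktemp -d) || return 9
    make_demo_certs "$t" registry.example.test   # hypothetical hostname
    check_cert "$t/ca.pem" "$t/san.crt" "$t/docker.key" registry.example.test && r1=0 || r1=$?
    check_cert "$t/ca.pem" "$t/cn_only.crt" "$t/docker.key" registry.example.test && r2=0 || r2=$?
    check_cert "$t/ca.pem" "$t/san.crt" "$t/other.key" registry.example.test && r3=0 || r3=$?
    rm -rf "$t"
    echo "$r1 $r2 $r3"
}

demo   # prints "0 3 2"
```

Against the files from the steps above, the call would be check_cert /etc/pki/CA/cacert.pem /app/nginx/conf/ssl/docker.crt /app/nginx/conf/ssl/docker.key followed by the registry's hostname.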