Docker Registry Using GoDaddy Certificate

MR. Sahputra
3 min read · Apr 14, 2020

I’ve spent a few hours solving this issue recently, so I think it is worth sharing.

The goal is to set up a Docker Registry on a production machine that is accessible over the internet, especially for my Kubernetes cluster. The steps are pretty clear from Docker’s documentation.

Basically, here’s my command to run Docker Registry.

After purchasing an SSL certificate from GoDaddy, I received these files.

Here’s what is inside _.curphoo.com.zip:

Initially, I simply took the file generated-private-key.txt and renamed it to server-curphoo.key. As for the certificate, I took the file 8b261369aa632e17.crt and renamed it to server-curphoo.crt.

I started the Docker Registry and tried to log in. It failed with the following error:

“Get https://xxxxx.curphoo.com:35000/v2/: x509: certificate signed by unknown authority exit: 1”

I tried to check the certificate information and it looked fine.

The official docs mention something about an intermediate certificate, but initially I wasn’t quite sure what that meant.

PKI (Public Key Infrastructure) follows a chain-of-trust model. Here’s a bit of information related to intermediate certificates.

An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate and ending with the SSL certificate issued to you. Such certificates are called chained root certificates.

Creating certificates directly from the CA root certificate increases the risk of root certificate compromise, and if the CA root certificate is compromised, the entire trust infrastructure built by the SSL provider will fail. The usage of intermediate certificates for issuing SSL certificates to end entities, therefore, provides an added level of security. You must install the intermediate certificate in your Web server along with your issued SSL certificate to complete the trust chain and allow the certificate to be effective.

So, basically, in GoDaddy’s case, the file named “gd_bundle-g2-g1.crt” is the intermediate certificate. We need to combine it with our domain certificate to create a full-chain certificate. Here’s how it looks in my case:

I re-created the Docker Registry container and tried to log in again.

Voila! 😊
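To show why the bare server certificate produces exactly the “certificate signed by unknown authority” error above while the combined file does not, here is an added Go example (not code from the original post). It builds a constructed throwaway PKI (root, intermediate, server certificate, with the made-up hostname registry.example.test standing in for xxxxx.curphoo.com and made-up CA names) and verifies a PEM chain the way the Go-based Docker client does: the first PEM block is the server certificate, any following blocks are intermediates, and only the root is trusted up front.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
const host = "registry.example.test" // constructed hostname standing in for xxxxx.curphoo.com

// mkCert issues a throwaway certificate for cn signed by parent; a nil parent means self-signed (the root).
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed: the certificate is its own issuer
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pemOf encodes one certificate as a PEM block, the format of the .crt files in GoDaddy's zip.
func pemOf(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }

// verifyChain mirrors the Docker client: first PEM block is the server cert, the rest are intermediates, only root is trusted.
func verifyChain(chainPEM []byte, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	first, rest := pem.Decode(chainPEM)
	leaf, _ := x509.ParseCertificate(first.Bytes)
	inters.AppendCertsFromPEM(rest) // empty when only the bare server.crt was installed
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	root, rk := mkCert("constructed-root-ca", true, nil, nil)
	inter, ik := mkCert("constructed-intermediate-ca", true, root, rk)
	leaf, _ := mkCert(host, false, inter, ik)
	fmt.Println("server.crt alone    :", verifyChain(pemOf(leaf), root))
	fmt.Println("server.crt + bundle :", verifyChain(append(pemOf(leaf), pemOf(inter)...), root))
}
```

The order of the concatenation matters: the server certificate must be the first block and the bundle appended after it, which is what `cat server.crt gd_bundle-g2-g1.crt` produces.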
