I have a private Docker registry. Now I want to pull an image in minikube:

```
kubectl run test --image=docker-registry.localdomain/others/test:latest --port=8077 --generator=run/v1
```

but I get an error

```
Failed to pull image "docker-registry.localdomain/others/test:latest": rpc error: code = Unknown desc = Error response from daemon: Get "https://docker-registry.localdomain/v2/": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0.
```

And I have tried

```
export GODEBUG=x509ignoreCN=0; kubectl run test --image=docker-registry.localdomain/others/test:latest --port=8077 --generator=run/v1
```

But I still get the same error.

So how can I deploy this image with minikube?

PS: I can pull this image with `docker pull`.

Jyothi Kiranmayi
bin381
  • x509: certificate relies on legacy Common Name field, this error means that the certificate has the requested hostname or IP in the Common Name field, and not in the Subject Alternative Names extension. Check the version of Go and try upgrading the version. Try the steps mentioned in the [github link](https://github.com/golang/go/issues/39568#issuecomment-671424481). Let me know if this resolves your issue. – Jyothi Kiranmayi Sep 29 '21 at 13:32
  • @JyothiKiranmayi thanks! But I can't find any solution in your github link – bin381 Sep 30 '21 at 01:43
  • As was mentioned before, most likely something is incorrect with the certificate that is used on the `docker registry` side. How is it deployed? Is it located within the cluster or outside? I assume `minikube registry-creds` was enabled and set up. [Pull image from private registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) Another option is to run it as insecure (enough for testing). – moonkotte Sep 30 '21 at 13:59
  • @moonkotte I have tried cred, but it still does not work – bin381 Oct 08 '21 at 09:02

2 Answers

Solution:
1. Create new certificates in the Docker registry using:

```bash
# Self-signed certificate that carries the hostname in subjectAltName (SAN), not only in CN.
# Requires bash: the config is passed through process substitution.
openssl req -x509 -out registry.crt -keyout registry.key -days 1825 \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=your-registry.com' -extensions EXT -config <( \
   printf "[dn]\nCN=your-registry.com\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:your-registry.com\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
```

Reference

Sachith Muhandiram

You can add the registry to the insecure-registries list in your Docker config file, as explained in this solution. Please be aware that this is a workaround if you don't want to fix the certificate.