nginx proxy for registry: docker certificate is valid for k8s, not curl /v2/_catalog

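1. Configure the SSL certificate and the nginx reverse proxy for the docker registry

Set up a private CA and initialize the CA environment: under /etc/pki/CA/, create the certificate index database file index.txt and the serial number file serial, and give the serial number file an initial value.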

# touch /etc/pki/CA/{index.txt,serial}
# echo 01 > /etc/pki/CA/serial

2. Generate the CA private key and save it to /etc/pki/CA/private/cakey.pem

# (umask 077;openssl genrsa -out  /etc/pki/CA/private/cakey.pem 2048)

3. Generate the root certificate

# openssl req -new -x509 -key  /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650

4. Make the system trust the root certificate

# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt

5. Install nginx; the openssl (SSL) module must be installed.

https://www.cnblogs.com/liujuncm5/p/6713784.html

./configure --prefix=/app/nginx --conf-path=/app/nginx/conf/nginx.conf --pid-path=/app/nginx/conf/nginx.pid --lock-path=/var/lock/nginx.lock --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_gzip_static_module --http-client-body-temp-path=/var/temp/nginx/client --http-proxy-temp-path=/var/temp/nginx/proxy --http-fastcgi-temp-path=/var/temp/nginx/fastcgi --http-uwsgi-temp-path=/var/temp/nginx/uwsgi --http-scgi-temp-path=/var/temp/nginx/scgi  --with-http_ssl_module

6. Issue the certificate

Create an ssl directory to hold the key file and the certificate signing request file

# mkdir /app/nginx/conf/ssl

Create the key file and the certificate signing request file

# (umask 077;openssl genrsa -out /app/nginx/conf/ssl/docker.key 2048)
# openssl req -new -key /app/nginx/conf/ssl/docker.key -out /app/nginx/conf/ssl/docker.csr

7. Sign the certificate

# openssl ca -in /app/nginx/conf/ssl/docker.csr -out /app/nginx/conf/ssl/docker.crt -days 3650

8. Restart docker https://blog.51cto.com/haohao1010/2087489
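
The error in the title ("certificate is valid for k8s, not ...") means the name inside the signed certificate does not cover the name the client connects to. The following is an added example, not part of the original post: it checks a signed certificate against the CA and the registry hostname before docker is restarted. The hostname registry.example.test, the throwaway files and both function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Hostname and file names below are constructed, not from the page.

# check_registry_cert CA_FILE CERT_FILE HOSTNAME
# Prints: ok | untrusted | name-mismatch | cn-only  (non-zero exit unless ok)
check_registry_cert() {
    ca=$1; cert=$2; host=$3
    # 1. The certificate must chain to the private CA that clients trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo untrusted; return 1
    fi
    # 2. The name clients dial must be covered by the certificate; this is the
    #    check behind "certificate is valid for k8s, not <registry host>".
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match'; then
        echo name-mismatch; return 1
    fi
    # 3. Current Go-based clients (docker) ignore the CN and need a DNS SAN.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'DNS:'; then
        echo cn-only; return 1
    fi
    echo ok
}

# make_demo_pki DIR: throwaway CA plus two leaf certificates for the checks.
# Uses "openssl x509 -req" instead of the page's "openssl ca" so that nothing
# under /etc/pki/CA is touched.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:registry.example.test\n' > "$d/san.ext"
    for name in san cnonly; do
        cn=registry.example.test; ext="-extfile $d/san.ext"
        [ "$name" = cnonly ] && { cn=k8s; ext=; }
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 $ext -out "$d/$name.crt" 2>/dev/null || return 1
    done
}
```

Against the files from the steps above, the call would be check_registry_cert /etc/pki/CA/cacert.pem /app/nginx/conf/ssl/docker.crt followed by the hostname that docker clients use for the registry.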