OpenSSL::SSL::SSLError: could not stablish connection: SSL error.

[Nols1000]

Hi,

I'm using portus and Registry/Distribution on a Docker-Swarm (currently just 1 node) and behind a Docker Flow Proxy (HAProxy). The Registry runs at port 443 with a certificated signed with my own CA. Portus runs at port 443 and subRoot '/portus'.

When I try to setup the connection of the Registry and Portus it fails with "OpenSSL::SSL::SSLError: could not stablish connection: SSL error. You can skip this check by clicking on the "Skip remote checks" checkbox.".

Response of /portus/api/v1/registries/validate?name=Local+Registry&hostname=docker-registry01.local&external_hostname=&use_ssl=true&force=false&only%5B%5D=hostname:

{"messages":{"hostname":["OpenSSL::SSL::SSLError: could not stablish connection: SSL error."]},"valid":false}

Docker-Compose File

version: '3'

services:
  redis:
    image: redis:alpine
    command: redis-server /etc/redis/config.conf
    networks:
      - default
    volumes:
      - ./config/redis/config.conf:/etc/redis/config.conf

  registry:
    image: registry:2
    depends_on:
      - redis
    networks:
      - default
      - proxy
    ports:
      - 5000
    environment:
      - REGISTRY_AUTH_TOKEN_REALM=https://docker-registry01.local/portus/v2/token
      - REGISTRY_AUTH_TOKEN_SERVICE=docker-registry01.local
      - REGISTRY_AUTH_TOKEN_ISSUER=docker-registry01.local
      - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/etc/ssl/certs/docker-registry01.local.crt
      - REGISTRY_HTTP_SECRET=****
      - REGISTRY_REDIS_ADDR=redis:6379
      - REGISTRY_STORAGE_DELETE_ENABLED=true
      - REGISTRY_STORAGE_CACHE_BLOBDESCRIPTOR=redis
    volumes:
      - ./data/registry:/var/lib/registry
      - /etc/ssl/certs:/etc/ssl/certs:ro
      - ./config/registry/config.yml:/etc/docker/registry/config.yml
    deploy:
      replicas: 1
      labels:
        - com.df.notify=true
        - com.df.port=5000
        - com.df.serviceDomain=docker-registry01.local

  mariadb:
    image: library/mariadb:10.0.23
    networks:
      - default
    ports:
      - 3306
    environment:
      MYSQL_ROOT_PASSWORD: ****
    volumes:
      - ./data/mysql:/var/lib/mysql

  portus:
    image: opensuse/portus:2.3
    depends_on:
      - mariadb
    networks:
      - default
      - proxy
    ports:
      - 3000
    environment:
      RAILS_SERVE_STATIC_FILES: 'true'
      RAILS_RELATIVE_URL_ROOT: /portus
      PORTUS_DB_HOST: mariadb
      PORTUS_DB_USERNAME: ****
      PORTUS_DB_PASSWORD: ****
      PORTUS_DB_DATABASE: ****
      PORTUS_DELETE_ENABLED: 'true'
      PORTUS_MACHINE_FQDN_VALUE: docker-registry01.local
      PORTUS_CHECK_SSL_USAGE_ENABLED: 'false'
      PORTUS_SECRET_KEY_BASE: ****
      PORTUS_KEY_PATH: /certificates/docker-registry01.local.key
      PORTUS_PASSWORD: ****
      PORTUS_SIGNUP_ENABLED: 'false'
    volumes:
      - ./config/portus:/etc/portus
      - ./secrets:/certificates:ro
    deploy:
      replicas: 1
      labels:
        - com.df.notify=true
        - com.df.port=3000
        - com.df.servicePath=/portus
        - com.df.serviceDomain=docker-registry01.local

#  portus-background:
#    image: opensuse/portus:latest
#    entrypoint: bundle exec rails runner /svr/Portus/bin/background.rb
#    networks:
#      - default
#    depends_on:
#      - portus
#      - mariadb
#    environment:
#      - PORTUS_DB_HOST=mariadb
#      - PORTUS_DB_USERNAME=****
#      - PORTUS_DB_PASSWORD=****
#      - PORTUS_DB_DATABASE=****


networks:
  default:
    external: false
  proxy:
    external: true

Portus Logs (NOTE PORTUS_LOG_LEVEL: debug does not provide more relevant information):

Started GET "/portus/admin/registries/1/edit" for 10.0.0.10 at 2018-02-06 17:01:12 +0000
Processing by Admin::RegistriesController#edit as HTML
  Parameters: {"id"=>"1"}
  Rendered admin/registries/components/_form.html.slim (2.7ms)
  Rendered admin/registries/edit.html.slim within layouts/application (3.3ms)
  Rendered shared/_header.html.slim (0.9ms)
  Rendered shared/_aside.html.slim (0.7ms)
  Rendered shared/_search.html.slim (0.2ms)
  Rendered shared/_notification.html.slim (0.1ms)
  Rendered shared/_notifications.html.slim (0.2ms)
Completed 200 OK in 12ms (Views: 7.8ms | ActiveRecord: 0.9ms)
Started GET "/portus/api/v1/registries/validate?name=Local+Registry&hostname=doc&external_hostname=&use_ssl=false&force=false&only%5B%5D=hostname" for 10.0.0.10 at 2018-02-06 17:01:17 +0000
SocketError: connection refused.
Started GET "/portus/api/v1/registries/validate?name=Local+Registry&hostname=do&external_hostname=&use_ssl=false&force=false&only%5B%5D=hostname" for 10.0.0.10 at 2018-02-06 17:01:18 +0000
SocketError: connection refused.
Started GET "/portus/api/v1/registries/validate?name=Local+Registry&hostname=docke&external_hostname=&use_ssl=false&force=false&only%5B%5D=hostname" for 10.0.0.10 at 2018-02-06 17:01:20 +0000
SocketError: connection refused.
Started GET "/portus/api/v1/registries/validate?name=Local+Registry&hostname=docker-registry01.local&external_hostname=&use_ssl=false&force=false&only%5B%5D=hostname" for 10.0.0.10 at 2018-02-06 17:01:23 +0000
Started GET "/portus/api/v1/registries/validate?name=Local+Registry&hostname=docker-registry01.local&external_hostname=&use_ssl=true&force=false&only%5B%5D=hostname" for 10.0.0.10 at 2018-02-06 17:01:25 +0000
OpenSSL::SSL::SSLError: could not stablish connection: SSL error.

Portus Information:

[Mailer config] Host:     portus.test.lan
[Mailer config] Protocol: https://
Evaluated configuration:
---
email:
  from: portus@example.com
  name: Portus
  reply_to: no-reply@example.com
  smtp:
    enabled: false
    address: smtp.example.com
    port: 587
    user_name: username@example.com
    password: "****"
    domain: example.com
gravatar:
  enabled: true
delete:
  enabled: true
ldap:
  enabled: false
  hostname: ldap_hostname
  port: 389
  method: plain
  base: ''
  filter: ''
  uid: uid
  authentication:
    enabled: false
    bind_dn: ''
    password: "****"
  guess_email:
    enabled: false
    attr: ''
oauth:
  google_oauth2:
    enabled: false
    id: ''
    secret: ''
    domain: ''
    options:
      hd: ''
  open_id:
    enabled: false
    identifier: ''
    domain: ''
  github:
    enabled: false
    client_id: ''
    client_secret: ''
    organization: ''
    team: ''
    domain: ''
  gitlab:
    enabled: false
    application_id: ''
    secret: ''
    group: ''
    domain: ''
    server: ''
  bitbucket:
    enabled: false
    key: ''
    secret: ''
    domain: ''
    options:
      team: ''
first_user_admin:
  enabled: true
signup:
  enabled: false
check_ssl_usage:
  enabled: false
registry:
  jwt_expiration_time:
    value: 5
  catalog_page:
    value: 100
  timeout:
    value: 2
  read_timeout:
    value: 120
machine_fqdn:
  value: docker-registry01.local
display_name:
  enabled: false
user_permission:
  change_visibility:
    enabled: true
  create_team:
    enabled: true
  manage_team:
    enabled: true
  create_namespace:
    enabled: true
  manage_namespace:
    enabled: true
security:
  clair:
    server: ''
    health_port: 6061
  zypper:
    server: ''
  dummy:
    server: ''
anonymous_browsing:
  enabled: true

Portus version: 2.3.0@6c27eb83e3b23b12ce62d39e6823ec8cf5747921

NOTE: I've replaced my domain name with docker-registry01.local.

[Vad1mo]

So in you case the DFP is doing TLS and also Portus. So what happens here is that you have

REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/etc/ssl/certs/docker-registry01.local.crt
PORTUS_KEY_PATH: /certificates/docker-registry01.local.key

however when the registry is talking to portus it see another cert. the one for DFP.

If you want to do TLS on DFP and on Portus you have to do the communication between Portus <-> Registry not over public domain but service names. This is possible, you then have to enter in the registry admin section registry:5000 and in External Registry Name the public domain.

However I would recommend you do the TLS termination only of DFP and leave the rest unsecure

[Nols1000]

Thanks for the fast response. I will try it tomorrow.

[Vad1mo]

sorry I see it now in the config, i was telling you BS, you are not doing TLS on Portus.

It seems like you want to set the registry in the admin section.

However from your DFP config I can't see that you are doing TLS on the registry, Try it without TLS first (Setting in the Portus Admin section) and see if that works. Then enable TLS in DFP and change the setting in the Portus admin section.

[Nols1000]

When I set the hostname to registry:5000 it works. And if I connect from outside to https://docker-registry01.local with my browser it says my certificate is valid.

[Vad1mo]

you have the same domain for registry and ui. docker-registry01.local its a bit tricky but it works.
I even have it setup without the /portus path. See. vfarcic/docker-flow-proxy#409

If you have set registry:5000 you need to set docker-registry01.local under advanced. Omit TLS in this case

[Nols1000]

I'll check both options thanks

[dlednik]

I have similar issue :(

I checked out from git on fresh unRAID install. I have certificates set up and all the containers spin up.
I can login to the registry with docker login from my other server which is a different physical machine from unRAID server running registry and portus.

In Portus I can not make it connect with SSL to my registry. I tried different ways to address the registry container and nothing works. From portus container I can ping registry and it returns correct container IP. But registry:5000 still returns SSL errors and that it can not connect to registry.

Second issue I have is that I can not force new settings even with the Skip remote checks checkbox wich is also anoying.

[mssola]

@dlednik there must be something that you are missing in regards to SSL, which I'm sure is specific to your setup so I don't know if I'll be able to help much. From the Portus side make sure to use the proper PORTUS_CHECK_SSL_USAGE_ENABLED value to fit your case, and make sure that from the Portus container you can establish an SSL connection to the registry. Another common pitfall is a firewall blocking your requests and stuff like that.

I'm going to close this issue now, since I think this is not to blame on Portus itself. That being said, feel free to leave more comments.

[Nols1000]

I have set the external url to docker-registry01.local and it works fine now. But I dont get why my ssl setup was not working. @mssola Would it be possible to get a more accurate error message?

[dlednik]

I solved it by installing harbor from vmware :)
After install, I only had to change 2 setting in config scripts because I overlooked it in their instructions.

It turns out even for me (not a beginner) it's just too much hassle to set it up Portus and make it work. Might be just an issue with the unRaid setup and I don't want to trade that for something else as it serves as a NAS primarily. And running registry on top seemed like a good combination.

[mssola]

I have set the external url to docker-registry01.local and it works fine now. But I dont get why my ssl setup was not working. @mssola Would it be possible to get a more accurate error message?

@Nols1000 Yes, that's something we can definitely improve. I just created #1683 to track this. Thanks for the feedback!