Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Use client-certificate for authentication on a private docker-registry in a bitbucket-pipeline

Hi, I'm using a bitbucket-pipeline to build, tag and push docker-images.
I'm having trouble using a client-certificate to authenticate with a private registry.


On my desktop-machine(ubuntu) when i try to push to the registry i receive the following error:

$ docker push REGISTRY_DOMAIN_NAME/myImage:0.5.6 
The push refers to repository [REGISTRY_DOMAIN_NAME/myImage]
Get https://REGISTRY_DOMAIN_NAME/v2/: remote error: tls: alert(116)

The ssl-error 116 code means certificate_required.

After i copied the certificates into the directory /etc/docker/certs.d/REGISTRY_DOMAIN_NAME the push completes successfully.

So i tried to replicate this within the bitbucket-pipeline. I'm writing the certificate-content from pipeline-variables into the same files as on my desktop-machine:

- mkdir -p /etc/docker/certs.d/REGISTRY_DOMAIN_NAME
- echo $DOCKER_CA_CRT > /etc/docker/certs.d/REGISTRY_DOMAIN_NAMEs/ca.crt
- echo $DOCKER_CLIENT_CRT > /etc/docker/certs.d/REGISTRY_DOMAIN_NAME/client.crt
- echo $DOCKER_CLIENT_KEY > /etc/docker/certs.d/REGISTRY_DOMAIN_NAME/client.key
- ls -al /etc/docker/certs.d/REGISTRY_DOMAIN_NAME/

The files are in the correct location:

+ ls -al /etc/docker/certs.d/REGISTRY_DOMAIN_NAME/
total 20
drwxrwxrwx. 2 root root 4096 Jan 15 09:24 .
drwxrwxrwx. 3 root root 4096 Jan 15 09:24 ..
-rw-rw-rw-. 1 root root 1647 Jan 15 09:24 ca.crt
-rw-rw-rw-. 1 root root 1696 Jan 15 09:24 client.crt
-rw-rw-rw-. 1 root root 1679 Jan 15 09:24 client.key

But in the bitbucket-pipeline the push still fails with the tls error 116.

Is there a way to use certificate-based authentication for a private docker-registry from within the bitbucket-pipeline?

1 answer

1 accepted

0 votes
Answer accepted

According to the Atlassian-support it is not possible to use client-certificates.

I'm using the docker-service of  bitbucket by declaring "docker: true" in the options of my build-pipeline.
In this case the docker-runtime is executed in a container other than my build-container. Therefore it is currently impossible to get the certificate-files into the filesystem of the docker-runtime.

My solution so far is to switch back to authentication by username/password.

Another solution might be to build your own build-container e.g. based on docker:dind which failed for me at various stages.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Bitbucket

New improvements to user management in Bitbucket Cloud 👥

Hey Community! We’re willing to wager that quite a few of you not only use Bitbucket, but administer it too. Our team is excited to share that we’ll be releasing improvements throughout this month of...

3,827 views 10 16
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you