Hi, I'm using a Bitbucket pipeline to build, tag and push Docker images.
I'm having trouble using a client certificate to authenticate with a private registry.
On my desktop machine (Ubuntu), when I try to push to the registry I receive the following error:
$ docker push REGISTRY_DOMAIN_NAME/myImage:0.5.6
The push refers to repository [REGISTRY_DOMAIN_NAME/myImage]
Get https://REGISTRY_DOMAIN_NAME/v2/: remote error: tls: alert(116)
The SSL error code 116 means certificate_required.
After I copied the certificates into the directory /etc/docker/certs.d/REGISTRY_DOMAIN_NAME, the push completes successfully.
So I tried to replicate this within the Bitbucket pipeline. I'm writing the certificate content from pipeline variables into the same files as on my desktop machine:
- mkdir -p /etc/docker/certs.d/REGISTRY_DOMAIN_NAME
# quote the variables so the multi-line PEM keeps its line breaks
- echo "$DOCKER_CA_CRT" > /etc/docker/certs.d/REGISTRY_DOMAIN_NAME/ca.crt
- echo "$DOCKER_CLIENT_CRT" > /etc/docker/certs.d/REGISTRY_DOMAIN_NAME/client.crt
- echo "$DOCKER_CLIENT_KEY" > /etc/docker/certs.d/REGISTRY_DOMAIN_NAME/client.key
- ls -al /etc/docker/certs.d/REGISTRY_DOMAIN_NAME/
The files are in the correct location:
+ ls -al /etc/docker/certs.d/REGISTRY_DOMAIN_NAME/
total 20
drwxrwxrwx. 2 root root 4096 Jan 15 09:24 .
drwxrwxrwx. 3 root root 4096 Jan 15 09:24 ..
-rw-rw-rw-. 1 root root 1647 Jan 15 09:24 ca.crt
-rw-rw-rw-. 1 root root 1696 Jan 15 09:24 client.crt
-rw-rw-rw-. 1 root root 1679 Jan 15 09:24 client.key
But in the Bitbucket pipeline the push still fails with the TLS error 116.
Is there a way to use certificate-based authentication for a private Docker registry from within the Bitbucket pipeline?
According to Atlassian support it is not possible to use client certificates.
I'm using the Docker service of Bitbucket by declaring "docker: true" in the options of my build pipeline.
In this case the Docker runtime is executed in a container other than my build container. Therefore it is currently impossible to get the certificate files into the filesystem of the Docker runtime.
My solution so far is to switch back to authentication by username/password.
Another solution might be to build your own build container, e.g. one based on docker:dind, which failed for me at various stages.
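As an added example that is not part of the question or the answer above: a POSIX shell helper for the case where the daemon does read the filesystem you write to (the desktop, or a self-built docker:dind-style build container), which writes the certs.d layout from the same three pipeline variables, keeps the PEM line breaks that an unquoted `echo $VAR` collapses, restricts the key's permissions and checks each file before a push. The certs root and registry name are parameters (assumed values in the test); note that Docker loads `*.crt` in certs.d as CA certificates and `*.cert` (with the matching `*.key`) as client certificates, so the client certificate is written as `client.cert` rather than the post's `client.crt`.

```shell
# Added example (not from the post): write the Docker certs.d layout for
# one registry from pipeline variables and sanity-check the result.
# Assumes DOCKER_CA_CRT, DOCKER_CLIENT_CRT and DOCKER_CLIENT_KEY hold PEM text.
set -u

# write_pem VALUE FILE: the command substitution strips trailing newlines,
# then exactly one newline is appended, so the file ends cleanly.
write_pem() {
    printf '%s\n' "$(printf '%s' "$1")" > "$2"
}

# check_pem FILE: first line must be a BEGIN marker, last line an END marker,
# with body lines in between. A PEM flattened onto one line by an unquoted
# "echo $VAR" fails here instead of failing later in the TLS handshake.
check_pem() {
    first=$(head -n 1 "$1")
    last=$(tail -n 1 "$1")
    lines=$(wc -l < "$1" | tr -d ' ')
    case "$first" in "-----BEGIN "*) ;; *) return 1 ;; esac
    case "$last" in "-----END "*) ;; *) return 1 ;; esac
    [ "$lines" -gt 2 ]
}

# write_registry_certs CERTS_ROOT REGISTRY
# Creates CERTS_ROOT/REGISTRY/{ca.crt,client.cert,client.key}. Docker treats
# *.crt in certs.d as CA certificates and *.cert as client certificates, so
# the client certificate goes in client.cert. Returns 1 if any file is not
# a well-formed PEM block.
write_registry_certs() {
    dir="$1/$2"
    mkdir -p "$dir"
    write_pem "$DOCKER_CA_CRT"     "$dir/ca.crt"
    write_pem "$DOCKER_CLIENT_CRT" "$dir/client.cert"
    # Create the key empty and lock it down before writing private material.
    : > "$dir/client.key"
    chmod 600 "$dir/client.key"
    write_pem "$DOCKER_CLIENT_KEY" "$dir/client.key"
    chmod 644 "$dir/ca.crt" "$dir/client.cert"
    for f in ca.crt client.cert client.key; do
        check_pem "$dir/$f" || { echo "invalid PEM in $dir/$f" >&2; return 1; }
    done
}
```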