
There is a remote docker repository on nexus.connex.ro:8063.

I want to skip certificate validation so I have added the repository as "insecure-registries".
Unfortunately, when I try to log in it still complains: tls: failed to verify certificate.

This is my /etc/docker/daemon.json

{
  "insecure-registries" : ["nexus.connex.ro:8063"]
}

The remote repository uses a self-signed certificate. I have tried to save the cert into a file and put it into the /etc/docker/certs.d/nexus.connect.ro/ folder as a .crt file, but nothing changed.

This is the error message I got:

Error response from daemon: Get "https://nexus.connex.ro:8063/v2/": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead

Any advice on how to fix this?

2 Answers


  1. Chosen as BEST ANSWER

    Finally I was able to find the issue. Despite having "insecure-registries" in my /etc/docker/daemon.json, my docker service did not pick it up. The docker info command indicated this because only 127.0.0.0/8 was listed under Insecure Registries:

    Why? Because it was installed by snap! This installation has another daemon.json in /snap/docker/2963/config/daemon.json, and of course that one has no insecure settings.

    Editing the proper daemon.json fixed the issue.
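    The diagnosis in this answer can be scripted. What follows is an added example, not code from the original answer: it reads the text output of `docker info`, extracts the effective Insecure Registries list, and, if the expected registry is missing, lists the daemon.json files on the host that dockerd may have loaded instead. /etc/docker/daemon.json is the standard path; the snap path /var/snap/docker/current/config/daemon.json and the rootless path ~/.config/docker/daemon.json are assumptions about how those packagings lay out their config, so verify them on your own host. The registry host:port defaults to the one in the question.

```shell
#!/bin/sh
# Added example (not code from the original answer): check which
# insecure-registries dockerd actually loaded, by parsing `docker info`.
# The non-/etc daemon.json locations are assumptions to verify locally.
set -eu

# Read `docker info` text on stdin and print the entries listed under
# "Insecure Registries:" (they are indented deeper than the heading).
parse_insecure_registries() {
    awk '
        /^ *Insecure Registries:/ { collecting = 1; lead = match($0, /[^ ]/); next }
        collecting {
            if (match($0, /[^ ]/) <= lead) { collecting = 0; next }
            sub(/^ +/, ""); print
        }
    '
}

# Succeed only if registry $1 (host:port or CIDR) is in the effective list on stdin.
registry_is_insecure() {
    parse_insecure_registries | grep -qxF "$1"
}

# Print daemon.json files that exist on this host. A daemon.json that dockerd
# never reads is the classic reason `docker info` disagrees with what you edited.
daemon_json_candidates() {
    for p in /etc/docker/daemon.json \
             /var/snap/docker/current/config/daemon.json \
             "${HOME:-}/.config/docker/daemon.json"; do
        [ -f "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Live check against the local daemon (skipped when no docker CLI is present).
REGISTRY="${REGISTRY:-nexus.connex.ro:8063}"
if command -v docker >/dev/null 2>&1; then
    if docker info 2>/dev/null | registry_is_insecure "$REGISTRY"; then
        echo "$REGISTRY is in dockerd's effective Insecure Registries list"
    else
        echo "$REGISTRY is NOT in the effective list; dockerd may have loaded one of:"
        daemon_json_candidates
    fi
fi
```

    Run it as `REGISTRY=nexus.connex.ro:8063 sh check-insecure.sh` on the Docker host. If the registry is absent from the list even though you edited /etc/docker/daemon.json, the daemon is reading one of the other files and that is the one to change, followed by a daemon restart.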


  2. Based on the error message, the issue is with an older certificate format using Common Name (CN) instead of Subject Alternative Names (SANs). Here’s what you need to do:

    For Docker versions 20.10 and newer, you actually need to modify your daemon.json like this:

    {
      "insecure-registries": ["nexus.connex.ro:8063"],
      "allow-nondistributable-artifacts": ["nexus.connex.ro:8063"]
    }
    

    Then restart Docker with:

    sudo systemctl restart docker
    

    If this still doesn’t work, the alternative solution would be to regenerate your self-signed certificate with SANs included. The old CN-only certificates are considered legacy and unsafe by modern TLS implementations.

    Hope this helps! Let me know if you still have issues.

    Edit: If regenerating the cert isn’t an option and the above doesn’t work, you might need to fall back to HTTP instead of HTTPS by reconfiguring your registry to use plain HTTP. Not ideal for security, but sometimes necessary in dev environments.

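    Two caveats on the answer above before the example. `allow-nondistributable-artifacts` has no effect on TLS; it only controls whether foreign layers are pushed. And the error in the question is Go's TLS stack rejecting a certificate that has no Subject Alternative Name (Go 1.15 and later ignore the Common Name for hostname matching), which is also why the certs.d attempt in the question could not work: Docker looks in a directory named host:port, so nexus.connect.ro without the port would never be consulted, and even a correctly placed CN-only certificate still fails hostname verification. `insecure-registries` only helps once dockerd actually loads the daemon.json that contains it, which answer 1 shows was not happening. The clean fix is the second suggestion in this answer: reissue the self-signed certificate with a SAN and trust it through /etc/docker/certs.d, which keeps verification on instead of disabling it. The script below is an added example, not code from the original thread. It generates a CN-only and a SAN certificate with openssl, shows a check that distinguishes them, and computes the certs.d path Docker expects. It assumes openssl 1.1.1 or later (for -addext) and takes the host and port from the question.

```shell
#!/bin/sh
# Added example, not from the original thread: reissue a registry's
# self-signed certificate with a SAN and show where Docker expects to find it.
# Assumes openssl >= 1.1.1 (-addext); host and port are taken from the question.
set -eu

REGISTRY_HOST="${REGISTRY_HOST:-nexus.connex.ro}"
REGISTRY_PORT="${REGISTRY_PORT:-8063}"

# Succeed if the PEM certificate $1 carries a DNS or IP SAN. A cert that fails
# this is what makes Go-based clients (dockerd included) report
# "certificate relies on legacy Common Name field, use SANs instead".
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE 'DNS:|IP Address:'
}

# Legacy issuance: hostname only in CN. Written to $1/cn-only.crt for comparison.
make_cn_only_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$REGISTRY_HOST" \
        -keyout "$1/cn-only.key" -out "$1/cn-only.crt" 2>/dev/null
}

# Correct issuance: the hostname goes into subjectAltName; CN is kept for display.
make_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$REGISTRY_HOST" \
        -addext "subjectAltName=DNS:$REGISTRY_HOST" \
        -keyout "$1/registry.key" -out "$1/registry.crt" 2>/dev/null
}

# Directory dockerd consults for this registry: hostname and port, not hostname alone.
certs_d_dir() {
    printf '/etc/docker/certs.d/%s:%s\n' "$REGISTRY_HOST" "$REGISTRY_PORT"
}

# Install the self-signed cert as the trusted CA for that registry
# (needs root, so it is defined here but not invoked by the demo below).
install_registry_ca() {
    sudo install -D -m 0644 "$1" "$(certs_d_dir)/ca.crt"
}

work=$(mktemp -d)
make_cn_only_cert "$work"
make_san_cert "$work"
for c in cn-only registry; do
    if cert_has_san "$work/$c.crt"; then
        echo "$c.crt: has SAN, verifies against $REGISTRY_HOST"
    else
        echo "$c.crt: no SAN, rejected as legacy Common Name by Go clients"
    fi
done
echo "Serve $work/registry.crt (and registry.key) from Nexus, then trust it with:"
echo "  sudo install -D -m 0644 $work/registry.crt $(certs_d_dir)/ca.crt"
```

    After installing the certificate into that directory no daemon restart is needed for certs.d changes, and `insecure-registries` can be dropped from daemon.json entirely, so the registry is verified rather than merely tolerated. Run `cert_has_san` against the certificate Nexus currently serves (`openssl s_client -connect nexus.connex.ro:8063 </dev/null | openssl x509 > current.crt`) to confirm the diagnosis before regenerating anything.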