LCTRT

Using a local CA for SSL certificates

In my previous post, I explained how I created a private docker image registry. Without https support it had to be listed as an insecure registry, and every docker context that talked to it needed that extra configuration. The next step for my homelab setup is to add TLS (transport layer security). I will use mkcert to create a local CA and issue certificates for all my virtual machines.

What is the purpose of a certificate authority (CA)?

A certificate authority acts like a notary: it signs the certificates that the nodes in my system will present, and any client that trusts the CA's root certificate will also trust what the CA has signed. My laptop can play that role. The CA's private key is only used at signing time, so once the certificates are issued the laptop is not involved again (until I need new certificates, of course). That key still has to be kept safe, because whoever holds it can mint certificates that every machine in the lab will accept.

Using mkcert

# Installing mkcert on the macbook
brew install mkcert

# create a new local CA (rootCA.pem and rootCA-key.pem) and add its root
# certificate to the laptop's system and browser trust stores
mkcert -install

# generate a cert for my VM; list every name a client may use to reach it,
# since each one becomes a subject alternative name in the certificate.
# -cert-file/-key-file pick the output names (default is <ip>+2.pem / <ip>+2-key.pem)
mkcert -cert-file cert.pem -key-file key.pem <ip> <hostname> localhost

mkcert writes two files, the certificate and its private key. By default it names them after the first host given (for example <ip>+2.pem and <ip>+2-key.pem); with -cert-file cert.pem -key-file key.pem they are called cert.pem and key.pem as used below. I copy them to the VM, keeping the key readable by root only:

scp cert.pem docker-vm-1:/etc/registry/certs
scp key.pem docker-vm-1:/etc/registry/certs

For each machine that will use certificates created by the local CA, we need to give it the root CA certificate, rootCA.pem, so it can trust the certificates that root has signed. Only that public file is distributed; the rootCA-key.pem that sits next to it stays on the laptop.

# on the local machine, this prints the directory holding rootCA.pem (and rootCA-key.pem, which stays here)
mkcert -CAROOT
scp "$(mkcert -CAROOT)/rootCA.pem" docker-vm-1:~/

# on each remote machine (Debian/Ubuntu), add the file to the ca certificates folder and update;
# the destination name must end in .crt for update-ca-certificates to pick it up
sudo cp ~/rootCA.pem /usr/local/share/ca-certificates/mkcert-ca.crt
sudo update-ca-certificates

# dockerd loads the system trust store when it starts, so restart it before pulling from the registry
sudo systemctl restart docker
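The steps above, from issuing the certificate to installing the root on the VM and checking the result, as one script. This is an added example, not code from the original post. It assumes mkcert, ssh, scp and curl are installed on the laptop, that the VM user can sudo non-interactively, and that the VM is Debian/Ubuntu or Fedora/RHEL based; the function names, the /tmp staging path and the mkcert-ca.crt file name are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: the mkcert steps as one
# script, run on the laptop that holds the mkcert root. Assumptions: mkcert,
# ssh, scp and curl are installed locally; the VM user can sudo without a
# prompt; the VM is Debian/Ubuntu or Fedora/RHEL family.
set -eu

# System trust store directory for extra root CAs, keyed by the ID field of the
# VM's /etc/os-release. Debian-family needs a .crt file name and
# update-ca-certificates; RHEL-family uses the anchors dir and update-ca-trust.
ca_trust_dir() {
  case "$1" in
    debian|ubuntu|raspbian) echo /usr/local/share/ca-certificates ;;
    fedora|rhel|centos|rocky|almalinux) echo /etc/pki/ca-trust/source/anchors ;;
    *) return 1 ;;
  esac
}

ca_update_cmd() {
  case "$1" in
    debian|ubuntu|raspbian) echo update-ca-certificates ;;
    fedora|rhel|centos|rocky|almalinux) echo update-ca-trust ;;
    *) return 1 ;;
  esac
}

# dockerd also trusts a per-registry CA placed at
# /etc/docker/certs.d/<host>:<port>/ca.crt; it is read at pull time, no restart.
docker_certs_d() {
  echo "/etc/docker/certs.d/$1:$2/ca.crt"
}

# usage: deploy <vm-hostname> <vm-ip> [port]
deploy() {
  vm=$1; ip=$2; port=${3:-5000}
  caroot=$(mkcert -CAROOT)

  # Leaf certificate for the registry. The SAN list must cover every name a
  # client may put in an image reference: hostname, IP, and localhost for
  # checks run on the VM itself.
  mkcert -cert-file cert.pem -key-file key.pem "$vm" "$ip" localhost
  chmod 600 key.pem

  # Stage through /tmp so the copy needs no root ssh login, then move the files
  # into place with the key readable by root only (the registry container runs
  # as root by default, so it can still open it).
  scp cert.pem key.pem "$vm:/tmp/"
  ssh "$vm" 'sudo mkdir -p /etc/registry/certs &&
             sudo mv /tmp/cert.pem /tmp/key.pem /etc/registry/certs/ &&
             sudo chmod 600 /etc/registry/certs/key.pem'

  # Only the public root certificate leaves the laptop. rootCA-key.pem in the
  # same directory can sign certificates every VM will trust; never copy it.
  scp "$caroot/rootCA.pem" "$vm:/tmp/mkcert-rootCA.pem"

  os_id=$(ssh "$vm" '. /etc/os-release && echo "$ID"')
  dir=$(ca_trust_dir "$os_id") || { echo "unsupported distro: $os_id" >&2; return 1; }
  upd=$(ca_update_cmd "$os_id")
  ssh "$vm" "sudo install -m 644 /tmp/mkcert-rootCA.pem $dir/mkcert-ca.crt && sudo $upd"

  # dockerd reads the system store once at start-up, so restart it; the certs.d
  # copy would cover pulls from the VM's own dockerd even without the restart.
  ssh "$vm" "sudo install -D -m 644 /tmp/mkcert-rootCA.pem $(docker_certs_d "$vm" "$port") &&
             sudo systemctl restart docker"

  # End-to-end check from the laptop with only the mkcert root as trust anchor:
  # the registry's /v2/ endpoint answers 200 when the chain and SANs are right.
  curl --fail --silent --show-error --cacert "$caroot/rootCA.pem" "https://$vm:$port/v2/" >/dev/null
  echo "TLS verified for https://$vm:$port/v2/"
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
  deploy "$@"
fi
```

Run it as `sh deploy-cert.sh docker-vm-1 <ip>` once the registry container is up with the TLS settings from the next section; if the final curl fails with a certificate error, the usual cause is that the name in the URL is not among the SANs the certificate was issued for.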

Using the new certificate for the private image registry

Now I need to point the registry at the new certificate and key. The registry reads them from the REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY settings, so I first update the docker-compose.yaml file:

services:
  registry:
    image: registry:3.0
    restart: unless-stopped
    ports:
      - "5000:5000"
    environment:
      REGISTRY_HTTP_ADDR: 0.0.0.0:5000
      # with these two set, the registry only answers over https
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/cert.pem
      REGISTRY_HTTP_TLS_KEY: /certs/key.pem
    volumes:
      # the directory cert.pem and key.pem were copied to, mounted read-only
      - /etc/registry/certs:/certs:ro

Once the registry serves TLS, its address can be removed from the insecure-registries list in /etc/docker/daemon.json on every docker context that had it, followed by a restart of dockerd. If a pull then fails with a certificate error, the usual causes are a client that does not have rootCA.pem in its trust store, or a registry address that is not among the names and IPs the certificate was issued for.

Summary

Adding a local CA and TLS config for the registry was less work than I expected, and an easy follow up to setting up the registry itself. That will be an easy setup to reuse for other local TLS requirements.