Description of problem:
Docker certs are signed with wrong hosts.

Version-Release number of selected component (if applicable):
iso 20161110

How reproducible:
always

Steps to Reproduce:
1. attach RH docker repo to RHUI (RH content repo needed too, see BZ 1356695 comment #6)
2. add CDS, HAP, sync repos
3. generate an entitlement cert, create a custom cli rpm
4. install the custom cli rpm on CLI
5. configure docker, point it to CDS
6. docker pull $docker_repo

Actual results:
[root@cli01 ~]# vi /etc/sysconfig/docker
[root@cli01 ~]# systemctl restart docker
[root@cli01 ~]# docker pull rhel_cert_docker
Using default tag: latest
Trying to pull repository cds.example.com:5000/rhel_cert_docker ...
unable to ping registry endpoint https://cds.example.com:5000/v0/
v2 ping attempt failed with error: Get https://cds.example.com:5000/v2/: x509: certificate is valid for cds02.example.com, not cds.example.com
 v1 ping attempt failed with error: Get https://cds.example.com:5000/v1/_ping: x509: certificate is valid for cds01.example.com, not cds.example.com
Trying to pull repository docker.io/library/rhel_cert_docker ...
Pulling repository docker.io/library/rhel_cert_docker
Error: image library/rhel_cert_docker not found
Error: image library/rhel_cert_docker not found

Expected results:
successful pulling of docker repo

Additional info:
adding INSECURE_REGISTRY='--insecure-registry cds.example.com:5000' to /etc/sysconfig/docker allows pulling repo content.

docker pull rhel_cert_docker
Using default tag: latest
Trying to pull repository cds.example.com:5000/rhel_cert_docker ...
latest: Pulling from cds.example.com:5000/rhel_cert_docker
30cf2e26a24f: Pull complete
99dd41655d8a: Pull complete
27dc5eaef277: Pull complete
Digest: sha256:83d4e7a94b123449557323292c688141b858f479cf351c7d630c7018a0dd9dad
Status: Downloaded newer image for cds.example.com:5000/rhel_cert_docker:latest
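
Added example (not part of the bug report and not RHUI code): a Python preflight check that each CDS node's certificate covers the shared name clients pull from, and that reports any --insecure-registry exemption left in /etc/sysconfig/docker contents. Certificate dicts follow the shape returned by ssl.SSLSocket.getpeercert(); the function names, node certificates and config text are constructed for illustration.

```python
def name_matches(pattern, host):
    """Compare one certificate DNS name with a host, label by label.
    '*' is accepted only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """SAN dNSName entries; subject CN only when no SAN DNS entry exists
    (older clients fall back to CN, current Go-based clients need a SAN)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def nodes_missing_name(node_certs, registry):
    """Nodes whose certificate does not cover the name clients pull from."""
    host = registry.rsplit(":", 1)[0]  # drop the :5000 port
    return sorted(node for node, cert in node_certs.items()
                  if not any(name_matches(n, host) for n in cert_names(cert)))

def insecure_registries(sysconfig_text):
    """Registries exempted from TLS verification in /etc/sysconfig/docker."""
    found = []
    for line in sysconfig_text.splitlines():
        line = line.split("#", 1)[0]
        for ch in "='\"":
            line = line.replace(ch, " ")
        tokens = line.split()
        found += [tokens[i + 1] for i, t in enumerate(tokens[:-1])
                  if t == "--insecure-registry"]
    return found

def _cert(cn, *sans):
    cert = {"subject": ((("commonName", cn),),)}
    if sans:
        cert["subjectAltName"] = tuple(("DNS", s) for s in sans)
    return cert

# Constructed to mirror the report: each CDS certificate names only its own host.
AS_REPORTED = {n: _cert(n) for n in ("cds01.example.com", "cds02.example.com")}
# Constructed corrected state: each certificate also lists the shared name.
WITH_SHARED = {n: _cert(n, n, "cds.example.com") for n in AS_REPORTED}
SYSCONFIG = "INSECURE_REGISTRY='--insecure-registry cds.example.com:5000'\n"
```

nodes_missing_name(AS_REPORTED, "cds.example.com:5000") returns both nodes, matching the two x509 errors above; a non-empty insecure_registries() result means the client is still skipping certificate verification for that registry.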
3. generate an entitlement cert, create a custom cli rpm
4. install the custom cli rpm on CLI

in BZ description are wrong. Those are not needed to fetch Docker content as implemented on 20161115 iso.
Please, ignore the previous comment. Points 3 and 4 are not needed if INSECURE_REGISTRY='--insecure-registry cds.example.com:5000' is added into /etc/sysconfig/docker.

Verified with 2016115 iso:

>> rpm -ql my_rpm
/etc/docker/certs.d/cds.example.com:5000/ca.crt
/etc/pki/rhui/ca.crt
/etc/pki/rhui/key.pem
/etc/pki/rhui/product/content.crt
/etc/yum.repos.d/rh-cloud.repo

>> docker pull rhcertification_redhat-certification
Using default tag: latest
Trying to pull repository cds.example.com:5000/rhcertification_redhat-certification ...
latest: Pulling from cds.example.com:5000/rhcertification_redhat-certification
30cf2e26a24f: Pull complete
99dd41655d8a: Pull complete
27dc5eaef277: Pull complete
Digest: sha256:83d4e7a94b123449557323292c688141b858f479cf351c7d630c7018a0dd9dad
Status: Downloaded newer image for cds.example.com:5000/rhcertification_redhat-certification:latest
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0367