Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1641134

Summary: [DOCS] docker registry only http not https / pulling image error : Get https://docker-registry.default.svc:5000/v2/: http: server gave HTTP response to HTTPS client
Product: OpenShift Container Platform Reporter: Omer SEN <omer.sen>
Component: DocumentationAssignee: Kathryn Alexander <kalexand>
Status: CLOSED CURRENTRELEASE QA Contact: Gaoyun Pei <gpei>
Severity: unspecified Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified    
Version: 3.11.0CC: aos-bugs, gpei, jokerman, mmccomas, omer.sen, tcameron
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-11-05 16:50:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
docker-registry-1.log none

Description Omer SEN 2018-10-19 17:32:58 UTC 
Description of problem:

After installing openshift with

inventory file:

[masters]
master.os.serra.local
[etcd]
master.os.serra.local
[nodes]
master.os.serra.local openshift_node_group_name='node-config-master-infra'
node1.os.serra.local openshift_node_group_name='node-config-compute'
[OSEv3:children]
masters
nodes
etcd
[OSEv3:vars]
ansible_user=root
openshift_deployment_type=openshift-enterprise
openshift_master_default_subdomain=apps.os.serra.local
debug_level=2
oreg_auth_user='1106XXX|yyyy'
oreg_auth_password='HIDDEN'
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]
openshift_master_htpasswd_users={'admin': '$apr1$cYONvW3m$ZUxdFzcyjMk01UDHyyUDk/', 'admin2': '$apr1$cYONvW3m$ZUxdFzcyjMk01UDHyyUDk/', 'admin3': '$apr1$cYONvW3m$ZUxdFzcyjMk01UDHyyUDk/'}
openshift_check_min_host_memory_gb=4


successfully I tried to create a sample project (ruby-ex) but on build of project I get:


Cloning "https://github.com/adminikaruslab/Spoon-Knife " ...
	Commit:	d0dd1f61b33d64e29d8bc1372a94ef6a2fee76a9 (Pointing to the guide for forking)
	Author:	The Octocat <octocat>
	Date:	Wed Feb 12 15:20:44 2014 -0800
pulling image error : Get https://docker-registry.default.svc:5000/v2/:  http: server gave HTTP response to HTTPS client
error: build error: unable to get docker-registry.default.svc:5000/openshift/ruby@sha256:b1d4224b1c57d4523eb35ccf3f365ef53b77ef45ba8fac62dc51a4a6de521ae6

Version-Release number of selected component (if applicable):

openshift-ansible-roles-3.11.16-1.git.0.4ac6f81.el7.noarch
atomic-openshift-excluder-3.11.16-1.git.0.b48b8f8.el7.noarch
atomic-openshift-node-3.11.16-1.git.0.b48b8f8.el7.x86_64
openshift-ansible-docs-3.11.16-1.git.0.4ac6f81.el7.noarch
atomic-openshift-clients-3.11.16-1.git.0.b48b8f8.el7.x86_64
openshift-ansible-3.11.16-1.git.0.4ac6f81.el7.noarch
atomic-openshift-docker-excluder-3.11.16-1.git.0.b48b8f8.el7.noarch
atomic-openshift-3.11.16-1.git.0.b48b8f8.el7.x86_64
openshift-ansible-playbooks-3.11.16-1.git.0.4ac6f81.el7.noarch
atomic-openshift-hyperkube-3.11.16-1.git.0.b48b8f8.el7.x86_64

ansible-2.6.5-1.el7ae.noarch



How reproducible:

Install using https://docs.openshift.com/container-platform/3.11/getting_started/install_openshift.html and https://docs.openshift.com/container-platform/3.11/getting_started/configure_openshift.html


I have tried to login to docker registery 

nc  docker-registry.default.svc 5000

HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Request

AND

openssl s_client -connect   docker-registry.default.svc:5000           
CONNECTED(00000003)
139976918443920:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1539970064
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

As you can see registry not using HTTPS but HTTP connections only (plain text)


#  oc get pods -n default                                            
NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-1-6hgk2    1/1       Running   0          2m
registry-console-1-bqt99   1/1       Running   1          1d
router-1-qzkps             1/1       Running   0          21h

# oc logs -f registry-console-1-bqt99          
INFO: cockpit-ws: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert

ls -la /etc/cockpit/ws-certs.d/0-self-signed.cert
-rw-------. 1 1000000000 root 2959 Oct 18 09:25 /etc/cockpit/ws-certs.d/0-self-signed.cert
sh-4.2$ ps axww
  PID TTY      STAT   TIME COMMAND
    1 ?        Ssl    0:11 /usr/libexec/cockpit-ws
   47 ?        Ss     0:00 /bin/sh
   52 ?        R+     0:00 ps axww
sh-4.2$ ps axwwu
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
1000000+     1  0.0  0.0 260040  4220 ?        Ssl  Oct18   0:11 /usr/libexec/cockpit-ws
1000000+    47  0.0  0.0  11816  1808 ?        Ss   17:29   0:00 /bin/sh
1000000+    53  0.0  0.0  51708  1716 ?        R+   17:30   0:00 ps axwwu

sh-4.2$ cat /etc/cockpit/ws-certs.d/0-self-signed.cert
-----BEGIN CERTIFICATE-----
MIIDcTCCAlmgAwIBAgIJAL44CKVFQ7ufMA0GCSqGSIb3DQEBCwUAME4xKTAnBgNV
BAoMIDgzNzNjYWQ4ZTU5NDQzNmJhYjhkODcxMGJlMWYyZDg5MSEwHwYDVQQDDBhy
ZWdpc3RyeS1jb25zb2xlLTEtYnF0OTkwIBcNMTgxMDE4MDkyNTE3WhgPMjExODA5
MjQwOTI1MTdaME4xKTAnBgNVBAoMIDgzNzNjYWQ4ZTU5NDQzNmJhYjhkODcxMGJl
MWYyZDg5MSEwHwYDVQQDDBhyZWdpc3RyeS1jb25zb2xlLTEtYnF0OTkwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCicaPiiE+7xQRf29fvfBGvNu6WVfUL
pB98Rj0joSgLIDtUK/JfNBOtaJqvP4yN8/LJBDn/TIr0HoY3ab/Osu1+noO9nm3d
RIhvPMXkEUyeBiJ832a25HagDCNjC+Sj050r5mzu2CIS+Lc0BvCuIoBHC/V2KMFR
TaWRJAklA9y6U2B+VTgrNwIGqpIBZQsW5jYXLwjCMm1uW5ULf9cbzN0mys38vhyw
kfONMN1Wtq9lLhRCckrGtaljivvu1YYvazAs+Q8kZ7RQSGZVZDFYtOcODecs3FWc
gETxcl1YeGXhkvhkoT/hOtFoVH64CutDPSybcp6fofiyjM/bpJ60y4t7AgMBAAGj
UDBOMB0GA1UdDgQWBBTKLE+pcmilnBOE7gkEF7Th+E7QuDAfBgNVHSMEGDAWgBTK
LE+pcmilnBOE7gkEF7Th+E7QuDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA
A4IBAQBuHFzrPOt4aSig4aIUsnD37VVbJtII/AOadjrkxmjXmZ5alyz1GlovHwQ/
RR+VjXdAAuSv/7ZcxBjbiK7L77RdNhcsM9uX5rL4WdAsvZmi7VoRkIc71c610n8J
7G+llr/GBhTd/Yfou2XoO/Xn9Z1lckYp93mMieKkju8aLhgUZT5UPgSQ04oJz9Bu
+x0lWZ2obcHuu9eTjT4O+0lT4cKV3fvBCXqffwMFg8kCDNXqDxDkbwwlWGfYQAMv
yBwJty3//DWQeD3gDxqZ4xuKuILphojFGJo49x9TN9uSMq6oS0oR4SWA+RmKutrq
MByQy0zSOEU/c+CySegd3yezI1p4
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCicaPiiE+7xQRf
29fvfBGvNu6WVfULpB98Rj0joSgLIDtUK/JfNBOtaJqvP4yN8/LJBDn/TIr0HoY3
ab/Osu1+noO9nm3dRIhvPMXkEUyeBiJ832a25HagDCNjC+Sj050r5mzu2CIS+Lc0
BvCuIoBHC/V2KMFRTaWRJAklA9y6U2B+VTgrNwIGqpIBZQsW5jYXLwjCMm1uW5UL
f9cbzN0mys38vhywkfONMN1Wtq9lLhRCckrGtaljivvu1YYvazAs+Q8kZ7RQSGZV
ZDFYtOcODecs3FWcgETxcl1YeGXhkvhkoT/hOtFoVH64CutDPSybcp6fofiyjM/b
... TRIMMED!!
pJ60y4t7AgMBAAECggEBAIhz4xFoJWn6HimTlzjRRF2lTBc2j0e/Dr+qlLL4LZXi
9lNHMyorqZfRtZYeUKfxUnDuvvUoS9SyS1YC2576iCsDZnCCw5DJf73JFAX3Th+z
0YaJdlONZ+QbLiKGHAJNwMnenoSnQ0Aicmoepk/wJUcI0aD2rSTpj3lzBsd0Dhbo
md1BFSQduzJPo3Ehb7LLP8H6SEDGHK8LNE6oKl7fhNDew2UFQY58AzLM6RlHf1o4
vAvzpkQXNo0IqFn4HUjJQ4O15nI3uTsbgYqNtAtrZJXpjkOgS/McGKsPkMXAMTW3
yQ5qkCP6bhRVLr94nRnUrO7Zy1AkDpxFhiIfzLiw6SSaaN2s0TvJkfpKP6v0NReI
z68V8ITrJrs/+qgoQDTfzoll
-----END PRIVATE KEY-----





Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Ben Parees 2018-10-19 17:50:51 UTC 
Sounds like an installer issue (though i doubt it's a bug given that setting up the registry w/ security is the default flow), but in the meantime you can manually secure your registry:

https://docs.okd.io/latest/install_config/registry/securing_and_exposing_registry.html#securing-the-registry
Comment 2 Omer SEN 2018-10-19 17:58:00 UTC 
It is installer issue yes you are right. Even if docker regstry is HTTP only on GUI requests are made HTTPS(TLS/SSL)
Comment 3 Omer SEN 2018-10-19 18:05:31 UTC 
By the way steps defined at https://docs.okd.io/latest/install_config/registry/securing_and_exposing_registry.html#securing-the-registry

solved the issue. So it is an installation issue with predeployment.yml and deploy_cluster.yaml file
Comment 4 Scott Dodson 2018-10-19 18:25:05 UTC 
Right, The registry should've been secured from the start.

Do you by chance have the pod logs from the registry when it was serving up HTTP? When you went through the process to secure the registry were the secrets and such that you're creating not present?

Logs from the initial installation process would also be helpful as it will indicate whether or not the registry securing steps were skipped.
Comment 5 Omer SEN 2018-10-20 19:24:18 UTC 
[root@master ~]# oc get pods
NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-1-deploy   1/1       Running   0          25s
docker-registry-1-lxxgq    0/1       Running   0          18s
registry-console-1-bqt99   1/1       Running   1          2d
router-1-sp7ng             1/1       Running   0          30s
[root@master ~]# oc get pods
NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-1-lxxgq    1/1       Running   0          26s
registry-console-1-bqt99   1/1       Running   1          2d
router-1-sp7ng             1/1       Running   0          38s
[root@master ~]# oc logs docker-registry-1-lxxgq 
time="2018-10-20T19:23:09Z" level=warning msg="Ignoring unrecognized environment variable REGISTRY_CONSOLE_PORT" 
time="2018-10-20T19:23:09Z" level=warning msg="Ignoring unrecognized environment variable REGISTRY_CONSOLE_PORT_9000_TCP" 
time="2018-10-20T19:23:09Z" level=warning msg="Ignoring unrecognized environment variable REGISTRY_CONSOLE_PORT_9000_TCP_ADDR" 
time="2018-10-20T19:23:09Z" level=warning msg="Ignoring unrecognized environment variable REGISTRY_CONSOLE_PORT_9000_TCP_PORT" 
time="2018-10-20T19:23:09Z" level=warning msg="Ignoring unrecognized environment variable REGISTRY_CONSOLE_PORT_9000_TCP_PROTO" 
time="2018-10-20T19:23:09Z" level=warning msg="Ignoring unrecognized environment variable REGISTRY_CONSOLE_SERVICE_HOST" 
time="2018-10-20T19:23:09Z" level=warning msg="Ignoring unrecognized environment variable REGISTRY_CONSOLE_SERVICE_PORT" 
time="2018-10-20T19:23:09Z" level=warning msg="Ignoring unrecognized environment variable REGISTRY_CONSOLE_SERVICE_PORT_REGISTRY_CONSOLE" 
time="2018-10-20T19:23:09.689689042Z" level=info msg="start registry" distribution_version=v2.6.2+unknown go.version=go1.9.4 instance.id=2d4bb821-5437-4142-94b6-72b0711fdfea openshift_version=v3.11.16 
time="2018-10-20T19:23:09.69008905Z" level=info msg="quota enforcement disabled" go.version=go1.9.4 instance.id=2d4bb821-5437-4142-94b6-72b0711fdfea 
time="2018-10-20T19:23:09.691258199Z" level=info msg="redis not configured" go.version=go1.9.4 instance.id=2d4bb821-5437-4142-94b6-72b0711fdfea 
time="2018-10-20T19:23:09.69128997Z" level=info msg="Starting upload purge in 14m0s" go.version=go1.9.4 instance.id=2d4bb821-5437-4142-94b6-72b0711fdfea 
time="2018-10-20T19:23:09.707273301Z" level=info msg="using openshift blob descriptor cache" go.version=go1.9.4 instance.id=2d4bb821-5437-4142-94b6-72b0711fdfea 
time="2018-10-20T19:23:09.708131596Z" level=info msg="Using \"172.30.186.185:5000\" as Docker Registry URL" go.version=go1.9.4 instance.id=2d4bb821-5437-4142-94b6-72b0711fdfea 
time="2018-10-20T19:23:09.708158244Z" level=info msg="listening on :5000" go.version=go1.9.4 instance.id=2d4bb821-5437-4142-94b6-72b0711fdfea 
time="2018-10-20T19:23:16.292801131Z" level=info msg=response go.version=go1.9.4 http.request.host="10.129.0.4:5000" http.request.id=8d054b21-7a84-4948-8cbe-ea0376576e1b http.request.method=GET http.request.remoteaddr="10.129.0.1:34326" http.request.uri=/healthz http.request.useragent=kube-probe/1.11+ http.response.duration="68.358µs" http.response.status=200 http.response.written=0 instance.id=2d4bb821-5437-4142-94b6-72b0711fdfea 
time="2018-10-20T19:23:21.448776128Z" level=info msg=response go.version=go1.9.4 http.request.host="10.129.0.4:5000" http.request.id=4014dc06-d562-40ea-953d-762d58e360ba http.request.method=GET http.request.remoteaddr="10.129.0.1:34352" http.request.uri=/healthz http.request.useragent=kube-probe/1.11+ http.response.duration="43.189µs" http.response.status=200 http.response.written=0 instance.id=2d4bb821-5437-4142-94b6-72b0711fdfea 
time="2018-10-20T19:23:26.292163112Z" level=info msg=response go.version=go1.9.4 http.request.host="10.129.0.4:5000" http.request.id=12df32f2-ee3f-42f3-830e-f711ac49fcb1 http.request.method=GET http.request.remoteaddr="10.129.0.1:34372" http.request.uri=/healthz http.request.useragent=kube-probe/1.11+ http.response.duration="41.55µs" http.response.status=200 http.response.written=0 instance.id=2d4bb821-5437-4142-94b6-72b0711fdfea 
time="2018-10-20T19:23:31.44887342Z" level=info msg=response go.version=go1.9.4 http.request.host="10.129.0.4:5000" http.request.id=f52df27e-97bf-4627-865f-f1760f25cdab http.request.method=GET http.request.remoteaddr="10.129.0.1:34392" http.request.uri=/healthz http.request.useragent=kube-probe/1.11+ http.response.duration="53.534µs" http.response.status=200 http.response.written=0 instance.id=2d4bb821-5437-4142-94b6-72b0711fdfea 
[root@master ~]# 
[root@master ~]# 
[root@master ~]# oc logs docker-registry-1-lxxgq
Comment 6 Omer SEN 2018-10-20 19:29:25 UTC 
Created attachment 1495992 [details]
docker-registry-1.log
Comment 7 Omer SEN 2018-10-20 19:40:59 UTC 
Also for docker-registry it seems that there is no self signed certificate:



oc rsh docker-registry-1-lxxgq
sh-4.2$ ls /etc/cockpit
ls: cannot access /etc/cockpit: No such file or directory

From what i see since this is not created after install but we do create it using:

From: https://docs.openshift.com/container-platform/3.11/getting_started/configure_openshift.html#deploy-internal-registry


    Delete the default registry using the following command.

    $ oc delete all -l docker-registry=default

    Create the docker-registry service in the default project using the registry service account.

    $ oc adm registry

I think it has something to do with "oc adm registry" dont create HTTPS by default but HTTP
Comment 8 Omer SEN 2018-10-20 19:55:39 UTC 
I think i have found the error. Actually  deploy_cluster.yml works fine. It is the documentation. In documentation it says:

https://docs.openshift.com/container-platform/3.11/getting_started/configure_openshift.html#deploy-internal-registry


========================================================

Deploy an Internal Registry

Openshift provides an internal, integrated container image registry that can be deployed to locally manage images. OpenShift uses the docker-registry to store, retrieve, and build container images, as well as deploy and manage them throughout their lifecycle.

The installer creates a default registry.

    Delete the default registry using the following command.

    $ oc delete all -l docker-registry=default

    Create the docker-registry service in the default project using the registry service account.

    $ oc adm registry

===================================


So when we use only "oc adm registry" it created a docker-registry HTTP only. 

I think it is not an installer error but a documentation error. When I read it I simply delete default one created by installer (which contains HTTPS) and created a HTTP only docker-registry. 

After installation without deleting default registry. I can connect to HTTPS based docker-registry:

 openssl s_client -connect   docker-registry.default.svc:5000 
CONNECTED(00000003)
depth=1 CN = openshift-signer@1539853534
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=172.30.9.251
   i:/CN=openshift-signer@1539853534
 1 s:/CN=openshift-signer@1539853534
   i:/CN=openshift-signer@1539853534
 2 s:/CN=openshift-signer@1539853534
   i:/CN=openshift-signer@1539853534
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDhjCCAm6gAwIBAgIBCjANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu
c2hpZnQtc2lnbmVyQDE1Mzk4NTM1MzQwHhcNMTgxMDE4MDkxMzUwWhcNMjAxMDE3
MDkxMzUxWjAXMRUwEwYDVQQDEwwxNzIuMzAuOS4yNTEwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCfH7v6vAY+2lRY99eDp+okOhwH1QM2+jpEKNGmJLZ0
VYdneoAle55yB1pTGDrRqJdeQ9URWwLZKXgMiLiVN3K2EBTW1NRshN5a4TJaS6+r
+IURGrx44Kmih9Ct4B0ced1rq9zcWgkC6CSLDTSv60FqBhG4L4d7Yvo1X23HB1KM
B6owD1cTYLCCxMzQCUL416Zpj9E4C/T+YG/x3BiDjJYB6DTys0f6lHPSFD+jwBza
nWx+nj/FxVjYNxGXNv8yZav/Ss3mPW40m5RcJDIuFhc+Ayrc8vHgLZej345oF0bu
0JhPLlrO/3dLwkTJWGb8hztdQK1kBYxMISa/OzlktzqfAgMBAAGjgc0wgcowDgYD
VR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAw
gZQGA1UdEQSBjDCBiYIrZG9ja2VyLXJlZ2lzdHJ5LWRlZmF1bHQuYXBwcy5vcy5z
ZXJyYS5sb2NhbIIbZG9ja2VyLXJlZ2lzdHJ5LmRlZmF1bHQuc3Zjgilkb2NrZXIt
cmVnaXN0cnkuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbIIMMTcyLjMwLjkuMjUx
hwSsHgn7MA0GCSqGSIb3DQEBCwUAA4IBAQB32yTFFtaou4fhe6Meg7AMjBbfXk60
FOqpqE134JgQHeSbUtsxsRNn0UtcB//ArJkk+Cqi89tZ4hfEg0QFzR6mpZCvZfwI
ChD8LSj7zqw+5qP5d1S3fqM+CLw6D0hGztK6psw5BcWlgd1mvzsnq2w2n5j2h+dO
P6ZxV+rqk6HPPi2HNgKptzkkvlnzabpohYxjKr3MhQ+7Znp9mW1cZNtyEyG5McF4
QwPHhPGQsLa2JuFMuutw0NLihlSKQtSSkVvAOh15NvU9xiV0JErKw+x9WGGp6qWv
0ieKsdyGSMhGw1FsF90Xl8MGiWmUg9eQyqEj0QnIUlUMnRSfp0gn/1MB
-----END CERTIFICATE-----
subject=/CN=172.30.9.251
issuer=/CN=openshift-signer@1539853534
---
No client certificate CA names sent
Peer signing digest: SHA384
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3018 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 1860ADF87A7FEDC4FC8107909B0A6365C09E4AA8C080D6A4DCE5EF2318CFF76C
    Session-ID-ctx: 
    Master-Key: 3F67DF19AC4D2C42F8364BE9C585902DE9743CCDF804FF5777A2786CEE2615C44F2D62A6AEE7DC99EAD2060D10284BA8
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 83 a5 49 bf 94 b7 58 c8-63 33 b8 95 a4 05 fa 67   ..I...X.c3.....g
    0010 - a8 41 cf 2a fc 70 75 7a-15 6a 6c ae e3 0e df b8   .A.*.puz.jl.....
    0020 - 35 c1 67 a8 8a e7 d0 fa-17 fe 35 7d 2e dd 8d ad   5.g.......5}....
    0030 - 4f fb e9 34 de 7c 02 e3-35 16 0f 88 d2 4a 8d 3e   O..4.|..5....J.>
    0040 - 6a 35 7f 86 64 57 d1 ad-32 d0 90 49 d2 b4 82 2a   j5..dW..2..I...*
    0050 - 57 40 7f 4c c9 1c ee 49-b3 39 8f 3f a2 56 4d 77   W@.L...I.9.?.VMw
    0060 - 16 28 b9 ba 11 c4 9d ae-cb 1c 60 f1 2b db 47 d9   .(........`.+.G.
    0070 - 3b 60 55 7c 6b ed a1 c2-                          ;`U|k...

    Start Time: 1540065276
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
Comment 9 Scott Dodson 2018-10-22 12:24:55 UTC 
Omer,

Thanks for the followup. I'll move this to the documentation component.

Docs team,

comment #8 hilights that the documentation tells you to install a registry manually which lead the admin to uninstall the existing registry and then re-install it without securing it. We should clarify that when deploying via the installer the registry is deployed automatically and there's no need to take manual action.
Comment 10 Kathryn Alexander 2018-10-31 18:47:20 UTC 
PR's here: https://github.com/openshift/openshift-docs/pull/12727
Comment 11 Gaoyun Pei 2018-11-01 13:20:58 UTC 
LGTM according to Comment 9. We don't need the section about deleting default registry and then re-install it without securing it now.
Comment 12 openshift-github-bot 2018-11-01 13:25:00 UTC 
Commits pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/ea0836c20796f37ffcf03caa2c0d7a702cde82bb
bug 1641134 removing registry instructions

https://github.com/openshift/openshift-docs/commit/e8ec1ba0ba3028b62a558b1571dec4ac533faa97
Merge pull request #12727 from kalexand-rh/BZ1641134

bug 1641134 removing registry instructions
Comment 13 Kathryn Alexander 2018-11-01 13:26:05 UTC 
Thank you, Gaoyun! I'm merging back to 3.6 and waiting for the change to go live.
Comment 14 Kathryn Alexander 2018-11-05 16:50:19 UTC 
This change is live on docs.openshift, eg: https://docs.openshift.com/container-platform/3.10/getting_started/configure_openshift.html

And on the portal, eg: https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html-single/getting_started/
Comment 15 Michael Burke 2022-01-07 21:00:21 UTC 
*** Bug 1641794 has been marked as a duplicate of this bug. ***