
Docker Registry with Self-Signed Certificate

$ mkdir certs
$ openssl req \
    -newkey rsa:4096 \
    -nodes \
    -sha256 \
    -keyout certs/domain.key \
    -x509 \
    -days 365 \
    -out certs/domain.crt
$ docker secret create domain.crt certs/domain.crt
$ docker secret create domain.key certs/domain.key
$ docker secret ls
ID                          NAME                DRIVER              CREATED             UPDATED
108vdrp0wpa7sl2b99gvqp2gd   domain.crt                              4 days ago          4 days ago
rjx8c7h8j0k2yb19dxae25nji   domain.key                              4 days ago          4 days ago
$ docker service create --name registry \
    --secret domain.crt \
    --secret domain.key \
    --constraint 'node.labels.registry==true' \
    --mount type=bind,src=/mnt/registry,dst=/var/lib/registry \
    -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/run/secrets/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/run/secrets/domain.key \
    --publish published=443,target=443 \
    --replicas 1 registry:2

On every Docker daemon host that will push to or pull from the registry, do the following. The directory name under /etc/docker/certs.d must be exactly the hostname (and port, if any) that clients use to reach the registry, here registry.bampi.net:

sudo mkdir -p /etc/docker/certs.d/registry.bampi.net
sudo mv domain.crt /etc/docker/certs.d/registry.bampi.net/ca.crt
sudo chown root:root /etc/docker/certs.d/registry.bampi.net/ca.crt
sudo systemctl restart docker.service

If a host is a pure Docker client environment (it runs only the Docker client, not a daemon), also trust the certificate at the OS level. The following uses CentOS 6.9 as an example:

sudo cp certs/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
sudo update-ca-trust
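The openssl req command at the top of this note leaves the certificate with nothing but the Common Name you type at the prompt. Docker's Go-based TLS client matches the registry hostname against the SubjectAltName extension and rejects a certificate that has none, so the daemons would refuse the registry even with ca.crt in place. The script below is an added example, not part of the original note: it generates the certificate with a SAN for the registry hostname and runs the checks worth doing before copying domain.crt into certs.d (private key matches the certificate, SAN lists the hostname, certificate verifies against itself as ca.crt), and contrasts it with a CN-only certificate made the way the note does. The hostname registry.example.test and the temporary directory are constructed values; it assumes OpenSSL 1.1.1 or newer for the -addext option.

```shell
#!/bin/sh
# Added example (not from the original note): self-signed registry certificate
# with a SAN, plus the pre-trust checks. Assumes openssl >= 1.1.1 for -addext.
set -eu

# gen_registry_cert HOST OUTDIR
# Writes OUTDIR/domain.key and OUTDIR/domain.crt with DNS:HOST as a SAN, which is
# the field Docker's TLS client matches the registry hostname against.
gen_registry_cert() {
    host=$1; outdir=$2
    mkdir -p "$outdir"
    openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 365 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$outdir/domain.key" -out "$outdir/domain.crt" 2>/dev/null
}

# cert_key_match CERT KEY : succeeds when the certificate's public key is the
# public half of KEY (catches a mixed-up key/cert pair before it reaches the secret store)
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# cert_has_san CERT HOST : succeeds when the certificate lists DNS:HOST as a SAN
# (-text is used instead of -ext so this works on older OpenSSL as well)
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_self_verifies CERT : succeeds when CERT validates with itself as the CA,
# which is what a daemon does once the file sits in certs.d/<host>/ca.crt
cert_self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# --- demo run on constructed values ---
DEMO_HOST=registry.example.test
DEMO_DIR=$(mktemp -d)

gen_registry_cert "$DEMO_HOST" "$DEMO_DIR"

# For contrast: a certificate made the way the note does it, CN only, no SAN.
openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 -subj "/CN=$DEMO_HOST" \
    -keyout "$DEMO_DIR/legacy.key" -out "$DEMO_DIR/legacy.crt" 2>/dev/null

# report LABEL CMD... : print PASS/FAIL without aborting under set -e
report() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

report "domain.key matches domain.crt"           cert_key_match "$DEMO_DIR/domain.crt" "$DEMO_DIR/domain.key"
report "domain.crt lists DNS:$DEMO_HOST"         cert_has_san "$DEMO_DIR/domain.crt" "$DEMO_HOST"
report "domain.crt verifies as its own CA"       cert_self_verifies "$DEMO_DIR/domain.crt"
report "legacy.crt lists DNS:$DEMO_HOST (expect FAIL)" cert_has_san "$DEMO_DIR/legacy.crt" "$DEMO_HOST"
report "legacy.key matches domain.crt (expect FAIL)"   cert_key_match "$DEMO_DIR/domain.crt" "$DEMO_DIR/legacy.key"
```

Only domain.crt leaves the host that generated it: it becomes ca.crt under /etc/docker/certs.d/<host>/ and, where needed, the OS trust anchor, while domain.key goes nowhere except the Swarm secret store. The DNS name in the SAN must be the same string as the certs.d directory name and as the hostname in image references, otherwise the daemon's hostname check fails even though the CA is trusted.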
