I wanted to set up a Docker Registry to hold some private images, and after some tinkering ended up with this docker-compose.yml:
version: '3.7'
services:
  registry:
    restart: always
    image: registry:2
    ports:
      - "5000:5000"
    environment:
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
    volumes:
      - /path/for/registry/images:/var/lib/registry
      - /path/for/certs:/certs
      - /path/for/auth:/auth
- Create a self-signed certificate
Required step: add subjectAltName to openssl.cnf, otherwise docker login will fail later.
sudo vim /etc/ssl/openssl.cnf
Add it under [ v3_ca ]:
[ v3_ca ]
subjectAltName=IP:X.X.X.X
Create the certificate; the default values are fine.
mkdir -p certs
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
Just press Enter through all the prompts:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
- Install the self-signed certificate on the Docker Registry server and on the Docker clients
sudo mkdir -p /etc/docker/certs.d/X.X.X.X:5000
sudo cp certs/domain.crt /etc/docker/certs.d/X.X.X.X:5000/ca.crt
sudo cp certs/domain.crt /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates
- Add user authentication
mkdir auth
docker run -it --entrypoint htpasswd -v $PWD/auth:/auth -w /auth registry:2 -Bbc /auth/htpasswd username password
- Create the Docker Registry
sudo systemctl restart docker  # restart the docker daemon first
docker-compose up --build --no-start
docker-compose start
- Verify
docker login -u username X.X.X.X:5000
docker push X.X.X.X:5000/image:tag
docker pull X.X.X.X:5000/image:tag
docker logout
If you hit the error below, it is almost always because subjectAltName was not set in the first step:
Error response from daemon: Get https://X.X.X.X:5000/v2/: x509: cannot validate certificate for X.X.X.X because it doesn't contain any IP SANs
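As an added helper (my own, not from the post), the script below covers the certificate step and the x509 error above: it writes a per-certificate openssl config carrying the IP SAN instead of editing the global /etc/ssl/openssl.cnf, builds the same openssl req command with -config, and checks an existing domain.crt for the IP SAN so the "doesn't contain any IP SANs" failure is caught before docker login. Function names are mine; it assumes openssl 1.1.1+ on PATH for the generate/check subcommands, and 192.0.2.10 stands in for X.X.X.X.

```python
import re
import subprocess
import sys
from pathlib import Path
# Hypothetical helper names; 192.0.2.10 used in examples is a constructed stand-in for X.X.X.X.

def san_openssl_config(ip, cn="registry"):
    """Per-cert config (global openssl.cnf untouched); [v3_ca] is what `req -x509` applies."""
    return "\n".join([
        "[req]", "distinguished_name = dn", "x509_extensions = v3_ca",
        "prompt = no",  # no interactive DN prompts; the CN comes from [dn]
        "[dn]", f"CN = {cn}",
        "[v3_ca]", "basicConstraints = critical, CA:TRUE", f"subjectAltName = IP:{ip}", "",
    ])

def openssl_req_cmd(cfg, key, crt, days=365):
    """The post's openssl req command plus -config, so the SAN is picked up."""
    return ["openssl", "req", "-newkey", "rsa:4096", "-nodes", "-sha256", "-x509",
            "-days", str(days), "-config", str(cfg), "-keyout", str(key), "-out", str(crt)]

_SAN_RE = re.compile(r"(IP Address|DNS):([^,\s]+)")

def parse_sans(ext_text):
    """Parse `openssl x509 -noout -ext subjectAltName` output into IP and DNS lists."""
    sans = {"IP": [], "DNS": []}
    for kind, value in _SAN_RE.findall(ext_text):
        sans["IP" if kind == "IP Address" else "DNS"].append(value)
    return sans

def cert_covers_ip(ext_text, ip):
    """docker needs the registry IP as an IP SAN; CN and DNS SANs don't count for an IP host."""
    return ip in parse_sans(ext_text)["IP"]

def main(argv):
    if argv[1:2] == ["generate"]:  # generate <ip> <outdir>
        ip, out = argv[2], Path(argv[3])
        out.mkdir(parents=True, exist_ok=True)
        cfg = out / "san.cnf"
        cfg.write_text(san_openssl_config(ip))
        subprocess.run(openssl_req_cmd(cfg, out / "domain.key", out / "domain.crt"), check=True)
        return 0
    if argv[1:2] == ["check"]:  # check <cert.crt> <ip>
        text = subprocess.run(["openssl", "x509", "-in", argv[2], "-noout", "-ext", "subjectAltName"],
                              capture_output=True, text=True, check=True).stdout
        ok = cert_covers_ip(text, argv[3])
        print("IP SAN present" if ok else "missing IP SAN: docker login will fail")
        return 0 if ok else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python3 registry_san.py generate 192.0.2.10 certs` to replace the interactive openssl step, then `python3 registry_san.py check certs/domain.crt 192.0.2.10` before copying the cert into /etc/docker/certs.d.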