Docker Notary Server is necessary for applying proper Docker DCT. But the support for applying your own TLS/SSL Certificate is.. shall we say.. ancient. Sure, you can supply your own certificate, docker-compose build, docker-compose up -d aaaaand.. Docker Notary Server is running with the supplied certificate, generated with LetsEncrypt, valid for.. three months..
Here’s how to use NGinX as a reverse proxy, with LetsEncrypt certificate for Docker Notary Server Upstream.
First, Install Docker Notary Server as you normally would
~$ git clone https://github.com/docker/notary.git
...
~$ docker-compose build
~$ docker-compose up -d
Second, Apply the following NGinX configuration on the front-end reverse proxy:
server {
listen 4444 ssl http2;
listen [::]:4444 ssl http2;
server_name dockerreg.tld;
error_log /var/log/nginx/dockrreg-tld-notary-error.log;
access_log /var/log/nginx/dockrreg-tld-notary-access.log;
ssl_certificate /etc/letsencrypt/live/dockerreg.tld/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/dockerreg.tld/privkey.pem; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_pass https://localhost:4443/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_read_timeout 900;
}
}
Third, Set the Docker DCT environment variables as you normally would. Notice the port 4444
export DOCKER_CONTENT_TRUST_SERVER=https://dockerreg.tld:4444
export DOCKER_CONTENT_TRUST=1
Trust in the container ?