Configuring local registry with self-signed certificate

You need to edit your /etc/ssl/openssl.cnf to have the FQDN (openmpi-dockerregistry.local) and the IP address in the IP SANs list. Add as follows:

[ v3_ca ]


# Extensions for a typical CA
subjectAltName = @alt_names
[ alt_names ]

IP.1 = <IP>
DNS.1 = openmpi-dockerregistry.local

Now generate the cert using the following command:

openssl req -config /etc/ssl/openssl.cnf \                                 
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -x509 -days 365 -out certs/domain.crt \
  -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=openmpi-dockerregistry.local"

Check whether the cert has the IP and the DNS in the IP SANs list with this command:

openssl x509 -in domain.crt -text -noout

You should see something like this in the output if all went right:

X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:<IP>, DNS:openmpi-dockerregistry.local

Now copy this cert in the client docker certs directory in the following location:

/etc/docker/certs.d/openmpi-dockerregistry.local/ca.crt

You should be good now.

I think the problem is that you didn't copy the certificate and key in the /etc/docker/certs.d/ folder.

The folder should look like this:

/etc/docker/certs.d/
└── openmpi-dockerregistry.local:443
   ├── client.cert
   ├── client.key
   └── ca.crt

In my case I had no ca.crt and it worked fine.

Reference: https://docs.docker.com/engine/security/certificates/

---

I implemented your setup on my machine, everything worked fine after I copied domain.key and domain.crt (and renamed them) in the /etc/docker/certs.d folder. The only difference was that I used openmpi-dockerregistry as a domain instead of openmpi-dockerregistry.local