Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 4. Using SSL to protect connections to Red Hat Quay

4.1. Using SSL/TLS
Link kopieren

To configure Red Hat Quay with a self-signed certificate, you must create a Certificate Authority (CA) and a primary key file named ssl.cert and ssl.key.

Note

The following examples assume that you have configured the server hostname quay-server.example.com using DNS or another naming mechanism, such as adding an entry in your /etc/hosts file. For more information, see "Configuring port mapping for Red Hat Quay".

4.2. Creating a Certificate Authority
Link kopieren

Use the following procedure to create a Certificate Authority (CA).

Procedure

  1. Generate the root CA key by entering the following command: 

    $ openssl genrsa -out rootCA.key 2048
    Copy to Clipboard Toggle word wrap

  2. Generate the root CA certificate by entering the following command: 

    $ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
    Copy to Clipboard Toggle word wrap

  3. Enter the information that will be incorporated into your certificate request, including the server hostname, for example: 

    Country Name (2 letter code) [XX]:IE
State or Province Name (full name) []:GALWAY
Locality Name (eg, city) [Default City]:GALWAY
Organization Name (eg, company) [Default Company Ltd]:QUAY
Organizational Unit Name (eg, section) []:DOCS
Common Name (eg, your name or your server's hostname) []:quay-server.example.com
    Copy to Clipboard Toggle word wrap

4.2.1. Signing the certificate
Link kopieren

Use the following procedure to sign the certificate.

Procedure

  1. Generate the server key by entering the following command: 

    $ openssl genrsa -out ssl.key 2048
    Copy to Clipboard Toggle word wrap

  2. Generate a signing request by entering the following command: 

    $ openssl req -new -key ssl.key -out ssl.csr
    Copy to Clipboard Toggle word wrap

  3. Enter the information that will be incorporated into your certificate request, including the server hostname, for example: 

    Country Name (2 letter code) [XX]:IE
State or Province Name (full name) []:GALWAY
Locality Name (eg, city) [Default City]:GALWAY
Organization Name (eg, company) [Default Company Ltd]:QUAY
Organizational Unit Name (eg, section) []:DOCS
Common Name (eg, your name or your server's hostname) []:quay-server.example.com
    Copy to Clipboard Toggle word wrap

  4. Create a configuration file openssl.cnf, specifying the server hostname, for example:

    openssl.cnf

    [req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = quay-server.example.com
IP.1 = 192.168.1.112
    Copy to Clipboard Toggle word wrap

  5. Use the configuration file to generate the certificate ssl.cert: 

    $ openssl x509 -req -in ssl.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ssl.cert -days 356 -extensions v3_req -extfile openssl.cnf
    Copy to Clipboard Toggle word wrap

4.3. Configuring SSL/TLS using the command line interface
Link kopieren

Use the following procedure to configure SSL/TLS using the CLI.

Prerequisites

  • You have created a certificate authority and signed the certificate.

Procedure

  1. Copy the certificate file and primary key file to your configuration directory, ensuring they are named ssl.cert and ssl.key respectively: 

    cp ~/ssl.cert ~/ssl.key $QUAY/config
    Copy to Clipboard Toggle word wrap

  2. Change into the $QUAY/config directory by entering the following command: 

    $ cd $QUAY/config
    Copy to Clipboard Toggle word wrap

  3. Edit the config.yaml file and specify that you want Red Hat Quay to handle TLS/SSL:

    config.yaml

    ...
SERVER_HOSTNAME: quay-server.example.com
...
PREFERRED_URL_SCHEME: https
...
    Copy to Clipboard Toggle word wrap

  4. Optional: Append the contents of the rootCA.pem file to the end of the ssl.cert file by entering the following command: 

    $ cat rootCA.pem >> ssl.cert
    Copy to Clipboard Toggle word wrap

  5. Stop the Quay container by entering the following command: 

    $ sudo podman stop quay
    Copy to Clipboard Toggle word wrap

  6. Restart the registry by entering the following command: 

    $ sudo podman run -d --rm -p 80:8080 -p 443:8443 \
  --name=quay \
  -v $QUAY/config:/conf/stack:Z \
  -v $QUAY/storage:/datastorage:Z \
  registry.redhat.io/quay/quay-rhel8:v3.10.9
    Copy to Clipboard Toggle word wrap

4.4. Configuring SSL/TLS using the Red Hat Quay UI
Link kopieren

Use the following procedure to configure SSL/TLS using the Red Hat Quay UI.

To configure SSL/TLS using the command line interface, see "Configuring SSL/TLS using the command line interface".

Prerequisites

  • You have created a certificate authority and signed a certificate.

Procedure

  1. Start the Quay container in configuration mode: 

    $ sudo podman run --rm -it --name quay_config -p 80:8080 -p 443:8443 registry.redhat.io/quay/quay-rhel8:v3.10.9 config secret
    Copy to Clipboard Toggle word wrap
  2. In the Server Configuration section, select Red Hat Quay handles TLS for SSL/TLS. Upload the certificate file and private key file created earlier, ensuring that the Server Hostname matches the value used when the certificates were created.
  3. Validate and download the updated configuration.

  4. Stop the Quay container and then restart the registry by entering the following command: 

    $ sudo podman rm -f quay
$ sudo podman run -d --rm -p 80:8080 -p 443:8443 \
--name=quay \
-v $QUAY/config:/conf/stack:Z \
-v $QUAY/storage:/datastorage:Z \
registry.redhat.io/quay/quay-rhel8:v3.10.9
    Copy to Clipboard Toggle word wrap

4.5. Testing the SSL/TLS configuration using the CLI
Link kopieren

Use the following procedure to test your SSL/TLS configuration using the CLI.

Procedure

  • Enter the following command to attempt to log in to the Red Hat Quay registry with SSL/TLS enabled: 

    $ sudo podman login quay-server.example.com
    Copy to Clipboard Toggle word wrap

    Example output 

    Error: error authenticating creds for "quay-server.example.com": error pinging docker registry quay-server.example.com: Get "https://quay-server.example.com/v2/": x509: certificate signed by unknown authority
    Copy to Clipboard Toggle word wrap

    1. Because Podman does not trust self-signed certificates, you must use the --tls-verify=false option: 

      $ sudo podman login --tls-verify=false quay-server.example.com
      Copy to Clipboard Toggle word wrap

      Example output

      Login Succeeded!
      Copy to Clipboard Toggle word wrap

      In a subsequent section, you will configure Podman to trust the root Certificate Authority.

4.6. Testing the SSL/TLS configuration using a browser
Link kopieren

Use the following procedure to test your SSL/TLS configuration using a browser.

Procedure

  1. Navigate to your Red Hat Quay registry endpoint, for example, https://quay-server.example.com. If configured correctly, the browser warns of the potential risk:

    Potential risk

  2. Proceed to the log in screen. The browser notifies you that the connection is not secure. For example:

    Connection not secure

    In the following section, you will configure Podman to trust the root Certificate Authority.

4.7. Configuring Podman to trust the Certificate Authority
Link kopieren

Podman uses two paths to locate the Certificate Authority (CA) file: /etc/containers/certs.d/ and /etc/docker/certs.d/. Use the following procedure to configure Podman to trust the CA.

Procedure

  1. Copy the root CA file to one of /etc/containers/certs.d/ or /etc/docker/certs.d/. Use the exact path determined by the server hostname, and name the file ca.crt: 

    $ sudo cp rootCA.pem /etc/containers/certs.d/quay-server.example.com/ca.crt
    Copy to Clipboard Toggle word wrap

  2. Verify that you no longer need to use the --tls-verify=false option when logging in to your Red Hat Quay registry: 

    $ sudo podman login quay-server.example.com
    Copy to Clipboard Toggle word wrap

    Example output

    Login Succeeded!
    Copy to Clipboard Toggle word wrap

4.8. Configuring the system to trust the certificate authority
Link kopieren

Use the following procedure to configure your system to trust the certificate authority.

Procedure

  1. Enter the following command to copy the rootCA.pem file to the consolidated system-wide trust store: 

    $ sudo cp rootCA.pem /etc/pki/ca-trust/source/anchors/
    Copy to Clipboard Toggle word wrap

  2. Enter the following command to update the system-wide trust store configuration: 

    $ sudo update-ca-trust extract
    Copy to Clipboard Toggle word wrap

  3. Optional. You can use the trust list command to ensure that the Quay server has been configured: 

    $ trust list | grep quay
    label: quay-server.example.com
    Copy to Clipboard Toggle word wrap

    Now, when you browse to the registry at https://quay-server.example.com, the lock icon shows that the connection is secure:

    Connection not secure

  4. To remove the rootCA.pem file from system-wide trust, delete the file and update the configuration: 

    $ sudo rm /etc/pki/ca-trust/source/anchors/rootCA.pem
    Copy to Clipboard Toggle word wrap 
    $ sudo update-ca-trust extract
    Copy to Clipboard Toggle word wrap 
    $ trust list | grep quay
    Copy to Clipboard Toggle word wrap

More information can be found in the RHEL 9 documentation in the chapter Using shared system certificates.

Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat