Chapter 4. Using SSL to protect connections to Red Hat Quay

Procedure

1. Generate the root CA key by entering the following command:

   $ openssl genrsa -out rootCA.key 2048

   Copy to Clipboard Toggle word wrap

2. Generate the root CA certificate by entering the following command:

   $ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

   Copy to Clipboard Toggle word wrap

3. Enter the information that will be incorporated into your certificate request, including the server hostname, for example:

   Country Name (2 letter code) [XX]:IE
   State or Province Name (full name) []:GALWAY
   Locality Name (eg, city) [Default City]:GALWAY
   Organization Name (eg, company) [Default Company Ltd]:QUAY
   Organizational Unit Name (eg, section) []:DOCS
   Common Name (eg, your name or your server's hostname) []:quay-server.example.com

   Copy to Clipboard Toggle word wrap

4. Generate the server key by entering the following command:

   $ openssl genrsa -out ssl.key 2048

   Copy to Clipboard Toggle word wrap

5. Generate a signing request by entering the following command:

   $ openssl req -new -key ssl.key -out ssl.csr

   Copy to Clipboard Toggle word wrap

6. Enter the information that will be incorporated into your certificate request, including the server hostname, for example:

   Country Name (2 letter code) [XX]:IE
   State or Province Name (full name) []:GALWAY
   Locality Name (eg, city) [Default City]:GALWAY
   Organization Name (eg, company) [Default Company Ltd]:QUAY
   Organizational Unit Name (eg, section) []:DOCS
   Common Name (eg, your name or your server's hostname) []:quay-server.example.com
   Email Address []:

   Copy to Clipboard Toggle word wrap

7. Create a configuration file openssl.cnf, specifying the server hostname, for example:

   Example openssl.cnf file

   [req]
   req_extensions = v3_req
   distinguished_name = req_distinguished_name
   [req_distinguished_name]
   [ v3_req ]
   basicConstraints = CA:FALSE
   keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   subjectAltName = @alt_names
   [alt_names]
   DNS.1 = <quay-server.example.com>
   IP.1 = 192.168.1.112

   Copy to Clipboard Toggle word wrap

8. Use the configuration file to generate the certificate ssl.cert:

   $ openssl x509 -req -in ssl.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ssl.cert -days 356 -extensions v3_req -extfile openssl.cnf

   Copy to Clipboard Toggle word wrap

9. Confirm your created certificates and files by entering the following command:

   $ ls /path/to/certificates

   Copy to Clipboard Toggle word wrap

   Example output

   rootCA.key ssl-bundle.cert ssl.key custom-ssl-config-bundle-secret.yaml rootCA.pem ssl.cert
   openssl.cnf rootCA.srl  ssl.csr

   Copy to Clipboard Toggle word wrap

Procedure

1. Copy the certificate file and primary key file to your configuration directory, ensuring they are named ssl.cert and ssl.key respectively:

   cp ~/ssl.cert ~/ssl.key /path/to/configuration_directory

   Copy to Clipboard Toggle word wrap

2. Navigate to the configuration directory by entering the following command:

   $ cd /path/to/configuration_directory

   Copy to Clipboard Toggle word wrap

3. Edit the config.yaml file and specify that you want Red Hat Quay to handle SSL/TLS:

   Example config.yaml file

   # ...
   SERVER_HOSTNAME: <quay-server.example.com>
   ...
   PREFERRED_URL_SCHEME: https
   # ...

   Copy to Clipboard Toggle word wrap

4. Optional: Append the contents of the rootCA.pem file to the end of the ssl.cert file by entering the following command:

   $ cat rootCA.pem >> ssl.cert

   Copy to Clipboard Toggle word wrap

5. Stop the Quay container by entering the following command:

   $ sudo podman stop <quay_container_name>

   Copy to Clipboard Toggle word wrap

6. Restart the registry by entering the following command:

   $ sudo podman run -d --rm -p 80:8080 -p 443:8443 \
     --name=quay \
     -v $QUAY/config:/conf/stack:Z \
     -v $QUAY/storage:/datastorage:Z \
     registry.redhat.io/quay/quay-rhel8:v3.13.7

   Copy to Clipboard Toggle word wrap

Procedure

1. Start the Quay container in configuration mode:

   $ sudo podman run --rm -it --name quay_config -p 80:8080 -p 443:8443 registry.redhat.io/quay/quay-rhel8:v3.13.7 config secret

   Copy to Clipboard Toggle word wrap
2. In the Server Configuration section, select Red Hat Quay handles TLS for SSL/TLS. Upload the certificate file and private key file created earlier, ensuring that the Server Hostname matches the value used when the certificates were created.
3. Validate and download the updated configuration.

4. Stop the Quay container and then restart the registry by entering the following command:

   $ sudo podman rm -f quay
   $ sudo podman run -d --rm -p 80:8080 -p 443:8443 \
   --name=quay \
   -v $QUAY/config:/conf/stack:Z \
   -v $QUAY/storage:/datastorage:Z \
   registry.redhat.io/quay/quay-rhel8:v3.13.7

   Copy to Clipboard Toggle word wrap

Procedure

1. Enter the following command to attempt to log in to the Red Hat Quay registry with SSL/TLS enabled:

   $ sudo podman login quay-server.example.com

   Copy to Clipboard Toggle word wrap

   Example output

   Error: error authenticating creds for "quay-server.example.com": error pinging docker registry quay-server.example.com: Get "https://quay-server.example.com/v2/": x509: certificate signed by unknown authority

   Copy to Clipboard Toggle word wrap

2. Because Podman does not trust self-signed certificates, you must use the --tls-verify=false option:

   $ sudo podman login --tls-verify=false quay-server.example.com

   Copy to Clipboard Toggle word wrap

   Example output

   Login Succeeded!

   Copy to Clipboard Toggle word wrap

   In a subsequent section, you will configure Podman to trust the root Certificate Authority.

Procedure

1. Navigate to your Red Hat Quay registry endpoint, for example, https://quay-server.example.com. If configured correctly, the browser warns of the potential risk:

   

2. Proceed to the log in screen. The browser notifies you that the connection is not secure. For example:

   

   In the following section, you will configure Podman to trust the root Certificate Authority.

Procedure

1. Copy the root CA file to one of /etc/containers/certs.d/ or /etc/docker/certs.d/. Use the exact path determined by the server hostname, and name the file ca.crt:

   $ sudo cp rootCA.pem /etc/containers/certs.d/quay-server.example.com/ca.crt

   Copy to Clipboard Toggle word wrap

2. Verify that you no longer need to use the --tls-verify=false option when logging in to your Red Hat Quay registry:

   $ sudo podman login quay-server.example.com

   Copy to Clipboard Toggle word wrap

   Example output

   Login Succeeded!

   Copy to Clipboard Toggle word wrap

Procedure

1. Enter the following command to copy the rootCA.pem file to the consolidated system-wide trust store:

   $ sudo cp rootCA.pem /etc/pki/ca-trust/source/anchors/

   Copy to Clipboard Toggle word wrap

2. Enter the following command to update the system-wide trust store configuration:

   $ sudo update-ca-trust extract

   Copy to Clipboard Toggle word wrap

3. Optional. You can use the trust list command to ensure that the Quay server has been configured:

   $ trust list | grep quay
       label: quay-server.example.com

   Copy to Clipboard Toggle word wrap

   Now, when you browse to the registry at https://quay-server.example.com, the lock icon shows that the connection is secure:

   

4. To remove the rootCA.pem file from system-wide trust, delete the file and update the configuration:

   $ sudo rm /etc/pki/ca-trust/source/anchors/rootCA.pem

   Copy to Clipboard Toggle word wrap

   $ sudo update-ca-trust extract

   Copy to Clipboard Toggle word wrap

   $ trust list | grep quay

   Copy to Clipboard Toggle word wrap