Include procedures for self-signed cert and Let's Encrypt

2025-07-13 15:18:56 -04:00 · 2025-07-13 15:18:56 -04:00 · 502643b5b0
commit 502643b5b0
parent df7386c60d
1 changed files with 32 additions and 42 deletions
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@ -714,29 +714,25 @@ sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/registry/config.yml
 sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/config.yml
 ```

-#### 5.4 Generate TLS Certificate
+#### 5.4 Generate TLS Certificate and Install in Docker Trust Store

 **Choose one of the following options based on whether you have a domain name:**

-### **Option A: Self-Signed Certificate (No Domain Required)**
+---

-This option works with IP addresses and is suitable for development/testing environments.
+#### **Option A: Self-Signed Certificate (No Domain Required)**
+
+**Perform all of these steps if you do NOT have a domain name:**

 ```bash
-# Create certificate directory
+# 1. Generate self-signed certificate
 sudo mkdir -p /opt/registry/certs
 sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/certs
 cd /opt/registry/certs
-
-# Generate private key (4096-bit RSA)
 sudo -u CI_SERVICE_USER openssl genrsa -out registry.key 4096
-
-# Generate certificate signing request
 sudo -u CI_SERVICE_USER openssl req -new -key registry.key \
    -out registry.csr \
    -subj "/C=US/ST=State/L=City/O=Organization/OU=IT/CN=YOUR_ACTUAL_IP_ADDRESS"
-
-# Create certificate configuration for Subject Alternative Names (SAN)
 sudo -u CI_SERVICE_USER tee registry.conf > /dev/null << EOF
 [req]
 distinguished_name = req_distinguished_name
@ -762,72 +758,66 @@ DNS.2 = localhost
 IP.1 = YOUR_ACTUAL_IP_ADDRESS
 IP.2 = 127.0.0.1
 EOF
-
-# Generate self-signed certificate (valid for 365 days)
 sudo -u CI_SERVICE_USER openssl x509 -req -in registry.csr \
    -signkey registry.key \
    -out registry.crt \
    -days 365 \
    -extensions v3_req \
    -extfile registry.conf
-
-# Set proper permissions
 sudo chmod 600 registry.key
 sudo chmod 644 registry.crt
-
-# Verify certificate
 sudo -u CI_SERVICE_USER openssl x509 -in registry.crt -text -noout

-echo "Self-signed TLS certificate generated successfully!"
-echo "Certificate: /opt/registry/certs/registry.crt"
-echo "Private key: /opt/registry/certs/registry.key"
-echo "Note: This certificate will need to be renewed manually in 365 days"
+# 2. Install certificate into Docker trust store
+sudo mkdir -p /etc/docker/certs.d/registry
+sudo cp /opt/registry/certs/registry.crt /etc/docker/certs.d/registry/ca.crt
+sudo cp /opt/registry/certs/registry.crt /usr/local/share/ca-certificates/registry-ca.crt
+sudo update-ca-certificates
+sudo systemctl restart docker
 ```

-### **Option B: Let's Encrypt Certificate (Domain Required)**
+---

-If you have a domain name pointing to your server, use this option for production-ready certificates.
+#### **Option B: Let's Encrypt Certificate (Domain Required)**
+
+**Perform all of these steps if you DO have a domain name:**

 ```bash
-# Install Certbot and Nginx plugin
+# 1. Generate Let's Encrypt certificate
 sudo apt update
 sudo apt install -y certbot python3-certbot-nginx
-
-# Generate certificate using standalone mode
 sudo certbot certonly --standalone \
    --email your-email@example.com \
    --agree-tos \
    --no-eff-email \
    -d YOUR_DOMAIN_NAME
-
-# Verify certificate generation
 sudo certbot certificates
-
-# Create certificate directory for Caddy
 sudo mkdir -p /opt/registry/certs
 sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/certs
-
-# Copy Let's Encrypt certificates to registry directory
 sudo cp /etc/letsencrypt/live/YOUR_DOMAIN_NAME/fullchain.pem /opt/registry/certs/registry.crt
 sudo cp /etc/letsencrypt/live/YOUR_DOMAIN_NAME/privkey.pem /opt/registry/certs/registry.key
-
-# Set proper permissions
 sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/certs/registry.crt
 sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/certs/registry.key
 sudo chmod 644 /opt/registry/certs/registry.crt
 sudo chmod 600 /opt/registry/certs/registry.key

-echo "Let's Encrypt certificate generated successfully!"
-echo "Certificate: /opt/registry/certs/registry.crt"
-echo "Private key: /opt/registry/certs/registry.key"
-echo "Certificate will auto-renew every 60 days"
+# 2. Install certificate into Docker trust store
+sudo mkdir -p /etc/docker/certs.d/YOUR_DOMAIN_NAME
+sudo cp /opt/registry/certs/registry.crt /etc/docker/certs.d/YOUR_DOMAIN_NAME/ca.crt
+sudo systemctl restart docker
 ```

-**Note**: 
- For **Option A**: Replace `YOUR_ACTUAL_IP_ADDRESS` with your server's IP address
- For **Option B**: Replace `YOUR_DOMAIN_NAME` with your domain name and `your-email@example.com` with your email address
+---

-#### 5.5 Install Certificate into Docker Trust Store
+**Note:**
+- For **Option A**: Replace `YOUR_ACTUAL_IP_ADDRESS` with your server's IP address.
+- For **Option B**: Replace `YOUR_DOMAIN_NAME` with your domain name and `your-email@example.com` with your email address.
+
+---
+
+**After completing the steps for your chosen option, continue with Step 5.7 (Start Docker Registry with Docker Compose).**
+
+#### 5.5 Install Certificate into Docker Trust Store (Option B Only)

 **Important**: This step adds the Let's Encrypt certificate to Docker's trust store. Since Let's Encrypt is a trusted CA, Docker will automatically trust this certificate.

@ -853,7 +843,7 @@ echo "Certificate installation completed successfully!"
 echo "Docker can now connect to the registry securely using your domain name"
 ```

-#### 5.6 Set Up Automatic Certificate Renewal
+#### 5.6 Set Up Automatic Certificate Renewal (Option B Only)

 **Important**: Let's Encrypt certificates expire after 90 days, so we need to set up automatic renewal.