I'm currently implementing a private Docker Registry server with nginx configured to forward HTTPS traffic securely to the running Docker Registry (i.e. docker-compose) instance on a private network (with DNS and DHCP configured).
I have the entire setup working as expected, but had to create self-signed certificates as I'm not permitted to use "Let's Encrypt" (hard requirement). I've deployed the .crt file to /usr/local/share/ca-certificates on all the Ubuntu hosts on my network, and updated the certificate store (i.e. via sudo update-ca-certificates -f).
However, even though the certificate is "trusted" (from the step above), the certificate is still registered as "self-signed", and the only way I can get Docker Registry working fully is by creating a file, /etc/docker/daemon.json, with the following contents (assuming my Docker Registry instance is running on the registry host on my LAN domain):

{
  "insecure-registries" : [ "registry.lan:5000" ]
}
This causes some functionality to break (i.e. there are some plugins that won't work if "insecure registries" are enabled).
Question
How can I configure my private network (i.e. assuming it isn't even connected to the internet most of the time) so that all machines on the network "fully trust" the certificate (i.e. so the cert is "publicly trusted" amongst hosts on the local network)? i.e. what command can I run or config file can I tweak?
This seems like a possible solution: create a CA plus server key on my private network.
Thank you.
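An added example (not from the question, and not Docker's own tooling) of the "create a CA plus server key" approach mentioned above: it builds a private CA, issues a CA-signed certificate for the registry that carries a subjectAltName, verifies it the way a TLS client would, and stages the CA under the per-registry trust path dockerd reads (/etc/docker/certs.d/<host:port>/ca.crt), which is what lets the registry come out of "insecure-registries". The host name registry.lan:5000, the output directories and OpenSSL 1.1.1+ are assumptions.

```shell
#!/usr/bin/env bash
# Added example: private CA + CA-signed server cert for a Docker registry.
# Assumptions: registry.lan:5000 (from the question), OpenSSL 1.1.1 or newer.
set -euo pipefail

# make_private_ca OUTDIR: CA key (mode 0600) and a self-signed CA cert with CA:TRUE.
make_private_ca() {
  local out="$1"
  mkdir -p "$out"
  openssl req -new -newkey rsa:4096 -nodes -keyout "$out/ca.key" -out "$out/ca.csr" \
    -subj "/CN=Private Lab CA" 2>/dev/null
  chmod 600 "$out/ca.key"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$out/ca.ext"
  openssl x509 -req -in "$out/ca.csr" -signkey "$out/ca.key" -days 3650 -sha256 \
    -extfile "$out/ca.ext" -out "$out/ca.crt" 2>/dev/null
}

# issue_server_cert OUTDIR HOST: leaf cert for HOST signed by the CA. The SAN is the part
# that matters: Go-based clients such as dockerd match the host against subjectAltName, not CN.
issue_server_cert() {
  local out="$1" host="$2"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out/$host.key" -out "$out/$host.csr" \
    -subj "/CN=$host" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nauthorityKeyIdentifier=keyid,issuer\n' \
    "$host" > "$out/$host.ext"
  openssl x509 -req -in "$out/$host.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$out/$host.ext" -out "$out/$host.crt" 2>/dev/null
}

# verify_for_host OUTDIR HOST: returns 0 only if the leaf chains to ca.crt AND its SAN
# matches HOST, i.e. the same two checks a TLS client performs before trusting the registry.
verify_for_host() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/$2.crt" >/dev/null 2>&1
}

# install_ca_for_docker OUTDIR PREFIX HOSTPORT: copy the CA cert (never the key) to the
# per-registry trust path dockerd reads, <PREFIX>/etc/docker/certs.d/<host:port>/ca.crt.
# PREFIX is "" on a real host (needs root); a staging dir lets you inspect the layout first.
install_ca_for_docker() {
  local dir="$2/etc/docker/certs.d/$3"
  mkdir -p "$dir"
  install -m 0644 "$1/ca.crt" "$dir/ca.crt"
  echo "$dir/ca.crt"
}

# Usage on a client host (as root):
#   make_private_ca ./pki; issue_server_cert ./pki registry.lan
#   verify_for_host ./pki registry.lan && install_ca_for_docker ./pki "" registry.lan:5000
```

The registry.lan.key and registry.lan.crt files go to the nginx front end; only ca.crt is distributed to clients, so the registry can then be dropped from daemon.json's "insecure-registries".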