[SOLVED] Add Trusted CA
#1
Hello,

How is it possible to add a trusted CA to the NetPi (Portainer.io)? That is needed because it accepts containers only from trusted repositories.

Best Regards
PBulach
#2
Hello,

the portainer.io version used on netPI today, or rather the installed Docker version, accepts any kind of repository that is trusted. How to create a local installation yourself is described in this forum topic here: https://www.netiot.com/de/forum/?tx_typo...a5add99dd2
"You never fail until you stop trying.", Albert Einstein (1879 - 1955)

#3
Hello Armin,

that is exactly the post my question comes from.
There is the following written:
"netPI pulls images from trusted Docker registry servers only. Trusted servers provide a trusted certificate from an official Certificate Authority (CA) to rely on its digital signature."
From my point of view it is needed to add own CAs, because the way you describe is not a real way for an air-gapped datacenter. My information says that the certificate from LetsEncrypt will expire after 80 days.

The question is still open:
How is it possible to add a trusted CA to the NetPi (Portainer.io)?

Thank you.
#4
Hello again,

today in portainer you specify the image to be loaded by its image name, right? Right next to the box where you enter the image name you have another box named Registry. If you keep it empty, portainer.io respectively Docker will automatically load an image from Docker Hub. This is the standard way.

Supposing you now have a personal and local repository server running at 192.168.20.1:5000, then you can enter this server with its IP address along with its port into the empty registry box instead. In this case portainer.io and Docker will pull the image from this server instead. The current portainer.io version we have used on netPI does not offer to handle registries in lists like today's version. So you have to enter them manually when you want to create or pull the container.

I agree that your server needs a certificate that lasts longer than 80 days. This is why in future we plan to enable Docker to pull images also from untrusted registries. But this feature cannot be provided by portainer.io and needs a separate place to enter it within the Edge Gateway Manager of netPI. But we are not in the state to provide this feature yet.

#5
Hello again,

why not add a possibility in the Edge Gateway Manager of netPi to add CAs?

I think that would be a normal feature of a device. This could be done on Windows (also as User!), Android, iPhone, Windows Mobile,...

Because an untrusted registry is also not the best for an air-gapped datacenter, as it could not be verified whether there is a man in the middle...
#6
But why is that necessary? I have a local server at home in my local network running under Linux. It is set up as a Docker repository and I gave it a CA-trusted certificate. Without touching my netPI at all it loads my images from this local server without any problem because it recognizes the trusted CA certificate. The only thing I have to do is to enter the local server address when I am creating the container.

Armin
#7
Hello,
Maybe I misunderstand something, but how do you get a certificate from an official CA for a local machine with the name, for example, "NetPiDeployment"?
One which will not expire after a few days, which does not require a DynDNS domain and so on.
There are from my point of view many different situations at our customers,
e.g.
- there are many big companies which have their own CA (and get certificates for the machines from them); or is that also an "official" CA for you?
- there are companies which have their own CA, but do not get certificates from them for the machine (some restrictions from their IT department)
- companies without their own CA.

From my point of view you need for all 3 cases the possibility to add the CA (maybe the self-created one or the CA from the customer; at least when you have a machine which needs to use the certificate from the customer).

Or do I misunderstand something about the CA and your "official" trusted statement?
#8
Yes, you misunderstood it. When netPI wants to pull an image from a repository server, then this server needs to reply with a certificate that is trusted and cross-signed by a CA. So the CA signature is a thing the server has to guarantee, not netPI. It is like you go to an https:// supported web site and your browser reports "this site is insecure". Usually in your browser you have to trust it anyway or decline. With netPI as it is implemented today, you can't select to trust it anyway even if it is not authorized by a CA.

My example just shows you how you get a CA for a server for free. Of course if you want to have a long term CA certificate you have to get a certificate from https://www.globalsign.com/en/certificat...t-signing/ for example that lasts 10 years. But this is a matter of costs.

We understood the demand that Docker has to trust also untrusted repos ... then it is like you accept in your browser to continue to load an untrusted https:// web site. But at the moment we don't have it.

Thx
armin
#9
Hello Armin,

Sorry, but you say what I mean more or less.

In the browser (or the OS) you could also add an additional trusted CA (not just a certificate). And in many companies the "company CA" gets added by their IT departments at PC deployment or over policies.

When do you think it will be possible to add a trusted CA to the netPI? As you mention, this feature is missing.
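The disagreement in posts #7 to #9 comes down to which CAs the pulling device trusts. The script below is an added example and not code from the netPI forum or from Hilscher; it uses the openssl CLI to build a constructed private CA, issue a certificate for a registry host named "NetPiDeployment" at the constructed address 192.168.20.1, and then validate that certificate once against a trust store holding the company CA and once against a trust store holding a different CA. The CA names, host name, address and file layout are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the netPI thread): a registry certificate issued by a
# company's own CA verifies only for a client whose trust store contains that CA.
# All names and addresses below are constructed for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Create a self-signed CA certificate: $1 is the file prefix, $2 the CA name.
make_ca() {
  prefix="$1"; name="$2"
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$prefix.key" -out "$WORK/$prefix.crt" \
    -subj "/CN=$name" -days 3650 >/dev/null 2>&1
}

# Issue a server certificate for the local registry host, signed by the company CA.
issue_registry_cert() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/registry.key" -out "$WORK/registry.csr" \
    -subj "/CN=NetPiDeployment" >/dev/null 2>&1
  # End-entity extensions: not a CA, valid for the host name and its address.
  cat > "$WORK/registry.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectAltName = DNS:NetPiDeployment,IP:192.168.20.1
EOF
  openssl x509 -req -in "$WORK/registry.csr" -CA "$WORK/company-ca.crt" \
    -CAkey "$WORK/company-ca.key" -CAcreateserial -days 365 \
    -extfile "$WORK/registry.ext" -out "$WORK/registry.crt" >/dev/null 2>&1
}

# Validate the registry certificate against one trust store (a CA bundle file).
# Prints "trusted" or "untrusted"; this is the decision a Docker client makes
# before it pulls from a registry.
verify_registry_cert() {
  bundle="$1"
  if openssl verify -CAfile "$bundle" "$WORK/registry.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca company-ca "Example Company Private CA"
make_ca other-ca "Some Other CA"
issue_registry_cert

# Trust store with the company CA: the registry certificate verifies.
result_with_company_ca="$(verify_registry_cert "$WORK/company-ca.crt")"
# Trust store with a different CA only: the same certificate is rejected.
result_with_other_ca="$(verify_registry_cert "$WORK/other-ca.crt")"

echo "with company CA in trust store:  $result_with_company_ca"
echo "with only another CA trusted:    $result_with_other_ca"
```

The certificate does not change between the two checks; only the trust store does. That is why a customer-issued certificate is fine for a device where the company CA can be installed, and why it is rejected by a device that ships with a fixed set of public CAs and no way to add one. On a standard Docker host the company CA would be dropped into /etc/docker/certs.d/<registry host:port>/ca.crt for exactly this purpose; the thread's point is that netPI offered no such place at the time.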
#10
So I got your point now.

Today I am not able to provide any timeline. We have the PKI handling on our roadmap, but not for this quarter of the year.

I will not promise too much, but I see this coming not before the end of the 2nd quarter (end of June) of this year.

Thx
Armin