Hi Ben,
This is the result of the command.
[root@PC1 ~]# openssl s_client -connect 172.16.28.30:5000
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = eg, ST = eg, L = eg, O = eg, OU = eg, CN = 172.16.28.30, emailAddress = eg
verify error:num=18:self signed certificate
verify return:1
depth=0 C = eg, ST = eg, L = eg, O = eg, OU = eg, CN = 172.16.28.30, emailAddress = eg
verify return:1
---
Certificate chain
0 s:C = eg, ST = eg, L = eg, O = eg, OU = eg, CN = 172.16.28.30, emailAddress = eg
i:C = eg, ST = eg, L = eg, O = eg, OU = eg, CN = 172.16.28.30, emailAddress = eg
---
Server certificate
subject=C = eg, ST = eg, L = eg, O = eg, OU = eg, CN = 172.16.28.30, emailAddress = eg
issuer=C = eg, ST = eg, L = eg, O = eg, OU = eg, CN = 172.16.28.30, emailAddress = eg
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2313 bytes and written 382 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 24398E5614BBCF01EB1D641E2D9A5736A097CD7012E98FB91FC1D4F8E52524B5
Session-ID-ctx:
Master-Key: 4ED3A19581565AC63ABF4819423812BE942E109588F303001C529670AC769CF261A36E1BF04184591BFB9C66673EF89A
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
Start Time: 1636870378
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
------------------------------
Omar Darweesh
------------------------------
Original Message:
Sent: Mon November 08, 2021 08:02 AM
From: Ben Lurie
Subject: configuration test failed for custom apps that using private repository.
When you run the following command on the AppHost:
openssl s_client -connect 172.16.28.30:5000
Does it show all the expected certificates?
Ben
------------------------------
Ben Lurie
Original Message:
Sent: Mon November 08, 2021 05:04 AM
From: Omar Darweesh
Subject: configuration test failed for custom apps that using private repository.
Hi Ben,
Thanks for your reply.
Actually, I created the certificate and passed it to the container during building.
I created the certificate using the following commands:
mkdir -p /certificates
cd certificates
openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout domain.key \
  -x509 -days 365 -out domain.crt
Then I created the container using the certificate I generated in the previous step.
sudo docker run -d -p 5000:5000 --restart=always --name registry \
  -v /certificates:/certificates \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certificates/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certificates/domain.key \
  registry:2
------------------------------
Omar Darweesh
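
Added example (not part of the thread): a throwaway certificate built the same way as above, showing that a self-signed certificate fails verification, as in the "num=18" result, unless that same certificate is supplied as the trust anchor, and whether it carries an IP subjectAltName for the address in its CN. The function names, the temporary directory and the 2048-bit key are assumptions of this sketch; -addext assumes OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Constructed lab certificates only; nothing here contacts the registry.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
IP=172.16.28.30   # address from the thread, used only as a certificate name

# make_cert <name> [extra "openssl req" args]: self-signed cert with CN=$IP.
# 2048-bit key instead of the thread's 4096 so the demo runs quickly.
make_cert() {
  name=$1; shift
  openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
    -subj "/CN=$IP" -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
    "$@" 2>/dev/null
}

# trusted <cert> [anchor]: succeeds only if <cert> chains to a trust anchor.
# Without an anchor the default store is used, which has never seen this cert.
trusted() {
  if [ $# -eq 2 ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

# names_ip <cert>: succeeds only if an IP subjectAltName equals $IP.
# The CN is not consulted for IP checks, so a CN-only cert does not match.
names_ip() {
  openssl x509 -in "$1" -noout -checkip "$IP" 2>/dev/null | grep -q 'does match'
}

make_cert cn_only                                   # as in the thread: no SAN
make_cert with_san -addext "subjectAltName=IP:$IP"  # same, plus an IP SAN

for c in cn_only with_san; do
  trusted "$WORK/$c.crt" && d=yes || d=no
  trusted "$WORK/$c.crt" "$WORK/$c.crt" && a=yes || a=no
  names_ip "$WORK/$c.crt" && s=yes || s=no
  echo "$c: default-store=$d self-as-anchor=$a ip-san=$s"
done
```

Each client verifies against its own trust store, so a certificate that one tool accepts can still be unknown to another on the same host.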
Original Message:
Sent: Fri November 05, 2021 08:37 AM
From: Ben Lurie
Subject: configuration test failed for custom apps that using private repository.
I'm not an expert in configuring AppHost with self-signed certificates. But some thoughts:
I'm wondering if you need additional certificate information for your situation? Do you have an intermediate or root certificate that needs to be imported?
You may want to use openssl to view the certificate information:
openssl s_client -connect 172.16.28.30:5000
And see what comes out.
Ben
------------------------------
Ben Lurie
Original Message:
Sent: Thu November 04, 2021 11:50 AM
From: Omar Darweesh
Subject: configuration test failed for custom apps that using private repository.
Hello Guys,
I am trying to install my developed app on IBM SOAR version 42.
I created a private repository separately from the APP HOST and IBM SOAR.
I followed the guide at this link: https://www.ibm.com/docs/en/rsoa-and-rp/42?topic=repository-configuring-private
I located the self-signed certificate of the registry in this path, "/etc/pki/ca-trust/source/anchors", and then used the update command "update-ca-trust extract",
but I receive the following error:
ErrImagePull: rpc error: code = Unknown desc = failed to pull and unpack image "172.16.28.30:5000/ibmresilient/nour_nono:1.0.1": failed to resolve reference "172.16.28.30:5000/ibmresilient/nour_nono:1.0.1": failed to do request: Head https://172.16.28.30:5000/v2/ibmresilient/nour_nono/manifests/1.0.1: x509: certificate signed by unknown authority
When I use the curl command from the app host server to the specified URL, it connects successfully without the need to ignore the certificate:
curl https://172.16.28.30:5000/v2/ibmresilient/nour_nono/manifests/1.0.1
So I kindly need your support for this.
------------------------------
Omar Darweesh
------------------------------