Advanced Topics

Overview

Using a Self-signed SSL Certificate

You can use self-signed SSL certificates with docker push/pull commands, however for this to work, you need to specify the --insecure-registry daemon flag for each insecure registry.

For full details see Docker documentation.

For example, if you are running Docker as a service, edit the /etc/default/docker file, and append the --insecure-registry flag with your registry URL to the DOCKER_OPTS variable as in the following example:

Edit the DOCKER_OPTS variable

DOCKER_OPTS="-H unix:///var/run/docker.sock --insecure-registry artprod.company.com"

For this to take effect, you need to restart the Docker service.

If you are using Boot2Docker, refer to the Boot2Docker documentation for Insecure Registry.

If you do not make the required modifications to the --insecure-registry daemon flag, you should get the following error:

Error message

v2 ping attempt failed with error: Get https://artprod.company.com/v2/: x509: cannot validate certificate for artprod.company.com because it doesn't contain any IP SANs

Using Your Own Certificate

The NGINX configuration provided with Artifactory out-of-the-box references the internally bundled certificate and key which you may replace with your own certificate and key.

For details, see Managing TLS Certificates.Manage TLS Certificates

Setting Your Credentials Manually

If you are unable to log in to Docker, you may need to set your credentials manually.

The Docker command line tool supports authenticating sensitive operations, such as push, with the server using basic HTTP authentication.

To enforce authenticated access to docker repositories you need to provide the following parameters to the Docker configuration file.

The Docker endpoint URL (must use HTTPS for basic authentication to work)
Your Artifactory username and password (formatted username:password) as Base64 encoded strings
Your email address

You can use the following command to get these strings directly from Artifactory and copy/paste them into your ~/.dockercfg file:

sudo

If you are using Docker commands with "sudo" or as a root user (for example after installing the Docker client), note that the Docker configuration file should be placed under /root/.dockercfg

Getting .dockercfg entries directly from Artifactory

$ curl -uadmin:password "https://artprod.company.com/<v1|v2>/auth"
{
 "https://artprod.company.com" : {
   "auth" : "YWRtaW46QVA1N05OaHZTMnM5Qk02RkR5RjNBVmF4TVFl",
   "email" : "admin@email.com"
 }
}

The Docker configuration file may contain a separate authentication block for each registry that you wish to access.

Below is an example with two URL endpoints:

{
        "https://artprod.company.com": {
                "auth":"YWRtaW46cGFzc3dvcmQ=",
                "email":"myemail@email.com"
        },
        "https://artprod2.company.com": {
                "auth":"YWRtaW46cGFzc3dvcmQ=",
                "email":"myemail@email.com"
        }
}

Authenticating via OAuth

Artifactory supports authentication of the Docker client using OAuth through the default GitHub OAuth provider. When authenticating using OAuth you will not need to provide additional credentials to execute docker login with Artifactory.

To set up OAuth authentication for your Docker client, execute the following steps:

Under General OAuth SettingsOAuth SSO, make sure Auto Create Users is selcted to make sure a user record is created for you the first time you log in to Artifactory with OAuth.
Log in to Artifactory with OAuth using your Git Enterprise account

Once you are logged in to Artifactory through your Git Enterprise OAuth account, your Docker client will automatically detect this and use OAuth for authentication, so you do not need to provide additional credentials.