Configuring local registry with self-signed certificate

I think the problem is that you didn't copy the certificate and key in the /etc/docker/certs.d/ folder.

The folder should look like this:

/etc/docker/certs.d/└── openmpi-dockerregistry.local:443   ├── client.cert   ├── client.key   └── ca.crt

In my case I had no ca.crt and it worked fine.

Reference: https://docs.docker.com/engine/security/certificates/

I implemented your setup on my machine, everything worked fine after I copied domain.key and domain.crt (and renamed them) in the /etc/docker/certs.d folder. The only difference was that I used openmpi-dockerregistry as a domain instead of openmpi-dockerregistry.local

You need to edit your /etc/ssl/openssl.cnf to have the FQDN (openmpi-dockerregistry.local) and the IP address in the IP SANs list.Add as follows:

[ v3_ca ]# Extensions for a typical CAsubjectAltName = @alt_names[ alt_names ]IP.1 = <IP>DNS.1 = openmpi-dockerregistry.local

Now generate the cert using the following command:

openssl req -config /etc/ssl/openssl.cnf \                                   -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \  -x509 -days 365 -out certs/domain.crt \  -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=openmpi-dockerregistry.local"

Check whether the cert has the IP and the DNS in the IP SANs list with this command:

openssl x509 -in domain.crt -text -noout

You should see something like this in the output if all went right:

X509v3 extensions:            X509v3 Subject Alternative Name:                IP Address:<IP>, DNS:openmpi-dockerregistry.local

Now copy this cert in the client docker certs directory in the following location:

/etc/docker/certs.d/openmpi-dockerregistry.local/ca.crt

You should be good now.

I had the same problem. Turned out I did not add a CN or Common Name when creating the cert. I remade the certs, remembering to include the CN, restarted the registry, and recopied the cert over to the other nodes. This solved my problem.