Certificate_create.certificate: Unable to parse certificate when using local small step certificate authority

I am trying to create a custom app using an image I pushed to my truenas app forgejo. I can see the package within the forgejo GUI. However when I go to use it in Apps > Install via YAML, I see this error message: Please check /var/log/app_lifecycle.log for more details

app_lifecycle.log shows me this: tls: failed to verify certificate: x509: certificate signed by unknown authority

So then I go to Apps > Configuration > Sign-in to a Docker Registry and use the same url and credentials I used locally to tag and push the image successfully to forgejo instance. The error I receive in the Docker Registry is:

error:

[EINVAL] app_registry_create.uri: Invalid credentials for registry
middlewared.service_exception.ValidationErrors: [EINVAL] app_registry_create.uri: Invalid credentials for registry

from TrueNAS shell:

$ sudo docker login forgejo-truenas.example.com
Username: username
Password: ***************
Error response from daemon: Get "https://forgejo-truenas.example.com/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

So then I decide I need to add my local CA, created by small-step, which I use as a self-sign certificate authority. I seem to be able to add my Certificate Authority using the root.crt file when I paste the contents.

When I go to add the certificate & key that was generated by Traefik and Small Step CA, I see these errors in Add Certificates:

[EINVAL] certificate_create.certificate: Not a valid certificate
[EINVAL] certificate_create.privatekey: A valid private key is required, with a passphrase if one has been set.
[EINVAL] certificate_create.certificate: Unable to parse certificate

I am using both small step CA and Traefik to request and sign the certificates, which I can use in my local browsers for forgejo and all other applications.

TL;DR: I’m trying to use a custom docker image in a custom truenas app. However I cannot connect to the forgejo registry to retrieve the image because the locally signed Cert & CA aren’t valid in the eyes of TrueNAS.

I am able to:

  • add my small step CA using the public key only
  • access forgejo instance via the https url
  • login to the forgejo docker registry via local terminal, outside of TrueNas
  • build, tag, and push my image to forgejo - I can see it as a package in the GUI

I am unable to:

  • add my small step CA with both public and private key
  • add the certificate & key from the step-ca-acme.json entry
  • login to the forgejo docker registry via truenas shell or add it via the Docker Registries under Apps

Hi there. First ever post on here. I was searching for my problem, and found your post.

Have you considered defining your repo to /etc/docker/daemon.json within the ‘insecure-repositories’?

I’m just going through the process of configuring my TrueNAS server to accept my (also on TrueNAS) Gitea repository, found your post, and this is what I’ve had to do to get the Docker within TrueNAS to accept my http (not https) repo.

It’s located at: /etc/docker/daemon.json

e.g. right now, I’m adding this to mine:

"insecure-registries": [ "192.168.100.10:30008" ],

Tip: Once you’ve edited the file, you can validate it via:

python3 -m json.tool /etc/docker/daemon.json

Once it’s added and validated, just restart the Docker daemon, and try again.

Caveats:

  • I’m one of those CISSP cyber guys, and I’m assuming you may be happy taking a “risk: accepted” stance around implementing a https validating exclusion around your host.
  • I’m working on the assumption that the ‘insecure-repositories’ means, in your instance, it will skip cert validation of the host.
  • If you’re not comfortable bypassing cert checks, this isn’t for you and apologies!

I’ve just done the above, restarted my docker daemon, added my local repo in to TrueNAS as an ā€˜other’ Docker registry, and it’s now successfully showing in the UI and no longer gives the error you referenced.
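An added helper for the daemon.json step described above (example code, not from the thread or from TrueNAS): it adds a registry to "insecure-registries" without clobbering the other keys in the file, refuses anything broader than a single host[:port], and emits JSON that `python3 -m json.tool` will accept unchanged. The file path is taken from the reply; the sample config is constructed. Every host in that list is one for which dockerd skips certificate verification, so the list should name exactly the registries intended and nothing wider.

```python
import json
import re

# Path taken from the reply above; assumed to be where TrueNAS keeps dockerd's config.
DAEMON_JSON = "/etc/docker/daemon.json"

# host[:port] or IPv4[:port] only. Wildcards and CIDR ranges are rejected on purpose
# so the TLS-verification exemption stays scoped to one registry.
_REGISTRY_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def add_insecure_registry(config_text: str, registry: str) -> str:
    """Return daemon.json text with `registry` added to "insecure-registries".

    Idempotent: an existing entry is not duplicated, and every other key in the
    file is preserved. Raises ValueError on malformed JSON or registry syntax.
    """
    if not _REGISTRY_RE.match(registry):
        raise ValueError(f"not a host[:port] registry address: {registry!r}")
    # An empty or missing file is equivalent to "{}" for dockerd.
    config = json.loads(config_text) if config_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    registries = config.setdefault("insecure-registries", [])
    if not isinstance(registries, list):
        raise ValueError('"insecure-registries" must be a JSON array')
    if registry not in registries:
        registries.append(registry)
    # json.dumps output round-trips through `python3 -m json.tool` without changes.
    return json.dumps(config, indent=2) + "\n"


def insecure_registries(config_text: str) -> list:
    """List the hosts for which dockerd will skip TLS certificate verification."""
    config = json.loads(config_text) if config_text.strip() else {}
    return list(config.get("insecure-registries", []))


if __name__ == "__main__":
    # Constructed sample: a daemon.json that already carries an unrelated setting.
    sample = '{"log-driver": "json-file"}'
    updated = add_insecure_registry(sample, "192.168.100.10:30008")
    print(updated)
    print("exempt from TLS verification:", insecure_registries(updated))
```

After writing the result to the file, restart the Docker daemon as the reply says, since dockerd reads daemon.json only at start.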

Thanks for the reply. I’m hoping to try and implement what I need from this blog. It appears to address most of what I’m trying to have in place to enable the use of the container registry.
