Is it a Good Idea to Use Internal DNS for a Private Docker Registry?

Asked By CuriousCoder92 On

Hey everyone! I'm working on setting up some CI/CD tools at my company and need your opinions on something. I'm trying to set up a Docker registry, and I've been considering two options: either create an SSL certificate for it or add it to Docker's insecure hosts whitelist. I reached out to the sysadmins for a DNS server, thinking it would be simpler than using the server's IP addresses, but they only want to provide me with "*.domain.local" DNS servers. This setup complicates things because I can't generate a signed certificate that would work across all VMs. I believe I'd need to establish my own Certificate Authority (CA) for the registry.company.local domain, which would involve installing that CA on every machine. Some applications, like Oracle Java and Python requests, have their own certificate authority registries, which adds to the challenge. To overcome these hurdles, I thought about getting a signed wildcard certificate for a non-existent domain like *.intra.company.com from a recognized CA but using it internally. However, the support team is hesitant to proceed with this, fearing it might cause issues. I'm curious to know if there are problems with this approach or if there's a better solution out there.

1 Answer

Answered By TechieTinker On

If it's just for internal use, why not get a certificate signed by your organization's CA? I understand the reluctance to issue a wildcard certificate, though, as that's generally considered bad practice.

RegistryRunner -

I see your point about the wildcard being a bad idea. My goal is to remove the need to install a CA on every machine due to some apps using their own certificate store. I envisioned it like this: having registry.intra.company.com point to a local IP in the DNS, with no public record available, and then securing it with a certificate from a trusted CA.
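To make the two options in the thread concrete, here is an added shell example (not code from either poster) that mints an internal CA, issues a registry certificate with a subject alternative name, verifies the chain, and writes out both the per-registry trust directory Docker honours and the "insecure-registries" alternative. The host name registry.company.local and the working directory are assumptions for illustration; a real deployment would keep the CA key off the build hosts.

```shell
#!/usr/bin/env bash
# Added example: internal CA + SAN certificate for a private Docker registry,
# with the two daemon-side trust choices side by side. The host name and
# directories below are assumptions, not values from the original thread.
set -eu

WORK="${WORK:-$(mktemp -d)}"
REGISTRY_HOST="registry.company.local"   # assumed internal name

# 1. Self-signed internal CA (10 years). Keep ca.key offline in practice.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Company Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Leaf certificate for the registry. Modern Docker, Java and Python
#    clients match the subjectAltName, not the CN, so the SAN is required.
make_registry_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$REGISTRY_HOST" \
    -keyout "$WORK/registry.key" -out "$WORK/registry.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$REGISTRY_HOST" > "$WORK/san.ext"
  openssl x509 -req -days 365 -in "$WORK/registry.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/registry.crt" 2>/dev/null
}

# 3. Confirm the leaf chains to the CA and carries the expected SAN.
verify_registry_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/registry.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/registry.crt" -noout -text > "$WORK/registry.txt" 2>/dev/null
  grep -q "DNS:$REGISTRY_HOST" "$WORK/registry.txt"
}

# 4a. Trust the CA only for this registry: Docker reads
#     /etc/docker/certs.d/<host>[:port]/ca.crt, no daemon restart needed.
#     $WORK stands in for / here so the example stays self-contained.
install_docker_trust() {
  certsd="$WORK/etc/docker/certs.d/$REGISTRY_HOST"
  mkdir -p "$certsd"
  cp "$WORK/ca.crt" "$certsd/ca.crt"
}

# 4b. The "insecure hosts whitelist" route: TLS verification is switched off
#     for that host, so a pulled image cannot be tied to the real registry.
write_insecure_daemon_json() {
  mkdir -p "$WORK/etc/docker"
  printf '{\n  "insecure-registries": ["%s"]\n}\n' "$REGISTRY_HOST" \
    > "$WORK/etc/docker/daemon.json"
}
```

Run it by sourcing the file and calling `make_ca`, `make_registry_cert`, then `verify_registry_cert`; the last returns non-zero if the chain or SAN check fails. The certs.d route in 4a is the one that keeps the Docker daemon's own verification intact. It does not help the applications the comment mentions: Python requests reads its own bundle unless pointed at the CA with `REQUESTS_CA_BUNDLE=/path/to/ca.crt`, and a JVM needs the CA imported with `keytool -importcert -cacerts -alias company-ca -file ca.crt` (or a per-application truststore), which is exactly the per-machine work the question is trying to avoid.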
