@anokun7
Last active January 19, 2020 06:47
Installing DTR on Ubuntu / Debian
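# Import the signing key for the Docker package repository
wget -qO- 'https://pgp.mit.edu/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e' | sudo apt-key add --import
# Allow apt to fetch packages over HTTPS
sudo apt-get update && sudo apt-get install apt-transport-https
# Install the extra kernel packages, which provide the aufs storage driver
sudo apt-get install -y linux-image-extra-virtual
sudo apt-get install -y linux-image-extra-$(uname -r)
# Reboot into the kernel with the extra modules, then continue
sudo reboot
# Add the Docker 1.9 apt repository and install the engine
echo "deb https://packages.docker.com/1.9/apt/repo ubuntu-trusty main" | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt-get update && sudo apt-get install docker-engine
# Let the ubuntu user run docker without sudo (docker group membership is root-equivalent)
sudo usermod -aG docker ubuntu
newgrp docker
# Check the installation
docker info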

The output should show aufs as the storage driver:

Containers: 0
Images: 0
Server Version: 1.9.1-cs3
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 0
 Dirperm1 Supported: false
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 3.13.0-74-generic
Operating System: Ubuntu 14.04.2 LTS
CPUs: 2
Total Memory: 3.859 GiB
Name: ip-172-31-57-92
ID: Z3QF:VEAS:KTU6:4EHI:TVU7:ZXGV:FWJT:6BAB:7Y6H:KE2S:TORB:VGQP
WARNING: No swap limit support

Installing DTR

sudo bash -c "$(sudo docker run docker/trusted-registry install)"

On clients, set up certs:

export DOMAIN_NAME=dtr.thedomain.com
openssl s_client -connect $DOMAIN_NAME:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee /usr/local/share/ca-certificates/$DOMAIN_NAME.crt
sudo update-ca-certificates
sudo service docker restart

Play

docker login $DOMAIN_NAME
Username: devuser
Password:
Email:
WARNING: login credentials saved in /home/ubuntu/.docker/config.json
Login Succeeded
ubuntu@ip-172-31-57-92:~$ cat /home/ubuntu/.docker/config.json
{
	"auths": {
		"ec2-54-88-124-203.compute-1.amazonaws.com": {
			"auth": "ZGV2dXNlcjpQYXNzd29yZDEyMw==",
			"email": ""
		}
	}
}
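
The client step above trusts whatever certificate the server presents on that one connection. The following is an added example, not part of the original gist: it keeps only the server certificate from saved `openssl s_client -showcerts` output and installs it only when its SHA-256 fingerprint matches a value obtained out-of-band. The function names are hypothetical and the sample capture is constructed (its PEM bodies are base64 test strings, not real certificates).

```shell
#!/usr/bin/env bash
# Added example: check a fetched registry certificate against an out-of-band
# SHA-256 pin before trusting it. Function names are hypothetical.

# Print only the first PEM block (the server's own certificate) from
# `openssl s_client -showcerts` output on stdin, dropping handshake text.
extract_leaf_pem() {
  awk '
    /^-----BEGIN CERTIFICATE-----/          { inside = 1 }
    inside                                  { print }
    inside && /^-----END CERTIFICATE-----/  { exit }
  '
}

# A certificate's SHA-256 fingerprint is the hash of its DER bytes, which are
# the base64-decoded PEM body. Prints lowercase hex; fails on an empty or
# undecodable body.
pem_sha256() {
  local der
  der=$(mktemp) || return 1
  if grep -v '^-----' "$1" | base64 -d > "$der" 2>/dev/null && [ -s "$der" ]; then
    sha256sum < "$der" | cut -d' ' -f1
    rm -f "$der"
  else
    rm -f "$der"
    return 1
  fi
}

# Accept "AA:BB:..." (openssl style) or plain hex, in either case.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# install_pinned_cert <s_client_capture> <expected_sha256> <dest>
# Returns 2 if no certificate was found, 3 on a pin mismatch.
install_pinned_cert() {
  local capture="$1" expected dest="$3" tmp actual rc=0
  expected=$(normalize_fp "$2")
  tmp=$(mktemp) || return 1
  extract_leaf_pem < "$capture" > "$tmp"
  if ! actual=$(pem_sha256 "$tmp"); then
    echo "no usable certificate in $capture" >&2
    rm -f "$tmp"; return 2
  fi
  if [ "${#expected}" -ne 64 ] || [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch: server presented $actual" >&2
    rm -f "$tmp"; return 3
  fi
  install -m 0644 "$tmp" "$dest" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Constructed sample in the shape of s_client output. The PEM bodies are the
# base64 of "foobar" and "fooba", not real certificates.
sample_capture() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=dtr.example.test
   i:/CN=dtr.example.test
-----BEGIN CERTIFICATE-----
Zm9vYmFy
-----END CERTIFICATE-----
 1 s:/CN=Example Test CA
   i:/CN=Example Test CA
-----BEGIN CERTIFICATE-----
Zm9vYmE=
-----END CERTIFICATE-----
---
    Verify return code: 18 (self signed certificate)
EOF
}

demo() {
  local dir pin
  dir=$(mktemp -d) || return 1
  sample_capture > "$dir/capture.txt"
  # Stand-in for the fingerprint the registry administrator would supply.
  extract_leaf_pem < "$dir/capture.txt" > "$dir/leaf.pem"
  pin=$(pem_sha256 "$dir/leaf.pem")
  install_pinned_cert "$dir/capture.txt" "$pin" "$dir/ca.crt" \
    && echo "pin matched: certificate installed"
  install_pinned_cert "$dir/capture.txt" "$(printf '%064d' 0)" "$dir/bad.crt" \
    || echo "pin mismatch: nothing installed"
  rm -rf "$dir"
}
demo
```

In real use the capture comes from the `openssl s_client -connect $DOMAIN_NAME:443 -showcerts </dev/null` command already used above, and the expected value from running `openssl x509 -noout -fingerprint -sha256` against the certificate on the DTR host itself.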
anokun7 commented Mar 26, 2016

With DOCKER_CONTENT_TRUST

[ec2-user@ip-10-0-46-112 ~]$ DTR_HOST=ec2-54-174-154-122.compute-1.amazonaws.com
[ec2-user@ip-10-0-46-112 ~]$ mkdir -p ~/.docker/tls/$DTR_HOST ; openssl s_client -showcerts -connect $DTR_HOST:443 2>/dev/null < /dev/null | openssl x509 -outform PEM 2>/dev/null > ~/.docker/tls/$DTR_HOST/ca.crt
[ec2-user@ip-10-0-46-112 ~]$ echo $DTR_HOST
ec2-54-174-154-122.compute-1.amazonaws.com

[ec2-user@ip-10-0-46-112 ~]$ cat ~/.docker/tls/$DTR_HOST/ca.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[ec2-user@ip-10-0-46-112 ~]$ docker push ec2-54-174-154-122.compute-1.amazonaws.com/enterprise-apps/nginx:v0.1.18-signed
The push refers to a repository [ec2-54-174-154-122.compute-1.amazonaws.com/enterprise-apps/nginx]
5f70bf18a086: Layer already exists
3f3324023e75: Layer already exists
f0d7d68f89e5: Layer already exists
917c0fc99b35: Layer already exists
v0.1.18-signed: digest: sha256:9a8aaa97409904b2d29ab9963c5ced35113935bf15fd1eb327ae5a17ea14927b size: 5676
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID dd15906:

anokun7 commented Mar 26, 2016

524 anoop ~  [0]$>> ssh d2
Last login: Thu Mar 24 20:48:33 2016 from ip72-219-205-196.dc.dc.cox.net
[ec2-user@ip-10-0-46-112 ~]$ docker ps
CONTAINER ID        IMAGE                    COMMAND                  CREATED             STATUS              PORTS                     NAMES
a18eb6e289c1        docker/ucp-swarm:1.0.1   "/swarm join --discov"   28 hours ago        Up 28 hours         2375/tcp                  ucp-swarm-join
02fff790dca3        docker/ucp-proxy:1.0.1   "/bin/run"               28 hours ago        Up 28 hours         0.0.0.0:12376->2376/tcp   ucp-proxy
[ec2-user@ip-10-0-46-112 ~]$ docker login ec2-54-174-154-122.compute-1.amazonaws.com
Username: admin
Password:
Email:
Error response from daemon: invalid registry endpoint https://ec2-54-174-154-122.compute-1.amazonaws.com/v0/: unable to ping registry endpoint https://ec2-54-174-154-122.compute-1.amazonaws.com/v0/
v2 ping attempt failed with error: Get https://ec2-54-174-154-122.compute-1.amazonaws.com/v2/: x509: certificate signed by unknown authority
[ec2-user@ip-10-0-46-112 ~]$ sudo mkdir -p /etc/docker/certs.d/ec2-54-174-154-122.compute-1.amazonaws.com
[ec2-user@ip-10-0-46-112 ~]$ openssl s_client -connect ec2-54-174-154-122.compute-1.amazonaws.com:443 -showcerts </dev/null 2>/dev/null | sudo tee !$/ca.crt
openssl s_client -connect ec2-54-174-154-122.compute-1.amazonaws.com:443 -showcerts </dev/null 2>/dev/null | sudo tee /etc/docker/certs.d/ec2-54-174-154-122.compute-1.amazonaws.com/ca.crt
CONNECTED(00000003)

---
Certificate chain
 0 s:/C=US/O=Docker/OU=Docker/L=San Francisco/CN=ec2-54-174-154-122.compute-1.amazonaws.com
   i:/C=US/O=Docker/OU=Docker/L=San Francisco/CN=ec2-54-174-154-122.compute-1.amazonaws.com
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

---
Server certificate
subject=/C=US/O=Docker/OU=Docker/L=San Francisco/CN=ec2-54-174-154-122.compute-1.amazonaws.com
issuer=/C=US/O=Docker/OU=Docker/L=San Francisco/CN=ec2-54-174-154-122.compute-1.amazonaws.com

---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits

---
SSL handshake has read 2445 bytes and written 375 bytes

---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 48F3D3380B846BB4DA6100FC37155A5BD13CBEAFD26C3B5DC76C643B7ACF9097
    Session-ID-ctx:
    Master-Key: B98E8D7EDF2FCBFC5A0B429E907BA4350E6A25133947B9E0689C1AA938BCAB4F273B25FF7BDDA1973DB5BF8B3398541E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    Start Time: 1458956834
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

---
[ec2-user@ip-10-0-46-112 ~]$ cat !$
cat /etc/docker/certs.d/ec2-54-174-154-122.compute-1.amazonaws.com/ca.crt
cat: /etc/docker/certs.d/ec2-54-174-154-122.compute-1.amazonaws.com/ca.crt: Permission denied
[ec2-user@ip-10-0-46-112 ~]$ sudo !!
sudo cat /etc/docker/certs.d/ec2-54-174-154-122.compute-1.amazonaws.com/ca.crt
CONNECTED(00000003)

---
Certificate chain
 0 s:/C=US/O=Docker/OU=Docker/L=San Francisco/CN=ec2-54-174-154-122.compute-1.amazonaws.com
   i:/C=US/O=Docker/OU=Docker/L=San Francisco/CN=ec2-54-174-154-122.compute-1.amazonaws.com
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

---
Server certificate
subject=/C=US/O=Docker/OU=Docker/L=San Francisco/CN=ec2-54-174-154-122.compute-1.amazonaws.com
issuer=/C=US/O=Docker/OU=Docker/L=San Francisco/CN=ec2-54-174-154-122.compute-1.amazonaws.com

---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits

---
SSL handshake has read 2445 bytes and written 375 bytes

---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 48F3D3380B846BB4DA6100FC37155A5BD13CBEAFD26C3B5DC76C643B7ACF9097
    Session-ID-ctx:
    Master-Key: B98E8D7EDF2FCBFC5A0B429E907BA4350E6A25133947B9E0689C1AA938BCAB4F273B25FF7BDDA1973DB5BF8B3398541E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    Start Time: 1458956834
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

---
[ec2-user@ip-10-0-46-112 ~]$ docker login ec2-54-174-154-122.compute-1.amazonaws.com
Username: admin
Password:
Email:
WARNING: login credentials saved in /home/ec2-user/.docker/config.json
Login Succeeded
[ec2-user@ip-10-0-46-112 ~]$ git clone https://github.com/docker/notary
Cloning into 'notary'...
remote: Counting objects: 14593, done.
remote: Compressing objects: 100% (38/38), done.
remote: Total 14593 (delta 11), reused 0 (delta 0), pack-reused 14555
Receiving objects: 100% (14593/14593), 24.30 MiB | 27.58 MiB/s, done.
Resolving deltas: 100% (8138/8138), done.
[ec2-user@ip-10-0-46-112 ~]$ cd notary/
[ec2-user@ip-10-0-46-112 notary]$ ll
total 116
drwxrwxr-x.  2 ec2-user ec2-user    66 Mar 25 21:48 buildscripts
drwxrwxr-x.  2 ec2-user ec2-user    41 Mar 25 21:48 certs
-rw-rw-r--.  1 ec2-user ec2-user  1758 Mar 25 21:48 CHANGELOG.md
-rw-rw-r--.  1 ec2-user ec2-user  2584 Mar 25 21:48 circle.yml
drwxrwxr-x.  3 ec2-user ec2-user  4096 Mar 25 21:48 client
drwxrwxr-x.  5 ec2-user ec2-user    59 Mar 25 21:48 cmd
-rw-rw-r--.  1 ec2-user ec2-user  2384 Mar 25 21:48 const.go
-rw-rw-r--.  1 ec2-user ec2-user  3944 Mar 25 21:48 CONTRIBUTING.md
-rw-rw-r--.  1 ec2-user ec2-user   243 Mar 25 21:48 CONTRIBUTORS
-rwxrwxr-x.  1 ec2-user ec2-user   429 Mar 25 21:48 coverpkg.sh
drwxrwxr-x.  2 ec2-user ec2-user  4096 Mar 25 21:48 cryptoservice
-rw-rw-r--.  1 ec2-user ec2-user   862 Mar 25 21:48 development.yml
-rw-rw-r--.  1 ec2-user ec2-user   844 Mar 25 21:48 docker-compose.yml
-rw-rw-r--.  1 ec2-user ec2-user  1162 Mar 25 21:48 Dockerfile
drwxrwxr-x.  5 ec2-user ec2-user  4096 Mar 25 21:48 docs
drwxrwxr-x.  3 ec2-user ec2-user  4096 Mar 25 21:48 fixtures
drwxrwxr-x.  2 ec2-user ec2-user    37 Mar 25 21:48 Godeps
-rw-rw-r--.  1 ec2-user ec2-user 11309 Mar 25 21:48 LICENSE
-rw-rw-r--.  1 ec2-user ec2-user  1340 Mar 25 21:48 MAINTAINERS
-rw-rw-r--.  1 ec2-user ec2-user  7163 Mar 25 21:48 Makefile
drwxrwxr-x.  4 ec2-user ec2-user    65 Mar 25 21:48 migrations
drwxrwxr-x.  2 ec2-user ec2-user    59 Mar 25 21:48 misc
drwxrwxr-x.  3 ec2-user ec2-user    39 Mar 25 21:48 notarymysql
-rw-rw-r--.  1 ec2-user ec2-user     4 Mar 25 21:48 NOTARY_VERSION
drwxrwxr-x.  2 ec2-user ec2-user    51 Mar 25 21:48 passphrase
drwxrwxr-x.  2 ec2-user ec2-user    44 Mar 25 21:48 proto
-rw-rw-r--.  1 ec2-user ec2-user  9290 Mar 25 21:48 README.md
-rw-rw-r--.  1 ec2-user ec2-user   418 Mar 25 21:48 ROADMAP.md
drwxrwxr-x.  7 ec2-user ec2-user  4096 Mar 25 21:48 server
-rw-rw-r--.  1 ec2-user ec2-user   757 Mar 25 21:48 server.Dockerfile
drwxrwxr-x.  6 ec2-user ec2-user    90 Mar 25 21:48 signer
-rw-rw-r--.  1 ec2-user ec2-user   848 Mar 25 21:48 signer.Dockerfile
drwxrwxr-x.  3 ec2-user ec2-user  4096 Mar 25 21:48 trustmanager
drwxrwxr-x. 10 ec2-user ec2-user  4096 Mar 25 21:48 tuf
drwxrwxr-x.  2 ec2-user ec2-user    90 Mar 25 21:48 utils
drwxrwxr-x.  6 ec2-user ec2-user    79 Mar 25 21:48 vendor
drwxrwxr-x.  2 ec2-user ec2-user    23 Mar 25 21:48 version
[ec2-user@ip-10-0-46-112 notary]$ curl -L https://github.com/docker/compose/releases/download/1.6.3/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
-bash: /usr/local/bin/docker-compose: Permission denied
[ec2-user@ip-10-0-46-112 notary]$ sudo su
[root@ip-10-0-46-112 notary]# curl -L https://github.com/docker/compose/releases/download/1.6.3/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    21    0    21    0     0    173      0 --:--:-- --:--:-- --:--:--   175
[root@ip-10-0-46-112 notary]# chmod +x !$
chmod +x /usr/local/bin/docker-compose
[root@ip-10-0-46-112 notary]# exit
exit
[ec2-user@ip-10-0-46-112 notary]$ docker-compose up -d
/usr/local/bin/docker-compose: line 1: {error:Not Found}: command not found
[ec2-user@ip-10-0-46-112 notary]$ file docker-compose
docker-compose: cannot open (No such file or directory)
[ec2-user@ip-10-0-46-112 notary]$ sudo su -
Last login: Fri Mar 25 21:49:17 EDT 2016 on pts/0
[root@ip-10-0-46-112 ~]# curl -L https://github.com/docker/compose/releases/download/1.6.3/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    21    0    21    0     0    178      0 --:--:-- --:--:-- --:--:--   179
[root@ip-10-0-46-112 ~]# ^3^2^
curl -L https://github.com/docker/compose/releases/download/1.6.2/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   600    0   600    0     0   5252      0 --:--:-- --:--:-- --:--:--  5263
100 7743k  100 7743k    0     0  24.6M      0 --:--:-- --:--:-- --:--:-- 78.6M
[root@ip-10-0-46-112 ~]# exit
logout
[ec2-user@ip-10-0-46-112 notary]$ docker-compose up -d
Pulling mysql (mariadb:10.1.10)...
10.1.10: Pulling from library/mariadb
03e1855d4f31: Pull complete
a3ed95caeb02: Pull complete
ea9cb3d7d346: Pull complete
e47839e262bb: Pull complete
f568a56c1fd0: Pull complete
cc98c1dfbf81: Pull complete
98a99d2efdc4: Pull complete
0b304232c8e6: Pull complete
d65a44f4573e: Pull complete
Digest: sha256:10d0179f08a4fb0c785142ca73367921f46a93c2ee7c84831ae3543522156a6c
Status: Downloaded newer image for mariadb:10.1.10
Creating notary_mysql_1
Building signer
Step 1 : FROM golang:1.6.0
1.6.0: Pulling from library/golang
fdd5d7827f33: Pull complete
a3ed95caeb02: Pull complete
0f35d0fe50cc: Pull complete
7b40647e93b7: Pull complete
28935209ff25: Pull complete
fa005ca2f4d3: Pull complete
985550cdcff5: Pull complete
35ec3ef7e77d: Pull complete
Digest: sha256:82045f2a0e33d9d6f813722bc0c7920ba956709f026b8aa7a54f97f8ba2648f4
Status: Downloaded newer image for golang:1.6.0
 ---> 2529f72145a7
Step 2 : MAINTAINER David Lawrence "[email protected]"
 ---> Running in 5c779f25cace
 ---> b9411eaee50e
Removing intermediate container 5c779f25cace
Step 3 : RUN apt-get update && apt-get install -y     libltdl-dev     --no-install-recommends     && rm -rf /var/lib/apt/lists/*
 ---> Running in 00cb556ba6f6
Get:1 http://security.debian.org jessie/updates InRelease [63.1 kB]
Ign http://httpredir.debian.org jessie InRelease
Get:2 http://httpredir.debian.org jessie Release.gpg [2373 B]
Get:3 http://httpredir.debian.org jessie Release [148 kB]
Get:4 http://security.debian.org jessie/updates/main amd64 Packages [277 kB]
Get:5 http://httpredir.debian.org jessie/main amd64 Packages [9034 kB]
Get:6 http://httpredir.debian.org jessie-updates InRelease [142 kB]
Get:7 http://httpredir.debian.org jessie-updates/main amd64 Packages [5019 B]
Fetched 9672 kB in 2s (3747 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following extra packages will be installed:
  libltdl7
Suggested packages:
  libtool-doc
Recommended packages:
  libtool
The following NEW packages will be installed:
  libltdl-dev libltdl7
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 203 kB of archives.
After this operation, 1053 kB of additional disk space will be used.
Get:1 http://httpredir.debian.org/debian/ jessie/main libltdl7 amd64 2.4.2-1.11 [45.2 kB]
Get:2 http://httpredir.debian.org/debian/ jessie/main libltdl-dev amd64 2.4.2-1.11 [157 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 203 kB in 0s (288 kB/s)
Selecting previously unselected package libltdl7:amd64.
(Reading database ... 14702 files and directories currently installed.)
Preparing to unpack .../libltdl7_2.4.2-1.11_amd64.deb ...
Unpacking libltdl7:amd64 (2.4.2-1.11) ...
Selecting previously unselected package libltdl-dev:amd64.
Preparing to unpack .../libltdl-dev_2.4.2-1.11_amd64.deb ...
Unpacking libltdl-dev:amd64 (2.4.2-1.11) ...
Setting up libltdl7:amd64 (2.4.2-1.11) ...
Setting up libltdl-dev:amd64 (2.4.2-1.11) ...
Processing triggers for libc-bin (2.19-18+deb8u3) ...
 ---> 5f8b272a17b1
Removing intermediate container 00cb556ba6f6
Step 4 : EXPOSE 4444
 ---> Running in 53bf37cd65bf
 ---> 8ae3cc960ea2
Removing intermediate container 53bf37cd65bf
Step 5 : RUN go get github.com/mattes/migrate
 ---> Running in c0a40701c391
 ---> b4665e38952a
Removing intermediate container c0a40701c391
Step 6 : ENV NOTARYPKG github.com/docker/notary
 ---> Running in ead2f0ed559a
 ---> b25fa81828e9
Removing intermediate container ead2f0ed559a
Step 7 : ENV NOTARY_SIGNER_DEFAULT_ALIAS "timestamp_1"
 ---> Running in 7c85d51048ff
 ---> 7c8104cc3f6e
Removing intermediate container 7c85d51048ff
Step 8 : ENV NOTARY_SIGNER_TIMESTAMP_1 "testpassword"
 ---> Running in 63f8dbfa5360
 ---> cc27862d4eb1
Removing intermediate container 63f8dbfa5360
Step 9 : COPY . /go/src/github.com/docker/notary
 ---> e54066d1b52a
Removing intermediate container 2ff580f7fd0f
Step 10 : WORKDIR /go/src/${NOTARYPKG}
 ---> Running in 3e50fda8478a
 ---> 89136b31fd73
Removing intermediate container 3e50fda8478a
Step 11 : RUN go install     -tags pkcs11     -ldflags "-w -X ${NOTARYPKG}/version.GitCommit=`git rev-parse --short HEAD` -X ${NOTARYPKG}/version.NotaryVersion=`cat NOTARY_VERSION`"     ${NOTARYPKG}/cmd/notary-signer
 ---> Running in ef4b10272108
 ---> a8d34f6c62a0
Removing intermediate container ef4b10272108
Step 12 : ENTRYPOINT notary-signer
 ---> Running in f8259157315a
 ---> 0361475cf6c4
Removing intermediate container f8259157315a
Step 13 : CMD -config=fixtures/signer-config-local.json
 ---> Running in d7e0220220dc
 ---> ab165794be83
Removing intermediate container d7e0220220dc
Successfully built ab165794be83
Creating notary_signer_1
Building server
Step 1 : FROM golang:1.6.0
 ---> 2529f72145a7
Step 2 : MAINTAINER David Lawrence "[email protected]"
 ---> Using cache
 ---> b9411eaee50e
Step 3 : RUN apt-get update && apt-get install -y     libltdl-dev     --no-install-recommends     && rm -rf /var/lib/apt/lists/*
 ---> Using cache
 ---> 5f8b272a17b1
Step 4 : EXPOSE 4443
 ---> Running in ff1749af4e72
 ---> 459442817a93
Removing intermediate container ff1749af4e72
Step 5 : RUN go get github.com/mattes/migrate
 ---> Running in 05af180a3a11
 ---> d8e5d3a95b2a
Removing intermediate container 05af180a3a11
Step 6 : ENV NOTARYPKG github.com/docker/notary
 ---> Running in 46091e4ac079
 ---> f830dbf9ba99
Removing intermediate container 46091e4ac079
Step 7 : COPY . /go/src/github.com/docker/notary
 ---> c16c248a0ef3
Removing intermediate container fbadb9f33f0a
Step 8 : WORKDIR /go/src/${NOTARYPKG}
 ---> Running in 08038137a355
 ---> 899c64045ae6
Removing intermediate container 08038137a355
Step 9 : RUN go install     -tags pkcs11     -ldflags "-w -X ${NOTARYPKG}/version.GitCommit=`git rev-parse --short HEAD` -X ${NOTARYPKG}/version.NotaryVersion=`cat NOTARY_VERSION`"     ${NOTARYPKG}/cmd/notary-server
 ---> Running in 2c1fcd829375
 ---> d53a28a1b58f
Removing intermediate container 2c1fcd829375
Step 10 : ENTRYPOINT notary-server
 ---> Running in 927e38795b2d
 ---> 3ab4f6471a9a
Removing intermediate container 927e38795b2d
Step 11 : CMD -config=fixtures/server-config-local.json
 ---> Running in c4cbd5edc2fc
 ---> fa4949f6f7e1
Removing intermediate container c4cbd5edc2fc
Successfully built fa4949f6f7e1
Creating notary_server_1
ERROR: An HTTP request took too long to complete. Retry with --verbose to obtain debug information.
If you encounter this issue regularly because of slow network conditions, consider setting COMPOSE_HTTP_TIMEOUT to a higher value (current value: 60).
[ec2-user@ip-10-0-46-112 notary]$
[ec2-user@ip-10-0-46-112 notary]$
[ec2-user@ip-10-0-46-112 notary]$ docker-compose up -d
notary_mysql_1 is up-to-date
notary_signer_1 is up-to-date
notary_server_1 is up-to-date
[ec2-user@ip-10-0-46-112 notary]$ curl http://169.254.269.254/latest/meta-data/public-hostname
curl: (6) Could not resolve host: 169.254.269.254; Name or service not known
[ec2-user@ip-10-0-46-112 notary]$ curl https://169.254.269.254/latest/meta-data/public-hostname
curl: (6) Could not resolve host: 169.254.269.254; Name or service not known
[ec2-user@ip-10-0-46-112 notary]$ curl http://169.254.169.254/latest/meta-data/public-hostname
ec2-54-210-13-240.compute-1.amazonaws.com[ec2-user@ip-10-0-46-112 notary]$
[ec2-user@ip-10-0-46-112 notary]$
[ec2-user@ip-10-0-46-112 notary]$ ll
total 116
drwxrwxr-x.  2 ec2-user ec2-user    66 Mar 25 21:48 buildscripts
drwxrwxr-x.  2 ec2-user ec2-user    41 Mar 25 21:48 certs
-rw-rw-r--.  1 ec2-user ec2-user  1758 Mar 25 21:48 CHANGELOG.md
-rw-rw-r--.  1 ec2-user ec2-user  2584 Mar 25 21:48 circle.yml
drwxrwxr-x.  3 ec2-user ec2-user  4096 Mar 25 21:48 client
drwxrwxr-x.  5 ec2-user ec2-user    59 Mar 25 21:48 cmd
-rw-rw-r--.  1 ec2-user ec2-user  2384 Mar 25 21:48 const.go
-rw-rw-r--.  1 ec2-user ec2-user  3944 Mar 25 21:48 CONTRIBUTING.md
-rw-rw-r--.  1 ec2-user ec2-user   243 Mar 25 21:48 CONTRIBUTORS
-rwxrwxr-x.  1 ec2-user ec2-user   429 Mar 25 21:48 coverpkg.sh
drwxrwxr-x.  2 ec2-user ec2-user  4096 Mar 25 21:48 cryptoservice
-rw-rw-r--.  1 ec2-user ec2-user   862 Mar 25 21:48 development.yml
-rw-rw-r--.  1 ec2-user ec2-user   844 Mar 25 21:48 docker-compose.yml
-rw-rw-r--.  1 ec2-user ec2-user  1162 Mar 25 21:48 Dockerfile
drwxrwxr-x.  5 ec2-user ec2-user  4096 Mar 25 21:48 docs
drwxrwxr-x.  3 ec2-user ec2-user  4096 Mar 25 21:48 fixtures
drwxrwxr-x.  2 ec2-user ec2-user    37 Mar 25 21:48 Godeps
-rw-rw-r--.  1 ec2-user ec2-user 11309 Mar 25 21:48 LICENSE
-rw-rw-r--.  1 ec2-user ec2-user  1340 Mar 25 21:48 MAINTAINERS
-rw-rw-r--.  1 ec2-user ec2-user  7163 Mar 25 21:48 Makefile
drwxrwxr-x.  4 ec2-user ec2-user    65 Mar 25 21:48 migrations
drwxrwxr-x.  2 ec2-user ec2-user    59 Mar 25 21:48 misc
drwxrwxr-x.  3 ec2-user ec2-user    39 Mar 25 21:48 notarymysql
-rw-rw-r--.  1 ec2-user ec2-user     4 Mar 25 21:48 NOTARY_VERSION
drwxrwxr-x.  2 ec2-user ec2-user    51 Mar 25 21:48 passphrase
drwxrwxr-x.  2 ec2-user ec2-user    44 Mar 25 21:48 proto
-rw-rw-r--.  1 ec2-user ec2-user  9290 Mar 25 21:48 README.md
-rw-rw-r--.  1 ec2-user ec2-user   418 Mar 25 21:48 ROADMAP.md
drwxrwxr-x.  7 ec2-user ec2-user  4096 Mar 25 21:48 server
-rw-rw-r--.  1 ec2-user ec2-user   757 Mar 25 21:48 server.Dockerfile
drwxrwxr-x.  6 ec2-user ec2-user    90 Mar 25 21:48 signer
-rw-rw-r--.  1 ec2-user ec2-user   848 Mar 25 21:48 signer.Dockerfile
drwxrwxr-x.  3 ec2-user ec2-user  4096 Mar 25 21:48 trustmanager
drwxrwxr-x. 10 ec2-user ec2-user  4096 Mar 25 21:48 tuf
drwxrwxr-x.  2 ec2-user ec2-user    90 Mar 25 21:48 utils
drwxrwxr-x.  6 ec2-user ec2-user    79 Mar 25 21:48 vendor
drwxrwxr-x.  2 ec2-user ec2-user    23 Mar 25 21:48 version
[ec2-user@ip-10-0-46-112 notary]$ cd ..
[ec2-user@ip-10-0-46-112 ~]$ openssl s_client -connect ec2-54-210-13-240.compute-1.amazonaws.com:443 -showcerts </dev/null 2>/dev/null | tee notary-ca.crt
[ec2-user@ip-10-0-46-112 ~]$ cat notary-ca.crt
[ec2-user@ip-10-0-46-112 ~]$ cd -
/home/ec2-user/notary
[ec2-user@ip-10-0-46-112 notary]$ docker-compose ps
       Name               Command               State                Ports
---------------------------------------------------------------------------------
notary_mysql_1       /docker-             Up                   0.0.0.0:3306->3306
                     entrypoint.sh mysq                        /tcp
                     ...
notary_server_1      /bin/bash -c         Up                   0.0.0.0:4443->4443
                     ./migrations/ ...                         /tcp, 0.0.0.0:3276
                                                               8->8080/tcp
notary_signer_1      /bin/bash -c         Up                   4444/tcp
                     ./migrations/ ...
[ec2-user@ip-10-0-46-112 notary]$ openssl s_client -connect ec2-54-210-13-240.compute-1.amazonaws.com:4443 -showcerts </dev/null 2>/dev/null | tee ../notary-ca.crt
CONNECTED(00000003)

---
Certificate chain
 0 s:/CN=notary-server/C=US/L=San Francisco/O=Docker/ST=CA
   i:/CN=Notary Testing CA/C=US/L=San Francisco/O=Docker/ST=CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:/CN=Notary Testing CA/C=US/L=San Francisco/O=Docker/ST=CA
   i:/C=US/ST=CA/L=San Francisco/O=Docker/CN=Notary Testing CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

---
Server certificate
subject=/CN=notary-server/C=US/L=San Francisco/O=Docker/ST=CA
issuer=/CN=Notary Testing CA/C=US/L=San Francisco/O=Docker/ST=CA

---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits

---
SSL handshake has read 3575 bytes and written 375 bytes

---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 12916366B0F9FBE226B2168AAB036EEA18BD81D81A59872323B7F9CAB75AB134
    Session-ID-ctx:
    Master-Key: E1CCFD3291799BA2AD57574714FF9C48232D821DAB8B15819E749EDC66CD9CD4994B8E5C8FE4B668098AFC47C8517D86
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    Start Time: 1458958164
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

---
[ec2-user@ip-10-0-46-112 notary]$
[ec2-user@ip-10-0-46-112 notary]$ cd
[ec2-user@ip-10-0-46-112 ~]$ docker login ec2-54-174-154-122.compute-1.amazonaws.com
Username (admin): admin
Password:
WARNING: login credentials saved in /home/ec2-user/.docker/config.json
Login Succeeded
[ec2-user@ip-10-0-46-112 ~]$
[ec2-user@ip-10-0-46-112 ~]$ docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
fdd5d7827f33: Already exists
a3ed95caeb02: Pull complete
716f7a5f3082: Pull complete
7b10f03a0309: Pull complete
Digest: sha256:f6a001272d5d324c4c9f3f183e1b69e9e0ff12debeb7a092730d638c33e0de3e
Status: Downloaded newer image for nginx:latest
[ec2-user@ip-10-0-46-112 ~]$ docker tag !$ ec2-54-174-154-122.compute-1.amazonaws.com/enterprise-apps/nginx:v0.1.18-signed
docker tag nginx ec2-54-174-154-122.compute-1.amazonaws.com/enterprise-apps/nginx:v0.1.18-signed
[ec2-user@ip-10-0-46-112 ~]$ export DOCKER_CONTENT_TRUST=1
[ec2-user@ip-10-0-46-112 ~]$ docker push ec2-54-174-154-122.compute-1.amazonaws.com/enterprise-apps/nginx:v0.1.18-signed
The push refers to a repository [ec2-54-174-154-122.compute-1.amazonaws.com/enterprise-apps/nginx]
5f70bf18a086: Pushed
3f3324023e75: Pushed
f0d7d68f89e5: Pushed
917c0fc99b35: Pushed
v0.1.18-signed: digest: sha256:9a8aaa97409904b2d29ab9963c5ced35113935bf15fd1eb327ae5a17ea14927b size: 5676
Signing and pushing trust metadata
ERRO[0015] Could not publish Repository: x509: certificate signed by unknown authority
x509: certificate signed by unknown authority
[ec2-user@ip-10-0-46-112 ~]$ DTR_HOST=ec2-54-174-154-122.compute-1.amazonaws.com
[ec2-user@ip-10-0-46-112 ~]$ mkdir -p ~/.docker/tls/$DTR_HOST ; openssl s_client -showcerts -connect $DTR_HOST:443 2>/dev/null < /dev/null | openssl x509 -outform PEM 2>/dev/null > ~/.docker/tls/$DTR_HOST/ca.crt
[ec2-user@ip-10-0-46-112 ~]$ echo $DTR_HOST
ec2-54-174-154-122.compute-1.amazonaws.com
[ec2-user@ip-10-0-46-112 ~]$ cat ~/.docker/tls/\$DTR_HOST/ca.crt
cat: /home/ec2-user/.docker/tls/$DTR_HOST/ca.crt: No such file or directory
[ec2-user@ip-10-0-46-112 ~]$ cat ~/.docker/tls/$DTR_HOST/ca.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[ec2-user@ip-10-0-46-112 ~]$ docker push ec2-54-174-154-122.compute-1.amazonaws.com/enterprise-apps/nginx:v0.1.18-signed
The push refers to a repository [ec2-54-174-154-122.compute-1.amazonaws.com/enterprise-apps/nginx]
5f70bf18a086: Layer already exists
3f3324023e75: Layer already exists
f0d7d68f89e5: Layer already exists
917c0fc99b35: Layer already exists
v0.1.18-signed: digest: sha256:9a8aaa97409904b2d29ab9963c5ced35113935bf15fd1eb327ae5a17ea14927b size: 5676
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID dd15906:
Repeat passphrase for new root key with ID dd15906:
Enter passphrase for new repository key with ID af097fe (ec2-54-174-154-122.compute-1.amazonaws.com/enterprise-apps/nginx):
Repeat passphrase for new repository key with ID af097fe (ec2-54-174-154-122.compute-1.amazonaws.com/enterprise-apps/nginx):
Finished initializing "ec2-54-174-154-122.compute-1.amazonaws.com/enterprise-apps/nginx"
[ec2-user@ip-10-0-46-112 ~]$
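
In the session above, the first docker-compose download saved a 21-byte HTTP error response as /usr/local/bin/docker-compose, which was then made executable and run. The following is an added example, not part of the original comment: it stages a download, checks it against a published SHA-256, and only then installs it. Function names are hypothetical, and the URL and checksum in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example: stage, verify, then install a downloaded binary.
# Function names are hypothetical.

# fetch_to_stage <url> <stage_file>
# --fail makes curl exit non-zero on an HTTP error (such as a 404) instead of
# saving the error body as if it were the requested file.
fetch_to_stage() {
  curl --fail --silent --show-error --location --output "$2" "$1"
}

# install_verified <stage_file> <expected_sha256> <dest>
# Returns 2 if the staged file is missing or empty, 3 on a checksum mismatch.
install_verified() {
  local stage="$1" expected="$2" dest="$3" actual
  [ -s "$stage" ] || { echo "staged file missing or empty" >&2; return 2; }
  actual=$(sha256sum < "$stage" | cut -d' ' -f1)
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $stage: got $actual" >&2
    return 3
  fi
  # Copy next to the destination and rename, so a failure cannot leave a
  # half-written executable on PATH.
  install -m 0755 "$stage" "$dest.new" && mv -f "$dest.new" "$dest"
}

# Real use (placeholders, not values from the page):
#   fetch_to_stage "<release URL>" /tmp/docker-compose.stage &&
#   install_verified /tmp/docker-compose.stage "<published sha256>" /usr/local/bin/docker-compose

demo() {
  local dir good
  dir=$(mktemp -d) || return 1
  # Constructed stand-in for a release binary.
  printf '#!/bin/sh\necho "constructed stand-in"\n' > "$dir/release"
  # Constructed 21-byte error body of the kind a failed download leaves behind.
  printf '{"error":"Not Found"}' > "$dir/errorbody"
  # Stands in for the checksum published alongside the release.
  good=$(sha256sum < "$dir/release" | cut -d' ' -f1)
  install_verified "$dir/release" "$good" "$dir/docker-compose" \
    && echo "checksum matched: installed"
  install_verified "$dir/errorbody" "$good" "$dir/docker-compose-bad" \
    || echo "error body rejected: nothing installed"
  rm -rf "$dir"
}
demo
```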
