docker-archive / docker-registry

This is **DEPRECATED**! Please go to https://github.com/docker/distribution
Apache License 2.0

unable to Login to Private Docker registry #1020

Closed mahesh3267 closed 8 years ago

mahesh3267 commented 9 years ago

Hi All,

I am having trouble logging in to our private Docker registry. Please find the following error and suggest.

```
Error response from daemon: invalid registry endpoint https://private-registry/v0/: unable to ping registry endpoint https://private-registry/v0/
v2 ping attempt failed with error: Get https://private-registry/v2/: dial tcp xx.xx.xx.xx:443: connection refused
 v1 ping attempt failed with error: Get https://private-registry/v1/_ping: dial tcp xx.xx.xx.xx:443: connection refused. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry private-registry` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/private-registry/ca.crt
```

Tried adding `--insecure-registry` to the /etc/default/docker file; it looks like there is no impact on the issue.

```
# Docker Upstart and SysVinit configuration file

# Customize location of Docker binary (especially for development testing).
#DOCKER="/usr/local/bin/docker"

# Use DOCKER_OPTS to modify the daemon startup options.
#DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"
DOCKER_OPTS="-H=unix:///var/run/docker.sock -H 0.0.0.0:2379"
DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=private-registry"

# If you need Docker to use an HTTP proxy, it can also be specified here.
#export http_proxy="http://127.0.0.1:3128/"

# This is also a handy place to tweak where Docker's temporary files go.
#export TMPDIR="/mnt/bigdrive/docker-tmp"
```

Kindly suggest.

dmp42 commented 9 years ago

`dial tcp 10.146.3.120:443: connection refused` tells you your registry is not running at that IP.

olibob commented 8 years ago

Hi,

I have the same issue.

Conditions:

command used

```
docker run -d -p 5000:5000 --restart=always --name registry -v /root/certs:/certs -v /reg:/var/lib/registry -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2
```

push/pull works

Add authentication as indicated in Basic native auth

When trying to log on with docker login myreg.net:5000, I got some TLS handshake errors. So I trusted the certificate as indicated here

TLS handshake errors are gone. A curl works as well:

```
[root@reg02 anchors]# curl -v https://myreg.net:5000/v2/_catalog
* About to connect() to myreg.net port 5000 (#0)
*   Trying 192.168.60.11...
* Connected to myreg.net (192.168.60.11) port 5000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
*       subject: CN=myreg.net,O=Agile Partner,L=Luxembourg,ST=Luxembourg,C=LU
*       start date: Aug 17 12:34:01 2015 GMT
*       expire date: Aug 16 12:34:01 2016 GMT
*       common name: myreg.net
*       issuer: CN=myreg.net,O=Agile Partner,L=Luxembourg,ST=Luxembourg,C=LU
> GET /v2/_catalog HTTP/1.1
> User-Agent: curl/7.29.0
> Host: myreg.net:5000
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
< Date: Mon, 17 Aug 2015 14:28:58 GMT
< Content-Length: 46
<
{"repositories":["busybox","httpd","ubuntu"]}
* Connection #0 to host myreg.net left intact
```

I still can push/pull without being logged in.

command used

```
docker run -d -p 5000:5000 --restart=always --name registry -v /root/certs:/certs -v /root/auth:/auth -v /reg:/var/lib/registry -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2
```

On the "client"

```
[root@reg02 anchors]# docker login https://myreg.net:5000
Username: testuser
Password:
Email: mymail@gmail.com
Error response from daemon: no successful auth challenge for https://myreg.net:5000/v2/ - errors: []
```

Logs on the registry

```
time="2015-08-17T14:41:21Z" level=info msg="response completed" http.request.host="myreg.net:5000" http.request.id=3914780f-6c01-44ff-a710-b0313808380e http.request.method=GET http.request.remoteaddr="192.168.60.12:49459" http.request.uri="/v2/" http.request.useragent="docker/1.8.1 go/go1.4.2 git-commit/d12ea79 kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=1.962546ms http.response.status=200 http.response.written=2 instance.id=c5bc7d6b-1f0c-4cc3-9612-d3b145cd9afd version=v2.1.1
192.168.60.12 - - [17/Aug/2015:14:41:21 +0000] "GET /v2/ HTTP/1.1" 200 2 "" "docker/1.8.1 go/go1.4.2 git-commit/d12ea79 kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
```

It's as if the basic authentication is not active at all.

Here is the beginning of the registry logs

```
time="2015-08-17T14:26:56Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." instance.id=c5bc7d6b-1f0c-4cc3-9612-d3b145cd9afd version=v2.1.1
time="2015-08-17T14:26:56Z" level=info msg="redis not configured" instance.id=c5bc7d6b-1f0c-4cc3-9612-d3b145cd9afd version=v2.1.1
time="2015-08-17T14:26:56Z" level=info msg="using inmemory blob descriptor cache" instance.id=c5bc7d6b-1f0c-4cc3-9612-d3b145cd9afd version=v2.1.1
time="2015-08-17T14:26:56Z" level=info msg="Starting upload purge in 55m0s" instance.id=c5bc7d6b-1f0c-4cc3-9612-d3b145cd9afd version=v2.1.1
time="2015-08-17T14:26:57Z" level=info msg="listening on [::]:5000, tls" instance.id=c5bc7d6b-1f0c-4cc3-9612-d3b145cd9afd version=v2.1.1
time="2015-08-17T14:27:05Z" level=info msg="response completed" http.request.host="myreg.net:5000" http.request.id=0dff0ae8-cc12-4a79-9317-bdc59caf8268 http.request.method=GET http.request.remoteaddr="192.168.60.1:60053" http.request.uri="/v2/_catalog" http.request.useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36" http.response.contenttype="application/json; charset=utf-8" http.response.duration=2.614145ms http.response.status=200 http.response.written=46 instance.id=c5bc7d6b-1f0c-4cc3-9612-d3b145cd9afd version=v2.1.1
192.168.60.1 - - [17/Aug/2015:14:27:05 +0000] "GET /v2/_catalog HTTP/1.1" 200 46 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36"
192.168.60.1 - - [17/Aug/2015:14:27:06 +0000] "GET /favicon.ico HTTP/1.1" 404 19 "https://myreg.net:5000/v2/_catalog" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36"
time="2015-08-17T14:27:43Z" level=info msg="response completed" http.request.host="myreg.net:5000" http.request.id=2042909c-d692-4fd8-9132-a7abe675f75d http.request.method=GET http.request.remoteaddr="192.168.60.12:49452" http.request.uri="/v2/" http.request.useragent="docker/1.8.1 go/go1.4.2 git-commit/d12ea79 kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=1.848427ms http.response.status=200 http.response.written=2 instance.id=c5bc7d6b-1f0c-4cc3-9612-d3b145cd9afd version=v2.1.1
192.168.60.12 - - [17/Aug/2015:14:27:43 +0000] "GET /v2/ HTTP/1.1" 200 2 "" "docker/1.8.1 go/go1.4.2 git-commit/d12ea79 kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
time="2015-08-17T14:28:01Z" level=info msg="response completed" http.request.host="myreg.net:5000" http.request.id=8ed7927f-c741-4008-8c1b-9eec9bfa2a7e http.request.method=GET http.request.remoteaddr="192.168.60.12:49453" http.request.uri="/v2/" http.request.useragent="docker/1.8.1 go/go1.4.2 git-commit/d12ea79 kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=2.055284ms http.response.status=200 http.response.written=2 instance.id=c5bc7d6b-1f0c-4cc3-9612-d3b145cd9afd version=v2.1.1
192.168.60.12 - - [17/Aug/2015:14:28:01 +0000] "GET /v2/ HTTP/1.1" 200 2 "" "docker/1.8.1 go/go1.4.2 git-commit/d12ea79 kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
time="2015-08-17T14:28:01Z" level=info msg="response completed" http.request.host="myreg.net:5000" http.request.id=0a97f37a-62ee-4fb6-9601-96084c1cd130 http.request.method=GET http.request.remoteaddr="192.168.60.12:49454" http.request.uri="/v2/busybox/manifests/latest" http.request.useragent="docker/1.8.1 go/go1.4.2 git-commit/d12ea79 kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=5.141901ms http.response.status=200 http.response.written=5697 instance.id=c5bc7d6b-1f0c-4cc3-9612-d3b145cd9afd version=v2.1.1
192.168.60.12 - - [17/Aug/2015:14:28:01 +0000] "GET /v2/busybox/manifests/latest HTTP/1.1" 200 5697 "" "docker/1.8.1 go/go1.4.2 git-commit/d12ea79 kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
time="2015-08-17T14:28:58Z" level=info msg="response completed" http.request.host="myreg.net:5000" http.request.id=5f7ab413-e908-430c-8123-525a374b5118 http.request.method=GET http.request.remoteaddr="192.168.60.12:49455" http.request.uri="/v2/_catalog" http.request.useragent="curl/7.29.0" http.response.contenttype="application/json; charset=utf-8" http.response.duration=3.295505ms http.response.status=200 http.response.written=46 instance.id=c5bc7d6b-1f0c-4cc3-9612-d3b145cd9afd version=v2.1.1
192.168.60.12 - - [17/Aug/2015:14:28:58 +0000] "GET /v2/_catalog HTTP/1.1" 200 46 "" "curl/7.29.0"
```

dmp42 commented 8 years ago

@olibob

  1. You don't have the same issue as the O.P. Usually and when in doubt, better to open a new issue.
  2. This GitHub repo here is about the old registry, marked as deprecated. You will usually get answers on https://github.com/docker/distribution
  3. For basic auth to be enabled, you are missing an env variable: `-e "REGISTRY_AUTH=htpasswd"` (see https://github.com/docker/distribution/blob/master/docs/deploying.md#native-basic-auth )
  4. TLS error on login, if you still experience it (docker 1.6?), see at the bottom here: https://github.com/docker/distribution/blob/master/docs/nginx.md#docker-still-complains-about-the-certificate

Let me know if that helps.
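
The misconfiguration identified in the comment above (htpasswd options set while `REGISTRY_AUTH` is absent, so `/v2/` answers 200 with no challenge) can be checked for mechanically. The following is an added example, not code from the thread or from the registry project; the function names `auth_env_status` and `challenge_status` are hypothetical and the sample inputs are constructed from the commands shown in the thread.

```shell
# Added example, not from the thread. Function names are hypothetical.
# Classify a container's environment (one KEY=VALUE per line on stdin), e.g.
#   docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' registry
auth_env_status() (
  auth="" realm=0 path=0
  while IFS= read -r line; do
    case "$line" in
      REGISTRY_AUTH=*)                auth=${line#REGISTRY_AUTH=} ;;
      REGISTRY_AUTH_HTPASSWD_REALM=*) realm=1 ;;
      REGISTRY_AUTH_HTPASSWD_PATH=*)  path=1 ;;
    esac
  done
  if [ "$auth" = htpasswd ] && [ "$realm$path" = 11 ]; then
    echo enabled
  elif [ "$auth" = htpasswd ]; then
    echo incomplete      # backend selected, realm or path missing
  elif [ -z "$auth" ] && [ "$realm$path" != 00 ]; then
    echo ignored         # htpasswd options set but auth never switched on
  elif [ -z "$auth" ]; then
    echo disabled
  else
    echo "other:$auth"   # a different auth backend, not examined here
  fi
)

# Classify the response headers of an anonymous GET /v2/ read from stdin, e.g.
#   curl -sS -D - -o /dev/null https://myreg.net:5000/v2/ | challenge_status
challenge_status() {
  tr -d '\r' | awk '
    /^HTTP\//                          { code = $2 }
    tolower($0) ~ /^www-authenticate:/ { challenge = 1 }
    END {
      if (code == "401" && challenge) print "auth-enforced"
      else if (code == "200")         print "anonymous-access"
      else                            print "inconclusive:" code
    }'
}

# Constructed samples: environment of the second "docker run" in the thread,
# then the same environment with the variable that fixed it.
BROKEN_ENV='REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
REGISTRY_HTTP_TLS_KEY=/certs/domain.key
REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd'
FIXED_ENV="$BROKEN_ENV
REGISTRY_AUTH=htpasswd"

printf '%s\n' "$BROKEN_ENV" | auth_env_status   # ignored
printf '%s\n' "$FIXED_ENV"  | auth_env_status   # enabled
```

Running `challenge_status` against the live endpoint after every registry redeploy catches the case where images remain pullable and pushable without credentials.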

dmp42 commented 8 years ago

@mahesh3267 closing this for bookkeeping. Let me know if you still have issues.

olibob commented 8 years ago

@dmp42

Noted: https://github.com/docker/distribution

Adding the missing environment variable fixed the issue.

Thank you for your time and help.

dmp42 commented 8 years ago

Welcome @olibob Happy you got it working.

xuedihualu commented 8 years ago

@olibob: Hi, I have the same problem. How do you solve the problem? This is my log:

```
time="2015-10-12T09:48:34Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." instance.id=738e2633-246e-4d53-8ed4-24addef562ee version=v2.1.
```

dmp42 commented 8 years ago

@xuedihualu please read the comments. This here is not the place to report registry:2 issues.

Please also start by following the documentation step by step: https://github.com/docker/distribution/blob/master/docs/deploying.md

If you still have issues doing so, open a new ticket on https://github.com/docker/distribution