docker login behind proxy on private registry gives TLS handshake timeout

Question:

We have a private Docker registry at work (based on Portus, but whatever) and I try to push an image to this registry, but it doesn't work. It fails with the following error message:

$ sudo docker login archive.docker-registry.mycompany.com
Username: mylogin
Password:
Error response from daemon: Get https://archive.docker-registry.mycompany.com/v1/users/: net/http: TLS handshake timeout
$

I already configured the proxy in /etc/systemd/system/docker.service.d/http-proxy.conf (my Docker is on CentOS 7):

[Service]
Environment="HTTP_PROXY=http://proxy.mycompany.com:8000/" "NO_PROXY=localhost,127.0.0.1,archive.docker-registry.mycompany.com"

but it still fails.

I tried to use HTTPS_PROXY instead of HTTP_PROXY, using either http or https in the URL. I also tried to download the certificates manually and configure them in the system (update-ca-certs), but it keeps failing.

When I changed this configuration file, as root, I executed:

# systemctl daemon-reload
# systemctl restart docker

Answer1:

Actually, I found that if I comment out the full Environment line, it works for the private registry but not for Docker Hub anymore (of course, no more proxy). And here is the final solution that works for both the private registry and the Docker Hub public registry:

In the NO_PROXY environment variable, only the domain name should be used, not the FQDN (including "archive." hostname prefix):

Here is my config file now:

[Service]
Environment="HTTP_PROXY=http://proxy.mycompany.com:8000/" "NO_PROXY=localhost,127.0.0.1,docker-registry.mycompany.com"

Note that there is no more "archive." nor "portus." prefix in NO_PROXY anymore, just the domain name starting from "docker-registry".

As I saw the docker login command line including "archive." prefix, it was misleading and I thought it had to be in the NO_PROXY environment variable... but no, it should not.

Hope it helps someone. I wish I had found the answer on Google before, but I didn't, so I'm just posting it here; it might help someone.
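
An added example, not part of the original answer or of Docker's own code: it parses the two drop-in files shown above and reports which registry hostnames each NO_PROXY value would exempt from the proxy, assuming the matching rule documented for Go's proxy handling (an entry matches that exact name and its subdomains; a leading "." matches subdomains only). The hostnames portus.docker-registry.mycompany.com and registry-1.docker.io are assumptions used for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Drop-in contents copied from the question (fqdnConf) and the answer (domainConf).
const fqdnConf = `[Service]
Environment="HTTP_PROXY=http://proxy.mycompany.com:8000/" "NO_PROXY=localhost,127.0.0.1,archive.docker-registry.mycompany.com"`
const domainConf = `[Service]
Environment="HTTP_PROXY=http://proxy.mycompany.com:8000/" "NO_PROXY=localhost,127.0.0.1,docker-registry.mycompany.com"`

// noProxyEntries returns the NO_PROXY list from a drop-in's Environment= line (quoted KEY=value pairs).
func noProxyEntries(dropIn string) []string {
	for _, line := range strings.Split(dropIn, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "Environment=") {
			continue
		}
		for _, kv := range strings.Fields(strings.TrimPrefix(line, "Environment=")) {
			kv = strings.Trim(kv, `"`)
			if strings.HasPrefix(kv, "NO_PROXY=") {
				return strings.Split(strings.TrimPrefix(kv, "NO_PROXY="), ",")
			}
		}
	}
	return nil
}

// bypasses applies the assumed rule: an entry matches that exact name and its
// subdomains; a leading "." matches subdomains only. Ports and CIDRs are not handled.
func bypasses(host string, entries []string) bool {
	host = strings.ToLower(host)
	for _, e := range entries {
		e = strings.ToLower(strings.TrimSpace(e))
		if host == e || strings.HasSuffix(host, "."+strings.TrimPrefix(e, ".")) {
			return true
		}
	}
	return false
}

func main() {
	// Assumed hostnames: "portus." comes from the answer's wording; registry-1.docker.io stands in for Docker Hub.
	for _, h := range []string{"archive.docker-registry.mycompany.com", "portus.docker-registry.mycompany.com", "registry-1.docker.io"} {
		fmt.Printf("%-40s fqdn=%v domain=%v\n", h, bypasses(h, noProxyEntries(fqdnConf)), bypasses(h, noProxyEntries(domainConf)))
	}
}
```

Under this rule the FQDN entry exempts only the archive host, while the parent-domain entry exempts every host under docker-registry.mycompany.com, which is a wider proxy bypass than a single registry host.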

Answer2:

If you are using a private registry, you need to place the certificate for that under /etc/docker/certs.d/registryname/ca.crt

registryname will change accordingly.

Also, please change your MTU size to 1300; this was also one thing I did to resolve the error. Registry one I believe you might have already done. Command for MTU change:

ip link set dev eth0 mtu 1300

MTU size is important to check

Answer3:

The latest stable version I installed (18.xx) had this issue and after downgrading to 17.12.0-ce, it works fine for me.
