distribution: Private registry push fail: server gave HTTP response to HTTPS client

My private registry worked well based on docker 1.10.3, but it can’t pull/push images after docker updated to 1.12.0.

I had modified /etc/sysconfig/docker as:

OPTIONS='--selinux-enabled=true --insecure-registry=myip:5000'

or

OPTIONS='--selinux-enabled=true --insecure-registry myip:5000'

but when I exec pull/push, I got this error:

$ docker pull myip:5000/cadvisor
Using default tag: latest
Error response from daemon: Get https://myip:5000/v1/_ping: http: server gave HTTP response to HTTPS client

When I change docker back to 1.10.3, it still works well, as below:

$ docker pull myip:5000/cadvisor
Using default tag: latest
Trying to pull repository myip:5000/cadvisor ...
latest: Pulling from myip:5000/cadvisor
09d0220f4043: Pull complete
a3ed95caeb02: Pull complete
151807d34af9: Pull complete
14cd28dce332: Pull complete
Digest: sha256:33b6475cd5b7646b3748097af1224de3eee3ba7cf5105524d95c0cf135f59b47
Status: Downloaded newer image for myip:5000/cadvisor:latest

As suggested by RichardScothern, some relevant information is listed below:

docker version
Client:
 Version: 1.12.0
 API version: 1.24
 Go version: go1.6.3
 Git commit: 8eab29e
 Built:
 OS/Arch: linux/amd64

Server:
 Version: 1.12.0
 API version: 1.24
 Go version: go1.6.3
 Git commit: 8eab29e
 Built:
 OS/Arch: linux/amd64

docker info
Containers: 4
 Running: 1
 Paused: 0
 Stopped: 3
Images: 241
Server Version: 1.12.0
Storage Driver: devicemapper
 Pool Name: docker-253:0-6809-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 107.4 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 5.459 GB
 Data Space Total: 107.4 GB
 Data Space Available: 34.74 GB
 Metadata Space Used: 9.912 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.138 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Use '--storage-opt dm.thinpooldev' to specify a custom block storage device.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.107-RHEL7 (2016-06-09)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: host overlay null bridge
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: seccomp
Kernel Version: 3.10.0-229.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 24
Total Memory: 62.39 GiB
Name: server_3
ID: TITS:BL4B:M5FE:CIRO:5SW6:TVIV:HW36:J7OS:WLHF:46T6:2RBA:WCNV
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 21
 Goroutines: 32
 System Time: 2016-08-02T10:33:06.414048675+08:00
 EventsListeners: 0
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
 127.0.0.0/8

docker exec <registry-container> registry -version
registry github.com/docker/distribution v2.2.1

After I restart the docker daemon in debug mode, the daemon logs when reproducing my problem are listed below:

DEBU[0794] Calling POST /v1.24/images/create?fromImage=10.10.10.40%3A5000%2Fcadvisor&tag=latest
DEBU[0794] hostDir: /etc/docker/certs.d/10.10.10.40:5000
DEBU[0794] hostDir: /etc/docker/certs.d/10.10.10.40:5000
DEBU[0794] Trying to pull 10.10.10.40:5000/cadvisor from https://10.10.10.40:5000 v2
WARN[0794] Error getting v2 registry: Get https://10.10.10.40:5000/v2/: http: server gave HTTP response to HTTPS client
ERRO[0794] Attempting next endpoint for pull after error: Get https://10.10.10.40:5000/v2/: http: server gave HTTP response to HTTPS client
DEBU[0794] Trying to pull 10.10.10.40:5000/cadvisor from https://10.10.10.40:5000 v1
DEBU[0794] hostDir: /etc/docker/certs.d/10.10.10.40:5000
DEBU[0794] attempting v1 ping for registry endpoint https://10.10.10.40:5000/v1/
DEBU[0794] Fallback from error: Get https://10.10.10.40:5000/v1/_ping: http: server gave HTTP response to HTTPS client
ERRO[0794] Attempting next endpoint for pull after error: Get https://10.10.10.40:5000/v1/_ping: http: server gave HTTP response to HTTPS client
ERRO[0794] Handler for POST /v1.24/images/create returned error: Get https://10.10.10.40:5000/v1/_ping: http: server gave HTTP response to HTTPS client
DEBU[1201] clean 2 unused exec commands

What’s more, I just ran a simple command to launch the private registry for testing; everything else is left at its default:

docker run -d -p 5000:5000 --restart=always --name registry -v `pwd`/data:/var/lib/registry registry:2

Neither nginx nor a proxy is configured. In summary, it is only a quite simple environment for testing.

Hope you guys can give me some suggestions, thank you!

About this issue

  • State: closed
  • Created 8 years ago
  • Reactions: 36
  • Comments: 50 (3 by maintainers)

Most upvoted comments

I got help from [http://stackoverflow.com/questions/38695515/can-not-pull-push-images-after-update-docker-to-1-12]; two steps in total to solve this issue:

  1. Create or modify /etc/docker/daemon.json:
     { "insecure-registries":["myregistry.example.com:5000"] }
  2. Restart the docker daemon:
     sudo service docker restart

I agree with @dmcgowan

The --insecure-registry=myip:5000 flag is not getting set on the daemon

but I have no idea why it only occurred under docker version 1.12. I will keep this issue open for the next three days; any comments are welcome.

I’d like to clarify that you should add the { "insecure-registries":["myregistry.example.com:5000"] } to /etc/docker/daemon.json in the client machine.

Same problem here but with Docker for Mac Version 1.12.1-beta26.1 (build: 12100). Solved by adding the insecure registry in Docker Mac App preferences. Why is this issue closed?

For Centos 7 and Docker version 17.03.1-ce, build c6d412e, just modify ‘/usr/lib/systemd/system/docker.service’, as @saavkaar indicated:

vi /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.127.1:5000

And now reset docker:

systemctl daemon-reload
service docker restart

Where 192.168.127.1:5000 is the ‘IP:port’ of the master node where the registry image is running. Apply this modification and the restart in the master node and also in the slaves.

Now start the registry image in the master node:

docker run -d -p 5000:5000 --restart=always --name registry -v LOCAL_PATH:/var/lib/registry registry:2

Where LOCAL_PATH is an existing directory in your master node.

Push an image into your registry before you can pull.

In the master node:

docker push 192.168.127.1:5000/YOUR_IMAGE

Where YOUR_IMAGE is the name of the image that you want to distribute.

Now you can pull.

In the slave nodes:

docker pull 192.168.127.1:5000/YOUR_IMAGE

For Mac users, it seems like they added the ability to configure insecure registries in the GUI, via Preferences > Daemon > Insecure registries.

Try adding the --insecure-registry option to the daemon in the /etc/systemd/system/docker.service.d/docker.conf file. Then:

sudo systemctl daemon-reload

And:

sudo service docker restart

It worked for me

OS: Ubuntu 16.04 Docker: 1.26

For Docker version 18.09.2, I followed https://success.docker.com/article/using-systemd-to-control-the-docker-daemon

  1. sudo systemctl edit docker
  2. add below lines

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry registry:5000

  3. sudo systemctl daemon-reload
  4. systemctl restart docker
  5. systemctl status docker

With Docker For Mac, the registries setting doesn’t seem to be very sticky. I originally added my registry as https:// and got this error. I changed the address to http and restarted Docker, but the error persisted.

After removing the setting altogether, restarting Docker, then adding the setting back and restarting again it stuck and started working. YMMV.

For Docker version 19.03.1 on a Windows 10 machine, this is how I resolved it:

I opened up docker’s settings in the GUI.

Clicked on the Daemon section, then clicked on the Basic toggle button to enable Advanced mode.

Enter in your config. 😃

@wudiapo135, I did the same per your comments, but still got the same error: Private registry push fail: server gave HTTP response to HTTPS client

My docker version: Docker version 1.12.2, build bb80604

If you are using Docker for Windows with linux containers, the ‘insecure-registries’ setting is here: C:\Program Files\Docker\Docker\resources\linux-daemon-options.json

I’m using Docker for Windows, but I’m not actually using the ‘for Windows’ part. Instead I followed the ‘hyperv’ instructions.

  1. Install docker for windows but uncheck the ‘start at login’ box. Instead, follow the instructions for creating a docker machine using hyperv - https://docs.docker.com/machine/drivers/hyper-v/ . I called mine ‘dockervm’. I also created a virtual switch that is bridged so it has a real (external) IP.

  2. Create a scheduled task to run at startup ‘C:\Program Files\Docker\Docker\resources\bin\docker-machine start dockervm’. Make sure to not use double quotes as there is a bug in the windows 10 task scheduler.

  3. After step 1 your docker machine is running, use ‘docker-machine env dockervm’ to get the environment, and set it in your global environment settings.

  4. After a reboot, your dockervm should be running, and docker ps -a should return results.

  5. Run the registry locally: docker run -d -p 5000:5000 --name registry registry:2

  6. Open ‘Hyper-V Manager’ and select ‘dockervm’ (it should be running). Click ‘Connect…’ under dockervm on the right to open a shell. You should now be at a root shell prompt in your dockervm

  7. From the root shell prompt, cd to /var/lib/boot2docker

  8. vi profile

Add a new line to this part with your registry (my vm’s IP is 192.168.1.24):

EXTRA_ARGS=' --label provider=hyperv --insecure-registry=192.168.1.24:5000 '

  9. Restart the dockervm machine in hyperv manager

You should now be able to push to the registry

I had the same problem as here, but with Docker on Windows. Turns out that the file at C:\ProgramData\docker\config\daemon.json isn’t the only source of config here; if I right-click the docker icon in the taskbar and choose Settings…->Daemon and enable advanced config editing, I get a different set of settings.

Adding the insecure registry there, not in the daemon.json file on disk, seems to have solved my problem.

Only this worked for me in the /etc/docker/daemon.json file:

{ "insecure-registries" : ["127.0.0.0/8", "myregistrydomain.com:5000"] }

Execute these commands afterwards:

sudo systemctl daemon-reload
sudo systemctl restart docker
docker info

In the output of “docker info” look for:

Insecure Registries:
 myregistrydomain.com:5000
 127.0.0.0/8

Try it out now …
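The check described in the comment above (look for the registry under "Insecure Registries" in `docker info`), written out as an added example that is not part of the original thread. The function names and the sample text are constructed for illustration; the example matches exact `host:port` entries and IP literals against CIDR entries, and does not resolve hostnames the way the daemon does.

```python
import ipaddress

# Constructed excerpt modelled on the `docker info` output quoted in this thread.
SAMPLE_DOCKER_INFO = """\
Server Version: 1.12.0
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
Insecure Registries:
 127.0.0.0/8
"""

def parse_insecure_registries(info_text):
    """Return the entries listed under 'Insecure Registries:' in `docker info` text."""
    entries, header_indent = [], None
    for line in info_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            if stripped.startswith("Insecure Registries:"):
                header_indent = indent
                # Some layouts put entries on the header line itself.
                entries += stripped.split(":", 1)[1].split()
        elif stripped and indent > header_indent:
            entries.append(stripped)   # indented continuation line
        elif stripped:
            break                      # next key at same or outer level
    return entries

def is_insecure_allowed(registry, entries):
    """True if 'host:port' is listed verbatim or its IP literal is inside a CIDR entry."""
    host = registry.rsplit(":", 1)[0].strip("[]") if ":" in registry else registry
    for entry in entries:
        if entry == registry:
            return True
        if "/" in entry:
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # host is a name (not resolved here) or entry is not a CIDR
    return False

if __name__ == "__main__":
    effective = parse_insecure_registries(SAMPLE_DOCKER_INFO)
    for reg in ("10.10.10.40:5000", "127.0.0.1:5000"):
        state = "plain HTTP allowed" if is_insecure_allowed(reg, effective) else "HTTPS required"
        print(f"{reg}: {state} (effective list: {effective})")
```

If the registry is missing from the effective list even though a config file names it, the daemon is reading its options from somewhere else, which is the situation several comments in this thread describe.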

If someone with GitLab CI docker:dind as a service comes here (as I did), here’s the answer you’re looking for: https://stackoverflow.com/a/50133074 .

For future people who had my problem: If you installed docker using snap (run snap services to check if docker.dockerd is listed), you will need to add the insecure-registries entry to /var/snap/docker/current/config/daemon.json, not the default config location.

Solution: If you want to pull/push an image on a particular host, let’s say 10.20.30.120, from a private registry that you hosted on another node, then:

1. Go to /etc/hosts of your host and give the same domain name to this IP 10.20.30.120, like:
10.20.30.120 myregistry.local.com

2. Go to /etc/docker/daemon.json of your host. Note: if daemon.json is not present, create it inside /etc/docker/

3. Open daemon.json and write the following lines:
{ "insecure-registries": ["myregistry.local.com:5000"] }

4. Restart docker:
service docker stop
service docker start

5. Try to pull an image, e.g.:
docker pull "myregistry.local.com:5000/username/imagename"

That’s it!

I already configured “--insecure-registry localhost:5000” in /etc/sysconfig/docker and ran “systemctl restart docker”. See below:

[root@dhcp-140-36 ~]# docker info
Containers: 5
 Running: 0
 Paused: 0
 Stopped: 5
Images: 40
Server Version: 1.13.1
...
Insecure Registries:
 localhost:5000
 127.0.0.0/8
...

But, still got errors: Unable to connect to the server: http: server gave HTTP response to HTTPS client. Anyone know how to solve it? Thanks!

[root@dhcp-140-36 db-731491371]# oc adm catalog build --appregistry-org=jiazha --to=localhost:5000/jiazha/catalog:v1 --loglevel=8
...
INFO[0003] directory                                     dir=/tmp/manifests-314255191 file=learn-operator load=package
I1125 16:15:48.553395   11938 builder.go:105] database written /tmp/db-251746264/bundles.db
I1125 16:15:48.566404   11938 builder.go:115] built db layer /tmp/archive-942757578/layer.tar.gz
I1125 16:15:48.566462   11938 config.go:137] looking for config.json at /root/.docker/config.json
I1125 16:15:48.566694   11938 config.go:145] found valid config.json at /root/.docker/config.json
I1125 16:15:48.566743   11938 round_trippers.go:420] GET https://localhost:5000/v2/
I1125 16:15:48.566753   11938 round_trippers.go:427] Request Headers:
I1125 16:15:48.567916   11938 round_trippers.go:446] Response Status:  in 1 milliseconds
I1125 16:15:48.567929   11938 round_trippers.go:449] Response Headers:
I1125 16:15:48.567952   11938 helpers.go:217] Connection error: Get https://localhost:5000/v2/: http: server gave HTTP response to HTTPS client
F1125 16:15:48.567961   11938 helpers.go:114] Unable to connect to the server: http: server gave HTTP response to HTTPS client
[root@dhcp-140-36 ~]# docker run -it --rm -p 5000:5000 registry
WARN[0000] No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable.  go.version=go1.11.2 instance.id=871badf0-b4d3-44fe-aca3-300b969ede4f service=registry version=v2.7.1
INFO[0000] redis not configured                          go.version=go1.11.2 instance.id=871badf0-b4d3-44fe-aca3-300b969ede4f service=registry version=v2.7.1
INFO[0000] Starting upload purge in 1m0s                 go.version=go1.11.2 instance.id=871badf0-b4d3-44fe-aca3-300b969ede4f service=registry version=v2.7.1
INFO[0000] using inmemory blob descriptor cache          go.version=go1.11.2 instance.id=871badf0-b4d3-44fe-aca3-300b969ede4f service=registry version=v2.7.1
INFO[0000] listening on [::]:5000                        go.version=go1.11.2 instance.id=871badf0-b4d3-44fe-aca3-300b969ede4f service=registry version=v2.7.1
INFO[0060] PurgeUploads starting: olderThan=2019-11-18 08:16:34.579628009 +0000 UTC m=-604739.979538633, actuallyDelete=true 
INFO[0060] Purge uploads finished.  Num deleted=0, num errors=1 
INFO[0060] Starting upload purge in 24h0m0s              go.version=go1.11.2 instance.id=871badf0-b4d3-44fe-aca3-300b969ede4f service=registry version=v2.7.1

Ubuntu: edit the configuration file /etc/systemd/system/multi-user.target.wants/docker.service and add:

ExecStart=/usr/************* --insecure-registry yourip:5000

Also you can install haproxy and add into config:

frontend http
        bind *:80
        redirect scheme https if !{ ssl_fc }

frontend https
        bind *:443 ssl crt {{{ your certificate  }}}
        acl host_docker hdr(host) -i docker.domain.com
        reqadd X-Forwarded-Port:\ 443
        reqadd X-Forwarded-Proto:\ https
        reqadd X-Forwarded-Scheme:\ https
        use_backend docker if host_docker

backend docker
        reqadd X-Forwarded-Host:\ docker.domain.com
        server docker 127.0.0.1:5000

then you don’t need --insecure-registry flag…
