Issues Pulling Images from Docker Hub Behind Proxy with SSL Interception on RHEL 7.9

Hello Docker Community,

I’m encountering an issue when trying to pull images from Docker Hub while behind a proxy with SSL interception in our on-premises data center. Interestingly, pulling images from quay.io works without any issues, but Docker Hub connections break and throw authentication and timeout errors. Here are the details of my setup and the troubleshooting steps I’ve taken so far:

Setup Details:

  • Environment: On-premises data center
  • Proxy: Enabled with SSL interception
  • Docker Version: 20.10.12
  • OS: RHEL 7.9

Proxy Configuration:

I’ve configured the proxy settings in both the Docker daemon and as environment variables:

export HTTP_PROXY=http://your.proxy.server:port
export HTTPS_PROXY=https://your.proxy.server:port
export NO_PROXY=localhost,127.0.0.1,your.registry.server

I’ve also added the proxy settings in /etc/systemd/system/docker.service.d/http-proxy.conf and /etc/docker/daemon.json:

[Service]
Environment="HTTP_PROXY=http://your.proxy.server:port"
Environment="HTTPS_PROXY=https://your.proxy.server:port"
Environment="NO_PROXY=localhost,127.0.0.1,your.registry.server"

{
    "proxies": {
        "default": {
            "httpProxy": "http://your.proxy.server:port",
            "httpsProxy": "https://your.proxy.server:port",
            "noProxy": "localhost,127.0.0.1,your.registry.server"
        }
    }
}

SSL Certificate:

I’ve added the proxy’s SSL certificate to Docker’s trusted certificates:

sudo mkdir -p /etc/docker/certs.d/docker.io
sudo cp your-proxy-cert.crt /etc/docker/certs.d/docker.io/
sudo update-ca-certificates
sudo systemctl restart docker

Observations and Issues:

  1. Pulling images from quay.io works perfectly fine.
  2. Pulling images from Docker Hub results in connection breaks with authentication and timeout errors.

Request for Help:

I’m looking for suggestions or insights from the community to resolve this issue.

The /etc/docker/certs.d/ is intended for custom/private repos.
I’m not sure it’s possible to manipulate the docker.io ones.

A solution could be to add it as an insecure repo:

"insecure-registries": ["docker.io"]

You ran update-ca-certificates but that has nothing to do with Docker. If you want the whole system to trust your cert, you have to add the cert to trusted certs of the OS. That should be somewhere under /etc/pki. I’m not a RHEL user so I just searched for this:

Is update-ca-certificates available on RHEL? I saw update-ca-trust in the post above. Maybe it is available in newer versions.

I would not add docker.io to the insecure registries, because that would mean no certificate validation, so even if you are not communicating with Docker Hub, it could work and you wouldn’t notice. Or it wouldn’t work, but by that time you already tried to log in and shared your credentials. Maybe it can’t happen with SSL interception, but I wouldn’t sleep well knowing I simply ignore certificates.
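
The risk raised in the last reply can be checked for mechanically. The following is an added example, not part of the thread: a small audit of daemon.json content that flags insecure-registries entries which switch off certificate validation for Docker Hub or for address ranges outside internal networks. The Docker Hub alias list, the internal ranges and the sample configuration are assumptions constructed for the example.

```python
import ipaddress
import json

# Names that reach Docker Hub (assumed alias list; extend for your environment).
HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}
# Ranges treated as internal for this check (assumption: RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def classify_entry(entry):
    """Return a finding string for a risky insecure-registries entry, else None."""
    try:
        # insecure-registries accepts CIDR ranges as well as host[:port] names.
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Not an address or range: treat it as host[:port] and drop the port.
        host = entry.lower().split("/")[0].split(":")[0]
        if host in HUB_HOSTS:
            return "public-registry: TLS validation disabled for Docker Hub (%s)" % entry
        return None
    if net.version == 4 and any(net.subnet_of(i) for i in INTERNAL_NETS):
        return None
    # Anything else (including IPv6 ranges) is reported for manual review.
    return "broad-cidr: %s covers addresses outside internal ranges" % entry


def audit_daemon_json(text):
    """Parse daemon.json content and list risky insecure-registries entries."""
    config = json.loads(text)
    entries = config.get("insecure-registries", [])
    return [f for f in map(classify_entry, entries) if f]


# Constructed sample, modelled on the setting suggested in the thread.
SAMPLE = """
{
  "insecure-registries": ["docker.io", "registry.corp.example:5000",
                          "10.20.0.0/16", "0.0.0.0/0"]
}
"""

if __name__ == "__main__":
    for finding in audit_daemon_json(SAMPLE):
        print(finding)
```

To audit a real host, pass the contents of /etc/docker/daemon.json to audit_daemon_json instead of SAMPLE.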