I have pulled the registry:2.2 and launching it this way:

docker run -d -p 5000:5000 --restart=always --name registry_private \ -v /var/lib/docker/data:/var/lib/registry \ -vpwd/auth:/auth \ -e "REGISTRY_AUTH=htpasswd" \ -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \ registry:2.2
I’ve only added this to the registry/config.yml file:
proxy: remoteurl: https://registry-1.docker.io
I have an alias in /etc/hosts for registry.internal and the user is working with curl or docker (1.9.1) login…
I’ve added these arguments to the docker daemon :
--insecure-registry registry.internal:5000 \ --registry-mirror=https://registry.internal:5000

And I can push my own images and then pull them from it, but I can’t seem to pull images from the docker hub.
If I try to, say, pull elasticsearch from the local registry for it to fetch and cache it from the main one, it gives me this in the logs:

time="2015-11-26T22:41:44Z" level=warning msg="error authorizing context: basic authentication challenge: htpasswd.challenge{realm:\"Registry Realm\", err:(*errors.errorString)(0xc2080f94c0)}" go.version=go1.4.3 http.request.host="registry.internal:5000" http.request.id=bf6acc88-edf8-43e2-80ee-ccbd9aa494ef http.request.method=GET http.request.remoteaddr="192.168.10.10:58090" http.request.uri="/v2/" http.request.useragent="docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.3.0-custom os/linux arch/amd64" instance.id=3d8bf58b-9524-4b0c-982d-5ac62c45d905 version=v2.2.0 192.168.10.10 - - [26/Nov/2015:22:41:44 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.3.0-custom os/linux arch/amd64" time="2015-11-26T22:41:44Z" level=error msg="response completed with error" auth.user.name=internal err.code="MANIFEST_UNKNOWN" err.detail="unauthorized: access to the requested resource is not authorized" err.message="manifest unknown" go.version=go1.4.3 http.request.host="registry.internal:5000" http.request.id=5f9d01b8-35bd-4f20-accd-550818928754 http.request.method=GET http.request.remoteaddr="192.168.10.10:58092" http.request.uri="/v2/elasticsearch/manifests/latest" http.request.useragent="docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.3.0-custom os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=354.587935ms http.response.status=404 http.response.written=251 instance.id=3d8bf58b-9524-4b0c-982d-5ac62c45d905 vars.name=elasticsearch vars.reference=latest version=v2.2.0 192.168.10.10 - - [26/Nov/2015:22:41:44 +0000] "GET /v2/elasticsearch/manifests/latest HTTP/1.1" 404 251 "" "docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.3.0-custom os/linux arch/amd64" 192.168.10.10 - - [26/Nov/2015:22:41:44 +0000] "GET /v1/repositories/elasticsearch/images HTTP/1.1" 404 19 "" "docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.3.0-custom os/linux arch/amd64"

I tried also tried with a self-signed certificate, installed on the daemon’s side, with the same results.
Has anyone succeeded in running a local caching mirror and what are the minimal configuration you used that worked?

Thanks!

Same problem with silly-realm, when trying to pull from registry.internal:5000/busybox :

level=warning msg="error authorizing context: silly authentication challenge: silly.challenge{realm:\"silly-realm\", service:\"silly-service\", scope:\"\"}"

Also, even a successful login with the htpasswd gets me this in the logs:
time="2015-11-27T15:13:27Z" level=warning msg="error authorizing context: basic authentication challenge: htpasswd.challenge{realm:\"Registry Realm\", err:(*errors.errorString)(0xc208103450)}" go.version=go1.4.3 http.request.host="registry.delve:5000" http.request.id=cef981bb-8ada-4935-94d3-230906494d79 http.request.method=GET http.request.remoteaddr="192.168.10.10:49280" http.request.uri="/v2/" http.request.useragent="docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.3.0-custom os/linux arch/amd64" instance.id=28530d0c-3f4a-4995-994d-6a0700b79eff version=v2.2.0