Docker Community Forums

Share and learn in the Docker community.

Registry 2 + tls+htpasswd


(Sean Boran) #1

Hi,

I cannot login to a local registry with tls+htpasswd authentication.

I presume that the process is to do a docker login to the registry, then docker pull/push.

a) login without TLS (this probably should not work anyway, once TLS is enabled?)
docker login -p=testuser -u=testpassword -e=root@example.ch 127.0.0.1:5000

Error response from daemon: no successful auth challenge for https://127.0.0.1:5000/v2/ - errors: [basic auth attempt to https://127.0.0.1:5000/v2/ realm “MyDomain” failed with status: 401 Unauthorized]

b) login with TLS
docker login -p=testuser -u=testpassword -e=root@example.ch registry.myfqdn.net:5000

Error response from daemon: invalid registry endpoint https://registry.myfqdn.net:5000/v0/: unable to ping registry endpoint https://registry.myfqdn.net:5000/v0/
v2 ping attempt failed with error: Get https://registry.myfqdn.net:5000/v2/: Forbidden
v1 ping attempt failed with error: Get https://registry.myfqdn.net:5000/v1/_ping: Forbidden. If this private registry supports only HTTP or HTTPS with an unknown CA certificate,

=== Analysis/Debugging…

The registry container indicates that httpasswd and TLS are configured on startup:
time=“2015-09-28T05:49:54.395121562Z” level=debug msg=“configured “htpasswd” access controller” instance.id=d7ec8772-0484-4e1c-b1ac-1c826bb63a5a service=registry version=v2.1.1

time=“2015-09-28T05:49:54.642314471Z” level=info msg=“listening on [::]:5000, tls” instance.id=d7ec8772-0484-4e1c-b1ac-1c826bb63a5a service=registry version=v2.1.1

Testing with curl if the SSL handshaking/cert validation work fine:
curl -vvv https://registry.myfqdn.net:5000

.....
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* 	 subject: C=CH; .........
* 	 start date: 2014-12-18 15:20:28 GMT
* 	 expire date: 2017-12-17 15:20:28 GMT
* 	 common name: *.myfqdn.net (matched)
* 	 issuer: C=ch; ........
* 	 SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: registry.myfqdn.net:5000
> Accept: */*
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
< Date: Mon, 28 Sep 2015 05:58:49 GMT
< Content-Length: 19
404 page not found
* Connection #0 to host registry.myfqdn.net left intact

(Note: the intermediate CA is also bundled with in domain.crt as per docs)

– httpasswd creation–
docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/htpasswd

– docker compose is used to create the registry:

registry:
  container_name: registry
  image: registry:2
  ports:
    - 5000:5000
  volumes:
    - ./registry-config.yml:/etc/docker/registry/config.yml
    - ./data:/var/lib/registry
    - ./certs:/certs
    - ./auth:/auth

— registry config –

version: 0.1
log:
  level: debug
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  htpasswd:
    realm: MyDomain
    path: /auth/htpasswd
http:
  addr: :5000
  secret: FooBar
  tls:
    certificate: /certs/domain.crt
    key: /certs/domain.key
  headers:
    X-Content-Type-Options: [nosniff]

During the login process, “docker logs -f registry” does not show anything, indicating that is the docker client that is breaking off?

Next I tried docker-in-docker to see if it could help debug. There are no TLS errors, but a "no successful auth challenge"
docker run --privileged --name some-docker -d docker:1.8-dind -D
docker run -it --rm --link some-docker:docker docker:1.8 sh
docker login -p=testuser -u=testpassword -e=root@example.ch registry.myfqdn.net:5000

Error response from daemon: no successful auth challenge for https://registry.myfqdn.net:5000/v2/ - errors: [basic auth attempt to https://registry.myfqdn.net:5000/v2/ realm “MyDomain” failed with status: 401 Unauthorized]

Reference documentation used:https://github.com/docker/distribution/blob/master/docs/deploying.md

Sorry for the long post, but the idea was to include as much detail as possible…

Questions

What is the function of the “email” parameter in docker-login?
Any tips on what has been missed above?
How can I debug this in more detail?

Thanks in advance