Hi,
I cannot login to a local registry with tls+htpasswd authentication.
I presume that the process is to do a docker login to the registry, then docker pull/push.
a) login without TLS (this probably should not work anyway, once TLS is enabled?)
docker login -p=testuser -u=testpassword -e=root@example.ch 127.0.0.1:5000
Error response from daemon: no successful auth challenge for https://127.0.0.1:5000/v2/ - errors: [basic auth attempt to https://127.0.0.1:5000/v2/ realm "MyDomain" failed with status: 401 Unauthorized]
b) login with TLS
docker login -p=testuser -u=testpassword -e=root@example.ch registry.myfqdn.net:5000
Error response from daemon: invalid registry endpoint https://registry.myfqdn.net:5000/v0/: unable to ping registry endpoint https://registry.myfqdn.net:5000/v0/
v2 ping attempt failed with error: Get https://registry.myfqdn.net:5000/v2/: Forbidden
v1 ping attempt failed with error: Get https://registry.myfqdn.net:5000/v1/_ping: Forbidden. If this private registry supports only HTTP or HTTPS with an unknown CA certificate,
=== Analysis/Debugging…
The registry container indicates that htpasswd and TLS are configured on startup:
time="2015-09-28T05:49:54.395121562Z" level=debug msg="configured \"htpasswd\" access controller" instance.id=d7ec8772-0484-4e1c-b1ac-1c826bb63a5a service=registry version=v2.1.1
…
time="2015-09-28T05:49:54.642314471Z" level=info msg="listening on [::]:5000, tls" instance.id=d7ec8772-0484-4e1c-b1ac-1c826bb63a5a service=registry version=v2.1.1
Testing with curl whether the SSL handshake/cert validation works fine:
curl -vvv https://registry.myfqdn.net:5000
.....
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=CH; .........
* start date: 2014-12-18 15:20:28 GMT
* expire date: 2017-12-17 15:20:28 GMT
* common name: *.myfqdn.net (matched)
* issuer: C=ch; ........
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: registry.myfqdn.net:5000
> Accept: */*
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
< Date: Mon, 28 Sep 2015 05:58:49 GMT
< Content-Length: 19
404 page not found
* Connection #0 to host registry.myfqdn.net left intact
(Note: the intermediate CA is also bundled in domain.crt as per the docs)
– htpasswd creation –
docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/htpasswd
– docker compose is used to create the registry –
```yaml
registry:
  container_name: registry
  image: registry:2
  ports:
    - 5000:5000
  volumes:
    - ./registry-config.yml:/etc/docker/registry/config.yml
    - ./data:/var/lib/registry
    - ./certs:/certs
    - ./auth:/auth
```
– registry config –
```yaml
version: 0.1
log:
  level: debug
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  htpasswd:
    realm: MyDomain
    path: /auth/htpasswd
http:
  addr: :5000
  secret: FooBar
  tls:
    certificate: /certs/domain.crt
    key: /certs/domain.key
  headers:
    X-Content-Type-Options: [nosniff]
```
During the login process, "docker logs -f registry" does not show anything, indicating that it is the docker client that is breaking off?
Next I tried docker-in-docker to see if it could help debug. There are no TLS errors, but a "no successful auth challenge":
docker run --privileged --name some-docker -d docker:1.8-dind -D
docker run -it --rm --link some-docker:docker docker:1.8 sh
docker login -p=testuser -u=testpassword -e=root@example.ch registry.myfqdn.net:5000
Error response from daemon: no successful auth challenge for https://registry.myfqdn.net:5000/v2/ - errors: [basic auth attempt to https://registry.myfqdn.net:5000/v2/ realm "MyDomain" failed with status: 401 Unauthorized]
Reference documentation used: https://github.com/docker/distribution/blob/master/docs/deploying.md
Sorry for the long post, but the idea was to include as much detail as possible…
Questions
What is the function of the "email" parameter in docker login?
Any tips on what has been missed above?
How can I debug this in more detail?
Thanks in advance
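Added example (not part of the original post or of the registry project): a Python 3 diagnostic, standard library only, for a 401 from the htpasswd backend. It checks that the username being passed to `docker login -u` actually has an entry in the htpasswd file and that the entry is bcrypt (registry:2's htpasswd access controller accepts bcrypt hashes only; an MD5 or SHA entry from a stock Apache `htpasswd` just produces 401), then sends the same basic-auth GET to `/v2/` that the docker client sends and reports the status and challenge realm. The htpasswd sample below is constructed with a placeholder hash, and the registry URL is an assumption.

```python
import base64
import re
import urllib.error
import urllib.request

# Constructed sample: the hash is a placeholder in bcrypt format, not a real
# bcrypt of any password. The real file comes from `htpasswd -Bbn user pass`.
SAMPLE_HTPASSWD = "testuser:$2y$05$PLACEHOLDERbcrypt.hash.value\n"

# registry:2 only accepts bcrypt entries ($2a$, $2b$, $2y$ prefixes).
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$")


def check_htpasswd(content, username):
    """Return (found, is_bcrypt) for `username` in htpasswd text."""
    for line in content.splitlines():
        if ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        if user == username:
            return True, bool(BCRYPT_RE.match(hashed))
    return False, False


def parse_realm(www_authenticate):
    """Extract the realm from a 'Basic realm="..."' challenge header."""
    match = re.search(r'realm="([^"]*)"', www_authenticate)
    return match.group(1) if match else None


def probe_v2(registry_url, username, password, timeout=10):
    """GET <registry>/v2/ with basic auth, as `docker login` does after the
    challenge; return (HTTP status, realm) so a 401 can be diagnosed."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(registry_url.rstrip("/") + "/v2/",
                                 headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, parse_realm(resp.headers.get("WWW-Authenticate", ""))
    except urllib.error.HTTPError as err:
        return err.code, parse_realm(err.headers.get("WWW-Authenticate", ""))


if __name__ == "__main__":
    # Offline part: is the username present, and is its hash bcrypt?
    print(check_htpasswd(SAMPLE_HTPASSWD, "testuser"))
    # Online part (assumed URL); 200 means the credentials were accepted.
    print(probe_v2("https://registry.myfqdn.net:5000", "testuser", "testpassword"))
```

Run the offline check against the real `auth/htpasswd` contents and against the value given to `-u`; a `(False, False)` result means the registry never sees a matching user, which is exactly the 401 reported above.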