Registry 2 + tls+htpasswd


I cannot log in to a local registry with tls+htpasswd authentication.

I presume that the process is to do a docker login to the registry, then docker pull/push.

a) login without TLS (this probably should not work anyway, once TLS is enabled?)
docker login -p=testuser -u=testpassword

Error response from daemon: no successful auth challenge for - errors: [basic auth attempt to realm “MyDomain” failed with status: 401 Unauthorized]

b) login with TLS
docker login -p=testuser -u=testpassword

Error response from daemon: invalid registry endpoint unable to ping registry endpoint
v2 ping attempt failed with error: Get Forbidden
v1 ping attempt failed with error: Get Forbidden. If this private registry supports only HTTP or HTTPS with an unknown CA certificate,

=== Analysis/Debugging…

The registry container indicates that htpasswd and TLS are configured on startup:
time=“2015-09-28T05:49:54.395121562Z” level=debug msg=“configured “htpasswd” access controller” service=registry version=v2.1.1

time=“2015-09-28T05:49:54.642314471Z” level=info msg=“listening on [::]:5000, tls” service=registry version=v2.1.1

Testing with curl whether the SSL handshake/cert validation works fine:
curl -vvv

* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* 	 subject: C=CH; .........
* 	 start date: 2014-12-18 15:20:28 GMT
* 	 expire date: 2017-12-17 15:20:28 GMT
* 	 common name: * (matched)
* 	 issuer: C=ch; ........
* 	 SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host:
> Accept: */*
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
< Date: Mon, 28 Sep 2015 05:58:49 GMT
< Content-Length: 19
404 page not found
* Connection #0 to host left intact

(Note: the intermediate CA is also bundled in domain.crt as per the docs)

– htpasswd creation –
docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/htpasswd

– docker compose is used to create the registry:

  container_name: registry
  image: registry:2
  ports:
    - 5000:5000
  volumes:
    - ./registry-config.yml:/etc/docker/registry/config.yml
    - ./data:/var/lib/registry
    - ./certs:/certs
    - ./auth:/auth

– registry config –

version: 0.1
log:
  level: debug
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  htpasswd:
    realm: MyDomain
    path: /auth/htpasswd
http:
  addr: :5000
  secret: FooBar
  tls:
    certificate: /certs/domain.crt
    key: /certs/domain.key
  headers:
    X-Content-Type-Options: [nosniff]

During the login process, “docker logs -f registry” does not show anything, indicating that it is the docker client that is breaking off?

Next I tried docker-in-docker to see if it could help debug. There are no TLS errors, but a "no successful auth challenge" error:
docker run --privileged --name some-docker -d docker:1.8-dind -D
docker run -it --rm --link some-docker:docker docker:1.8 sh
docker login -p=testuser -u=testpassword

Error response from daemon: no successful auth challenge for - errors: [basic auth attempt to realm “MyDomain” failed with status: 401 Unauthorized]

Reference documentation used:

Sorry for the long post, but the idea was to include as much detail as possible…


What is the function of the “email” parameter in docker-login?
Any tips on what has been missed above?
How can I debug this in more detail?

Thanks in advance
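
One way to take the docker client out of the picture when debugging this, as an added example that is not part of the original post: request the registry's /v2/ endpoint directly, first anonymously and then with basic auth, and compare the status codes. `FakeRegistry` is a constructed stand-in that holds the credentials from the htpasswd step and serves plain HTTP so the script runs offline; `ping`, `diagnose` and `start_fake_registry` are hypothetical helper names.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"testuser": "testpassword"}  # constructed; mirrors the htpasswd entry in the post

class FakeRegistry(BaseHTTPRequestHandler):
    """Constructed stand-in for a registry /v2/ endpoint protected by basic auth."""
    def do_GET(self):
        ok, header = False, self.headers.get("Authorization", "")
        if header.startswith("Basic "):
            user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
            ok = USERS.get(user) == pw
        self.send_response(200 if ok else 401)
        self.send_header("Docker-Distribution-Api-Version", "registry/2.0")
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="MyDomain"')
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def ping(base_url, user=None, password=None):
    """GET <base_url>/v2/; return (status, WWW-Authenticate header or None)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/v2/")
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:  # 401/403 arrive here
        return err.code, err.headers.get("WWW-Authenticate")

def diagnose(base_url, user, password):
    """Anonymous ping (expect 401 plus a challenge), then the same ping with credentials."""
    anon_status, challenge = ping(base_url)
    auth_status, _ = ping(base_url, user, password)
    return {"anonymous": anon_status, "challenge": challenge, "authenticated": auth_status}

def start_fake_registry():
    server = HTTPServer(("127.0.0.1", 0), FakeRegistry)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

if __name__ == "__main__":
    server, url = start_fake_registry()
    print(diagnose(url, "testuser", "testpassword"))  # as given to htpasswd -Bbn
    print(diagnose(url, "testpassword", "testuser"))  # as passed in the post: -u=testpassword -p=testuser
    server.shutdown()
```

Against a real registry, pass its https:// base URL to `diagnose`; the default `urllib` TLS verification then applies, so a certificate problem surfaces as an exception rather than a 401.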