docker login fails: tls: server selected unsupported protocol version 301 - docker

I am using docker version 18.09.0, build 4d60db4 on a Windows machine and I am trying to log in to Artifactory using the following command:
docker login docker-registery.company.net
It prompts for username and password and I am providing them, however I am not able to login. It gives me the following error:
Error response from daemon: Get https://docker-registery.company.net/v2/: tls: server selected unsupported protocol version 301
Note: I am able to login to the Artifactory Repo Browser through my web browser by using the same username and password.
What is causing this issue when I try to login from the command-line? Is it some kind of proxy or certificate issue?

Protocol version 301 = TLS 1.0. That is an insecure TLS version, which has been selected by the server (in theory by Artifactory, but there can be a reverse proxy, Tomcat, etc. where TLS can be configured as well).
Configure TLS properly on the server side (enable support for TLS 1.1+) and your docker client will be able to establish a secure TLS connection. "Insecure registry" is just an insecure workaround.
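Added example, not part of the answers on this page: Go's crypto/tls prints the negotiated wire version in hex, which is why the Docker error reads "301" (0x0301). The sketch below parses a ServerHello record, reports the version the server selected (including the TLS 1.3 supported_versions extension) and compares it with a client floor. The function names, the constructed sample records and the TLS 1.2 default floor are assumptions for illustration; the page does not state the Docker client's actual minimum.

```python
import struct

# Wire codes from the TLS RFCs; "version 301" in the error is 0x0301.
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def selected_version(record: bytes) -> int:
    """Return the protocol version a server chose in its ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 39 or body[0] != 2:
        raise ValueError("first handshake message is not a ServerHello")
    (version,) = struct.unpack_from("!H", body, 4)   # legacy server_version
    pos = 4 + 2 + 32                                 # header, version, random
    pos += 1 + body[pos]                             # session_id
    pos += 2 + 1                                     # cipher suite, compression
    if pos + 2 <= len(body):                         # extensions present
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos, end = pos + 2, min(len(body), pos + 2 + ext_total)
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            # supported_versions (type 43) carries the real version in TLS 1.3
            if ext_type == 43 and ext_len == 2 and pos + 6 <= end:
                (version,) = struct.unpack_from("!H", body, pos + 4)
            pos += 4 + ext_len
    return version

def check(record: bytes, client_min: int = 0x0303) -> str:
    """Describe the selected version; client_min is an assumed client floor."""
    v = selected_version(record)
    verdict = "rejected by client" if v < client_min else "accepted"
    return f"{v:x} = {TLS_VERSIONS.get(v, 'unknown')}: {verdict}"

def build_server_hello(version: int, ext: bytes = b"") -> bytes:
    """Constructed sample input: a minimal ServerHello with a zeroed random."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\xc0\x13" + b"\x00"
    if ext:
        hello += struct.pack("!H", len(ext)) + ext
    msg = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(msg)) + msg

if __name__ == "__main__":
    print(check(build_server_hello(0x0301)))
    print(check(build_server_hello(0x0303, struct.pack("!HHH", 43, 2, 0x0304))))
```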

We have the same issue after some Windows update.
You can manually change the default TLS version in Windows by editing the registry.
Change the needed values in regedit.exe, or store this code as a .reg file and execute it.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
Hope it will solve your problem.

Try this,
docker login --username=yourUserName --email=abc@company.net dockerregistry.company.net:5000
Obviously, if you are using a port other than 5000 specify it after the colon.
Once you log in, you can do something like
docker push dockerregistry.company.net:5000/ubuntu
or
docker pull dockerregistry.company.net:5000/ubuntu

None of the above answers actually worked for me.
However, I managed to find a fix for it. Keep in mind that this is not a perfect solution but a workaround.
Here it goes...
I added my Artifactory registry as an insecure registry. Here's how to do it: https://docs.docker.com/registry/insecure/
Therefore, bypassing the TLS handshake.

Related

Docker for Mac and corporate proxy

I spent the whole day trying to pull an image on my MacBook through a corporate HTTP proxy, with no luck.
It is an authenticated proxy, of the form: http://username:password-with-special-characters@proxy.domain:8080
The http_proxy and https_proxy variables are set in my .zshrc.
The proxy details are set in the system's preferences.
When I try to docker pull hello-world without altering proxy settings in the Docker for Mac UI, I got:
Error response from daemon: Get https://registry-1.docker.io/v2/: Service Unavailable
When I also set the proxy through the Docker for Mac UI I got:
Error response from daemon: Get https://registry-1.docker.io/v2/: Proxy Authentication Required
I can curl https://registry-1.docker.io/v2/ directly on the terminal, and get back a 200.
I tried with and without URI encoding the special characters in my password, doesn't change a thing.
I used to have some issues with the same proxy on a Linux machine, but got it to work by messing with systemd. On macOS, I don't know if I can do something similar.
Help would be very much appreciated.
Thanks in advance!
For those who had this error, it was because of a bug between Cisco AnyConnect and Docker. This bug has been fixed with Docker for Mac 3.4.0.

Docker Desktop for Windows configure to use Proxy Auto-Config Script (PAC)

I am using Windows 10 Enterprise Version 1607.
We use a Proxy Auto Config (PAC) script for proxy config.
The problem is docker connectivity. I have Docker 17.12.0-ce (stable release) installed. I'm not able to configure Docker to use PAC to pull docker registry images.
Kindly help! I've gone through the official documentation several times, but nothing helpful. I'm not sure if I'm missing something.
A .pac configuration file actually returns a proxy server address based on which URL you are visiting.
So you can skip using the .pac and set your HTTP proxy directly in docker.
If you want to know what your proxy server address is, visit the .pac from your browser, read it and you will find the proxy server address in clear text there.

How can I talk https to my local docker registry (sonatype nexus)

From the documentation found here: https://books.sonatype.com/nexus-book/3.0/reference/docker.html
I can conclude that I cannot create a private docker registry unless I expose it through https.
Docker relies on secure connections using SSL to connect to the repositories. You are therefore required to expose the repository manager to your client tools via HTTPS. This can be configured via an external proxy server or directly with the repository manager. Further details can be found in Section 5.9.4, “Inbound SSL - Configuring to Serve Content via HTTPS”.
I have done all these steps (using reverse-proxy on https://localhost:5001 forwarding to nexus proxy registry with http connector). However now that I want to start pulling from my local registry, I cannot find a way to access it through https.
The following command, which is described here: https://docs.docker.com/engine/reference/commandline/pull/#pull-from-a-different-registry
docker pull localhost:5001/hello-world
returns:
Error response from daemon: error parsing HTTP 400 response body: invalid character '<' looking for beginning of value: "\n\n400 Bad Request\n\nBad Request\nYour browser sent a request that this server could not understand.\nReason: You're speaking plain HTTP to an SSL-enabled server port.\n Instead use the HTTPS scheme to access this URL, please.\n\n\n"
and when I try this:
docker pull https://localhost:5001/hello-world
I get:
invalid reference format
The solution to this is:
either having a valid SSL certificate for the proxy you're accessing the repository through
or
creating a self-signed certificate and manually inserting it in the Windows Trusted root authorities certificates
of the computer you want to access the registry from.
This should resolve any issues and relevant messages. Try accessing https://proxyUrl:5000/v2 and you should now be getting a different message than before as well as be able to pull and push to the registry.

Docker cannot access registry from openshift

Here is my whole scenario.
I have a RHEL 7.1 vmware image, with the corporate proxy properly configured, accessing stuff over http or https works properly.
Installed docker-engine, and added the HTTP_PROXY setting to /etc/systemd/system/docker.service.d/http-proxy.conf. I can verify the proxy setting is picked up by executing:
sudo systemctl show docker --property Environment
which will print:
Environment=HTTP_PROXY=http://proxy.mycompany.com:myport/ with real values of course.
Pulling and running docker images works correctly this way.
The goal is to work with the binary distribution of openshift-origin. I downloaded the binaries, and started setting up things as per the walkthrough page on github:
https://github.com/openshift/origin/blob/master/examples/sample-app/README.md
Starting openshift seems to work as I can:
* login via the openshift cli
* create a new project
* even access the web console
But when I try to create an app in the project (also via the cli):
oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-hello-world.git
It fails:
error: can't look up Docker image "centos/ruby-22-centos7": Internal error occurred: Get https://registry-1.docker.io/v2/: dial tcp 52.71.246.213:443: connection refused
I can access (without authentication though) this endpoint via the browser on the VM or via WGET.
Hence I believe DOCKER fails to pick up the proxy settings. After some searching I also fear if there are IPTABLES settings missing. Referring to:
https://docs.docker.com/v1.7/articles/networking/
But I don't know if I should fiddle with the IPTABLES settings, should not Docker figure that out itself?
Check your HTTPS_PROXY environment property.

How to fix insecure-registry error on clients by updating the docker registry server

When upgrading to docker 1.3 the docker client produced the following error:
...
If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry <my registry>` to the daemon's arguments.
...
This registry is behind our company's firewall, so I do not wish to add any security. Is there a way to remove this error at the registry server? What is the simplest way to do this? Is it enabling https or is there a simpler trick?
I do not want to update the config for all the registry clients
You have to use https if you want to avoid this warning. Also you need a certificate signed by a known CA. Docker is trying to force security by this.
The other possibility is to use --insecure-registry when using the client.
