We have a private docker registry at work (based on portus, but whatever) and I try to push an image to this registry but it doesn't work. It fails with the following error message:
$ sudo docker login archive.docker-registry.mycompany.com
Username: mylogin
Password:
Error response from daemon: Get https://archive.docker-registry.mycompany.com/v1/users/:
net/http: TLS handshake timeout
$
I already configured the proxy in /etc/systemd/system/docker.service.d/http-proxy.conf (my docker is on centos 7):
[Service]
Environment="HTTP_PROXY=http://proxy.mycompany.com:8000/" "NO_PROXY=localhost,127.0.0.1,archive.docker-registry.mycompany.com"
but it still fails.
I tried to use HTTPS_PROXY instead of HTTP_PROXY using either http or https in url, I tried to download certificate manually and configure them in system (update-ca-certs) but it keeps failing.
When I changed this configuration file, as root, I executed:
# systemctl daemon-reload
# systemctl restart docker
How do I fix the TLS handshake error? The quickest solution to resolve this SSL/TLS handshake error is to restore your browser's original settings and disable all plugins. From there, you can customize the browser as needed, checking your connection with the website in question as you go.
A caching proxy for Docker; allows centralised management of (multiple) registries and their authentication; caches images from any registry. Caches the potentially huge blob/layer requests (for bandwidth/time savings), and optionally caches manifest requests ("pulls") to avoid rate-limiting.
A private Docker registry allows you to share your custom base images within your organization, keeping a consistent, private, and centralized source of truth for the building blocks of your architecture.
actually, I found that if I comment out the full Environment line it works for the private registry but not for docker hub anymore (of course, no more proxy). And here is the final solution that works for both private registry and docker hub public registry:
In the NO_PROXY environment variable, only the domain name should be used, not the FQDN (including "archive." hostname prefix):
Here is my config file now:
[Service]
Environment="HTTP_PROXY=http://proxy.mycompany.com:8000/" "NO_PROXY=localhost,127.0.0.1,docker-registry.mycompany.com"
Note that there is no more "archive." nor "portus." prefix in NO_PROXY anymore, just the domain name starting from "docker-registry".
As I saw the docker login command line including "archive." prefix, it was misleading and I thought it had to be in the NO_PROXY environment variable... but no, it should not.
Hope it helps someone. I wish I found the answer on google before, but I didn't so I'm just posting it here, it might help someone.
If you are using a private registry, you need to place the certificate for that under /etc/docker/certs.d/registryname/ca.crt
registryname will change accordingly
Also, please change your MTU size to 1300, this was also one thing I did to resolve the error. Registry one I believe you might have already done. Command for MTU change
ip link set dev eth0 mtu 1300
MTU size is important to check
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With