
Docker/GitLab authentication for docker registry returns 401 error

I'm trying to configure my docker registry using auth of gitlab (docker).

Doing docker login registry.website.com gives me a 401 Unauthorized error:

Error response from daemon: login attempt to https://registry.website.com/v2/ failed with status: 401 Unauthorized

In the docker logs I find

{ "level":"info","msg":"token signed by untrusted key with ID: \"IWNY:KT2H:YUN5:STQP:22LM:YNIU:RT4T:AZO7:TBVL:ZQ3I:Z4JZ:LA3T\"","time":"2018-12-17T23:36:03.538232467Z" }
{ [...] "level":"warning","msg":"error authorizing context: invalid token","service":"registry","source":"registry","time":"2018-12-17T23:36:03.53860308Z","version":"v2.6.2" }

My keys are generated by doing

$ sudo openssl req -new -newkey rsa:4096 -subj "/CN=gitlab-issuer" -nodes -x509 -keyout registry-auth.key -out registry-auth.crt
$ sudo chmod 400 registry-auth.key

In my debugging attempt I do get different sha256 digests:

459b854f47c51bd94e0fd696cc35148cf93065df986abcc368cf13958373d298
459b854f47c51bd94e0fd696cc35148cf93065df986abcc368cf13958373

As @VDR has shown this is ok, as the first 30 characters are used. So with that there should not be a problem with the keys. But why do I get the 401 error?

This is how I configured gitlab and the registry:

The configuration of docker gitlab (gitlab.rb) uses the key by

gitlab_rails['registry_key_path'] = "/certs/registry-auth.key"

Config of registry has

auth.token.rootcertbundle: /root/certs/registry-auth.crt

nginx-proxy/vhost.d/docker-registry.conf

proxy_pass                          http://registry.website.com;
proxy_set_header  Host              $http_host;   # required for docker client's sake
proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header  X-Forwarded-Proto $scheme;
proxy_read_timeout                  900;

I don't see what I'm missing here...

user3142695 asked Dec 18 '18 09:12
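The key ID in the registry log line above can be recomputed from a public key, which shows which key actually signed the rejected token. The sketch below is an added example, not part of the original post: it assumes the key ID scheme of the libtrust library used by registry v2.6.x (SHA-256 of the DER public key, first 30 bytes, base32, groups of four), the function names are hypothetical, and the log line and digest are copied from the question.

```python
import base64
import hashlib
import json
import re

# Both values are copied verbatim from the question.
LOG_LINE = r'{ "level":"info","msg":"token signed by untrusted key with ID: \"IWNY:KT2H:YUN5:STQP:22LM:YNIU:RT4T:AZO7:TBVL:ZQ3I:Z4JZ:LA3T\"","time":"2018-12-17T23:36:03.538232467Z" }'
QUESTION_DIGEST = "459b854f47c51bd94e0fd696cc35148cf93065df986abcc368cf13958373d298"


def encode_key_id(sha256_digest: bytes) -> str:
    """Key ID text form: first 30 digest bytes, base32, split into groups of 4."""
    b32 = base64.b32encode(sha256_digest[:30]).decode().rstrip("=")
    return ":".join(b32[i:i + 4] for i in range(0, len(b32), 4))


def key_id_from_spki(spki_der: bytes) -> str:
    """Key ID of a public key given its DER SubjectPublicKeyInfo, e.g. from:
    openssl x509 -in registry-auth.crt -noout -pubkey | openssl pkey -pubin -outform DER
    """
    return encode_key_id(hashlib.sha256(spki_der).digest())


def untrusted_key_id(log_line: str):
    """Return the key ID from a registry 'untrusted key' log entry, else None."""
    try:
        entry = json.loads(log_line)
    except ValueError:  # truncated or non-JSON line
        return None
    msg = entry.get("msg", "") if isinstance(entry, dict) else ""
    match = re.search(r'untrusted key with ID: "([A-Z2-7:]+)"', msg)
    return match.group(1) if match else None


def signer_matches(log_line: str, digest_hex: str) -> bool:
    """True when the rejected token was signed by the key with this SHA-256 digest."""
    return untrusted_key_id(log_line) == encode_key_id(bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("signer in log:", untrusted_key_id(LOG_LINE))
    print("from digest  :", encode_key_id(bytes.fromhex(QUESTION_DIGEST)))
    print("same key     :", signer_matches(LOG_LINE, QUESTION_DIGEST))
```

If the ID from the log equals the ID derived from your certificate's public key, the token was signed with the expected key, and the thing left to check is whether the registry process actually loads that certificate from its rootcertbundle path.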


1 Answer

If your Gitlab is behind a proxy, you will need to configure the proxy in docker.

To configure docker to use the proxy, put the following in your ~/.docker/config.json file where your docker is running.

{
  "auths" : {

  },
  "proxies":
  {
    "default":
    {
      "httpProxy": "http://myproxy/",
      "httpsProxy": "http://myproxy/"
    }
  }
}

If there is anything already in the "auths": {} section, you should leave it as is.

Save this file then restart your docker daemon. Once docker is back up, you should be able to run docker login ... without issues.

grizzthedj answered Nov 02 '22 11:11