docker login behind proxy on private registry gives TLS handshake timeout


Solution 1

Actually, I found that if I comment out the full Environment line, it works for the private registry but not for Docker Hub anymore (of course, since there is no more proxy). Here is the final solution that works for both the private registry and the Docker Hub public registry:

In the NO_PROXY environment variable, only the domain name should be used, not the FQDN (including the "archive." hostname prefix):

Here is my config file now:

[Service]
Environment="HTTP_PROXY=http://proxy.mycompany.com:8000/" "NO_PROXY=localhost,127.0.0.1,docker-registry.mycompany.com"

Note that there is no longer an "archive." or "portus." prefix in NO_PROXY, just the domain name starting from "docker-registry".

As I saw the docker login command line including the "archive." prefix, it was misleading and I thought it had to be in the NO_PROXY environment variable... but no, it should not.

Hope it helps someone. I wish I had found the answer on Google before, but I didn't, so I'm just posting it here; it might help someone.
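Added example (editor's addition, not part of the answer above): the Docker daemon is a Go program, and its registry client picks a proxy through Go's standard net/http.ProxyFromEnvironment, so you can reproduce the bypass decision offline with the exact HTTP_PROXY and NO_PROXY values from the answer. The helper name proxyFor is an assumption of this example; the hostnames are the ones from the question and answer. It also goes one step beyond the answer by showing that a target with an explicit :443 port is still bypassed, because a bare domain entry in NO_PROXY matches that domain and every subdomain regardless of port.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// proxyFor reports which proxy Go's net/http.ProxyFromEnvironment selects for
// each target URL under the given HTTP_PROXY/HTTPS_PROXY and NO_PROXY values.
// dockerd's registry client goes through this same environment-driven logic,
// so the result mirrors how the daemon routes a `docker login`.
// The map holds the chosen proxy host:port per target, or "" for a direct
// connection (NO_PROXY matched, or the host is localhost/loopback).
//
// Caveat: net/http reads the proxy environment once per process and caches
// it, so call this helper with a single configuration per run.
func proxyFor(proxyURL, noProxy string, targets []string) (map[string]string, error) {
	// Current Go consults HTTPS_PROXY for https:// targets and HTTP_PROXY for
	// http:// targets, with no fallback between them, so set both here.
	os.Setenv("HTTP_PROXY", proxyURL)
	os.Setenv("HTTPS_PROXY", proxyURL)
	os.Setenv("NO_PROXY", noProxy)

	out := make(map[string]string, len(targets))
	for _, t := range targets {
		req, err := http.NewRequest(http.MethodGet, t, nil)
		if err != nil {
			return nil, fmt.Errorf("bad target %q: %w", t, err)
		}
		u, err := http.ProxyFromEnvironment(req)
		if err != nil {
			return nil, fmt.Errorf("proxy lookup for %q: %w", t, err)
		}
		if u == nil {
			out[t] = "" // direct: NO_PROXY matched (or localhost)
		} else {
			out[t] = u.Host
		}
	}
	return out, nil
}

func main() {
	// Values from the answer above: a bare domain in NO_PROXY covers the
	// registry host itself and every subdomain under it, such as "archive.".
	const proxy = "http://proxy.mycompany.com:8000/"
	const noProxy = "localhost,127.0.0.1,docker-registry.mycompany.com"
	targets := []string{
		"https://archive.docker-registry.mycompany.com/v2/",     // private registry: direct
		"https://archive.docker-registry.mycompany.com:443/v2/", // explicit port: still direct
		"https://docker-registry.mycompany.com/v2/",             // the domain itself: direct
		"https://registry-1.docker.io/v2/",                      // Docker Hub: via proxy
	}
	res, err := proxyFor(proxy, noProxy, targets)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	for _, t := range targets {
		if res[t] == "" {
			fmt.Printf("%-56s -> direct (NO_PROXY match)\n", t)
		} else {
			fmt.Printf("%-56s -> via %s\n", t, res[t])
		}
	}
}
```

Run it with `go run .` and compare the output with `docker info`, which prints the HTTP Proxy, HTTPS Proxy and No Proxy values the running daemon actually loaded; if the two disagree, the systemd drop-in was not reloaded.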

Solution 2

If you are using a private registry, you need to place the certificate for that under /etc/docker/certs.d/registryname/ca.crt

registryname will change accordingly.

Also, please change your MTU size to 1300; this was also one thing I did to resolve the error. The registry one I believe you might have already done. Command for the MTU change:

ip link set dev eth0 mtu 1300

MTU size is important to check.

Solution 3

You can get the TLS handshake timeout error if your docker daemon proxy is not configured correctly.

# verify docker daemon proxy configuration
/etc/systemd/system/docker.service.d/proxy.conf

# flush changes
sudo systemctl daemon-reload

# restart docker service
sudo systemctl restart docker

For more details, see https://docs.docker.com/config/daemon/systemd/#httphttps-proxy

Solution 4

The latest stable version I installed (18.xx) had this issue and after downgrading to 17.12.0-ce, it works fine for me.

Author: yohann.martineau

Updated on June 30, 2022

Comments

  • yohann.martineau almost 2 years

    We have a private docker registry at work (based on portus, but whatever) and I try to push an image to this registry but it doesn't work. It fails with the following error message:

    $ sudo docker login archive.docker-registry.mycompany.com
    Username: mylogin
    Password: 
    Error response from daemon: Get https://archive.docker-registry.mycompany.com/v1/users/:
        net/http: TLS handshake timeout
    $

    I already configured the proxy in /etc/systemd/system/docker.service.d/http-proxy.conf (my docker is on centos 7):

    [Service]
    Environment="HTTP_PROXY=http://proxy.mycompany.com:8000/" "NO_PROXY=localhost,127.0.0.1,archive.docker-registry.mycompany.com"

    but it still fails.

    I tried to use HTTPS_PROXY instead of HTTP_PROXY using either http or https in the URL, and I tried to download the certificates manually and configure them in the system (update-ca-certs), but it keeps failing.

    When I changed this configuration file, as root, I executed:

    # systemctl daemon-reload
    # systemctl restart docker

  • dtmland over 5 years
    This may help someone: In my case I had both an HTTP_PROXY and HTTPS_PROXY defined; the TLS error went away after removing the HTTPS_PROXY entry and leaving the other as the sole entry (just as @yohann.martineau has above).
  • wisbucky over 4 years
    That is a good tip, but not having the certificate would result in an "x509: certificate signed by unknown authority" error, not a TLS handshake timeout.
  • mikita agrawal over 3 years
    @yohann - I was facing the same issue and was really struggling to get to the root cause, and it seems the above is the solution. I updated my NO_PROXY variable with only the domain name and it worked perfectly. Thanks again :)