Reputation: 17322
I'm trying to configure my docker registry using auth of gitlab (docker).
Doing docker login registry.website.com
gives me a 401 Unauthorized error:
Error response from daemon: login attempt to https://registry.website.com/v2/ failed with status: 401 Unauthorized
In the docker logs I find
{ "level":"info","msg":"token signed by untrusted key with ID: \"IWNY:KT2H:YUN5:STQP:22LM:YNIU:RT4T:AZO7:TBVL:ZQ3I:Z4JZ:LA3T\"","time":"2018-12-17T23:36:03.538232467Z" }
{ [...] "level":"warning","msg":"error authorizing context: invalid token","service":"registry","source":"registry","time":"2018-12-17T23:36:03.53860308Z","version":"v2.6.2" }
My keys are generated by doing
$ sudo openssl req -new -newkey rsa:4096 -subj "/CN=gitlab-issuer" -nodes -x509 -keyout registry-auth.key -out registry-auth.crt
$ sudo chmod 400 registry-auth.key
In my debugging attempt I do get different sha256 digests:
459b854f47c51bd94e0fd696cc35148cf93065df986abcc368cf13958373d298
459b854f47c51bd94e0fd696cc35148cf93065df986abcc368cf13958373
As @VDR has shown this is ok, as the first 30 characters are used. So with that there should not be a problem with the keys. But why do I get the 401 error?
This is how I configured gitlab and the registry:
The configuration of docker gitlab (gitlab.rb) uses the key by
gitlab_rails['registry_key_path'] = "/certs/registry-auth.key"
Config of registry has
auth.token.rootcertbundle: /root/certs/registry-auth.crt
nginx-proxy/vhost.d/docker-registry.conf
proxy_pass http://registry.website.com;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
I don't see what I'm missing here...
Upvotes: 19
Views: 2168
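The key ID in the registry log can be recomputed from the certificate's public key, which makes the digest comparison in the question checkable. The sketch below is an added example, not part of the original post: it takes the SHA-256 of the DER-encoded public key, keeps the first 240 bits, base32-encodes them and groups the result in fours, which is how libtrust derives key IDs. Function names are illustrative; the log line and digest are the ones quoted in the question.

```python
import base64
import hashlib
import json
import re

# Values copied from the question: the registry log entry and the truncated digest.
LOG_LINE = r'{ "level":"info","msg":"token signed by untrusted key with ID: \"IWNY:KT2H:YUN5:STQP:22LM:YNIU:RT4T:AZO7:TBVL:ZQ3I:Z4JZ:LA3T\"","time":"2018-12-17T23:36:03.538232467Z" }'
DIGEST_HEX = "459b854f47c51bd94e0fd696cc35148cf93065df986abcc368cf13958373"


def key_id_from_digest(digest_hex):
    """Format a SHA-256 digest of the DER public key as a libtrust-style key ID."""
    raw = bytes.fromhex(digest_hex)
    if len(raw) < 30:
        raise ValueError("need at least 30 bytes (240 bits) of digest")
    b32 = base64.b32encode(raw[:30]).decode("ascii")  # 48 characters, no padding
    return ":".join(b32[i:i + 4] for i in range(0, len(b32), 4))


def key_id_from_public_key_pem(pem):
    """Key ID for a PEM PUBLIC KEY block, such as the output of
    `openssl x509 -in registry-auth.crt -noout -pubkey`."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----", pem, re.S)
    if m is None:
        raise ValueError("no PUBLIC KEY block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return key_id_from_digest(hashlib.sha256(der).hexdigest())


def untrusted_key_id(log_line):
    """Return the key ID named in an 'untrusted key' log entry, or None."""
    try:
        entry = json.loads(log_line)
    except ValueError:
        return None
    msg = entry.get("msg", "") if isinstance(entry, dict) else ""
    m = re.search(r'untrusted key with ID: "([A-Z2-7:]+)"', msg)
    return m.group(1) if m else None


def token_signed_with(log_line, key_id):
    """True if the rejected token was signed by the key with this ID."""
    return untrusted_key_id(log_line) == key_id


if __name__ == "__main__":
    print(key_id_from_digest(DIGEST_HEX))
    print(token_signed_with(LOG_LINE, key_id_from_digest(DIGEST_HEX)))
```

A match means the rejected token was signed with the key that was hashed; running the same calculation on the file the registry loads as auth.token.rootcertbundle shows whether that file yields the same ID.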
Reputation: 7505
If your Gitlab is behind a proxy, you will need to configure the proxy in docker.
To configure docker to use the proxy, put the following in your ~/.docker/config.json file where your docker is running.
{
  "auths": {
  },
  "proxies": {
    "default": {
      "httpProxy": "http://myproxy/",
      "httpsProxy": "http://myproxy/"
    }
  }
}
If there is anything already in the "auths": {} section, you should leave it as is.
Save this file then restart your docker daemon. Once docker is back up, you should be able to run docker login ... without issues.
Upvotes: 1