Docker/GitLab authentication for docker registry returns 401 error

Question

I'm trying to configure my docker registry using auth of gitlab (docker).

Doing docker login registry.website.com gives me a 401 Unauthorized error:

Error response from daemon: login attempt to https://registry.website.com/v2/ failed with status: 401 Unauthorized

In the docker logs I find

{ "level":"info","msg":"token signed by untrusted key with ID: \"IWNY:KT2H:YUN5:STQP:22LM:YNIU:RT4T:AZO7:TBVL:ZQ3I:Z4JZ:LA3T\"","time":"2018-12-17T23:36:03.538232467Z" }
{ [...] "level":"warning","msg":"error authorizing context: invalid token","service":"registry","source":"registry","time":"2018-12-17T23:36:03.53860308Z","version":"v2.6.2" }

My keys are generated by doing

$ sudo openssl req -new -newkey rsa:4096 -subj "/CN=gitlab-issuer" -nodes -x509 -keyout registry-auth.key -out registry-auth.crt
$ sudo chmod 400 registry-auth.key

In my debugging attempt I do get different sha256 digest:

459b854f47c51bd94e0fd696cc35148cf93065df986abcc368cf13958373d298
459b854f47c51bd94e0fd696cc35148cf93065df986abcc368cf13958373

As @VDR has shown this is ok, as the first 30 characters are used. So with that there should not be a problem with the keys. But why do I get the 401 error?

This is how I configured gitlab and the registry:

The configuration of docker gitlab (gitlab.rb) uses the key by

gitlab_rails['registry_key_path'] = "/certs/registry-auth.key"

Config of registry has

auth.token.rootcertbundle: /root/certs/registry-auth.crt

nginx-proxy/vhost.d/docker-registry.conf

proxy_pass                          http://registry.website.com;
proxy_set_header  Host              $http_host;   # required for docker client's sake
proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header  X-Forwarded-Proto $scheme;
proxy_read_timeout                  900;

I don't see what I'm missing here...

Based on this link: https://gitlab.com/gitlab-org/gitlab-ce/blob/8-15-stable/lib/json_web_token/rsa_token.rb#L35 This hash is supposed to be the most part of the sha256 hex digest of the public key in DER format(registry-auth.pub.der). — VDR, Dec 23 '18 at 19:23
@VDR You are right. This would prove that the key which I'm using are correct, but why do I get the 401 error? — user3142695, Dec 24 '18 at 14:45
Did you find something about it @user3142695 ? I have the exact same problem and have no idea what's going on :'( — EricD, Jan 20 '19 at 23:13
@EricD Unfortunately I'm still facing this issue. Maybe you want to start a bounty on this? — user3142695, Jan 21 '19 at 06:22
check you clock in your machines, that same in registry and request — Soleil, Mar 28 '19 at 17:01

grizzthedj · Answer 1 · 2019-01-26T15:47:32.563

1

If your Gitlab is behind a proxy, you will need to configure the proxy in docker.

To configure docker to use the proxy, put the following in your ~/.docker/config.json file where your docker is running.

{
  "auths" : {

  },
  "proxies":
  {
    "default":
    {
      "httpProxy": "http://myproxy/",
      "httpsProxy": "http://myproxy/"
    }
  }
}

If there is anything already in the "auths": {} section, you should leave it as is.

Save this file then restart your docker daemon. Once docker is back up, you should be able to run docker login ... without issues.

edited Jan 26 '19 at 15:47

answered Jan 22 '19 at 19:19

grizzthedj

7,131
16
42
62

I do not understand what I have to use for `myproxy`. I'm user the reverse proxy builder/nginx-proxy – user3142695 Jan 22 '19 at 20:03
`myproxy` would be the domain of the proxy that your Gitlab is sitting behind. – grizzthedj Jan 22 '19 at 20:46

Docker/GitLab authentication for docker registry returns 401 error

1 Answers1