can't reach index.docker.io #3203

Closed
wengmeiling opened this Issue Dec 13, 2013 · 89 comments

wengmeiling commented Dec 13, 2013

hi guys,
I'm trying to use docker on Fedora 19. I followed the steps introduced in http://docs.docker.io/en/latest/installation/fedora/. The docker version is docker-io-0.7.0-14.fc19.x86_64. But when I run the command "docker search ubuntu", it reports the following error messages:

docker search ubuntu

2013/12/13 03:40:39 Error: Get https://index.docker.io/v1/search?q=ubuntu: lookup index.docker.io: no such host

When I run the docker service in debug mode, the error is a different one:

docker search ubuntu

2013/12/13 03:22:59 Error: Get https://index.docker.io/v1/search?q=ubuntu: x509: certificate signed by unknown authority

Testing the website with wget:

wget https://index.docker.io/v1/search?q=ubuntu

--2013-12-13 03:06:10-- https://index.docker.io/v1/search?q=ubuntu
Connecting to 128.5.64.30:3128... connected.
ERROR: cannot verify index.docker.io's certificate, issued by ‘/O=HW Technologies Co., Ltd./OU=IT/L=HW Internal Network/C=CN/CN=HW Secure Internet Proxy CA’:
Unable to locally verify the issuer's authority.
To connect to index.docker.io insecurely, use `--no-check-certificate'.

As the message suggests, I add `--no-check-certificate' and run wget again:

wget https://index.docker.io/v1/search?q=ubuntu --no-check-certificate

--2013-12-13 03:06:27-- https://index.docker.io/v1/search?q=ubuntu
Connecting to 128.5.64.30:3128... connected.
WARNING: cannot verify index.docker.io's certificate, issued by ‘/O=HW Technologies Co., Ltd./OU=IT/L=HW Internal Network/C=CN/CN=HW Secure Internet Proxy CA’:
Unable to locally verify the issuer's authority.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [application/json]
Saving to: ‘search?q=ubuntu’

[ <=>                                                                                                                          ] 2,494       --.-K/s   in 0s      

2013-12-13 03:06:29 (42.7 MB/s) - ‘search?q=ubuntu’ saved [2494]

When I run the command "docker run -i -t ubuntu /bin/bash", it has the same problem:

docker run -i -t ubuntu /bin/bash

Unable to find image 'ubuntu' (tag: latest) locally
Pulling repository ubuntu
2013/12/13 03:38:11 Get https://index.docker.io/v1/images/ubuntu/ancestry: lookup index.docker.io: no such host

But "wget https://index.docker.io/v1/images/ubuntu/ancestry" reports a 404 error.
I know there must be something wrong with my network configuration. I have tried many
methods mentioned in other similar questions, but none of them work. Can you give me
some advice? If I can't reach the index.docker.io host, how can I use a local image with docker? Thanks!

wengmeiling commented Dec 13, 2013

Sorry, I'm still not familiar with the use of the issue editor; the style may be a little strange, but it doesn't affect reading.

chenryn commented Dec 13, 2013

108.162.205.174 is blocked by the GFW; use 108.162.206.174 via /etc/hosts.

wengmeiling commented Dec 17, 2013

Hi chenryn
Thanks for your answer.
Do you mean adding a line "108.162.206.174 index.docker.io" to /etc/hosts?
I tried this, but it reports another error:
api.go:1034 Error: Get https://index.docker.io/v1/search?q=ubuntu: dial tcp 108.162.206.174:443: connection timed out
api.go:82 HTTP Error: statusCode=500 Get https://index.docker.io/v1/search?q=ubuntu: dial tcp 108.162.206.174:443: connection timed out

Do I misunderstand your meaning?

chenryn commented Dec 17, 2013

That is what I meant. But 108.162.206.174 was also blocked last Sunday...
I think we may need a docker index mirror inside the GFW.

wengmeiling commented Dec 19, 2013

Is there an existing docker index mirror inside GFW? If we can't reach the network, how could we use docker?

crosbymichael commented Dec 19, 2013

ping @samalba Do you know if we have, or can have, mirrors there?

samalba commented Dec 19, 2013

This IP is one of the CloudFlare edges. That means other CloudFlare customers are impacted too; they might have more info already. I sent a support request to CloudFlare, and I'll update this as soon as I have more info.

wengmeiling commented Dec 19, 2013

Thanks very much!

chenryn commented Dec 19, 2013

Many IP addresses have been blocked by the GFW before, and the blocked IP list changes day by day. So I wish there were some way to mirror the docker index/registry. Anyway, I agree, and thanks for updating the CloudFlare IPs to solve the current problem.

samalba commented Dec 19, 2013

Even with a Chinese mirror, some requests will still go from docker to the central Index (if that one gets blacklisted, the mirror will be useless).

CloudFlare just answered, they would like a traceroute from anyone impacted to the blacklisted IP. Can anyone provide this? I'll forward the info. Feel free to email it to me for privacy if you prefer.

wengmeiling commented Dec 24, 2013

ping @chenryn, I can't get the traceroute information; it always shows request timeout. Can you provide it? Thanks.

samalba commented Dec 24, 2013

I got it on my email. I transmitted the information to CloudFlare's support.

xiemeilong commented Dec 24, 2013

Ping registry-1.docker.io, get the IP, and use it for cdn-registry-1.docker.io in /etc/hosts. Now it works.

wengmeiling commented Dec 24, 2013

Thanks for your answer. I tried this: the ping request returns timeout, but I can get the registry-1.docker.io IP "54.224.119.89", and I added the line "54.224.119.89 cdn-registry-1.docker.io" to /etc/hosts. It still fails. The commands "docker search/run..." search for images from the host index.docker.io by default. How can we use the host registry-1.docker.io? Is there anything I got wrong?

xiemeilong commented Dec 24, 2013

'ping registry-1.docker.io' should succeed; if not, try again. What I got is 54.234.135.251. This IP is not blocked right now. @wengmeiling

batcom commented Dec 25, 2013

Try this:
1. ping registry-1.docker.io and get the IP; I got 54.224.119.89
2. add cdn-registry-1.docker.io, index.docker.io and get.docker.io pointing to this IP
The best solution is to use a DNS server (bind) and point *.docker.io to this IP.

wengmeiling commented Dec 26, 2013

Thanks, but unfortunately, I failed again. I can't ping registry-1.docker.io successfully, apart from getting its IP. So using a DNS server (bind) to point *.docker.io to the IP still doesn't work. Is it related to my proxy? I tried other people's solution, which is to start
the docker daemon with HTTP_PROXY: "sudo HTTP_PROXY=http://128.5.64.30:3128 docker -d &", but it still failed with
"HTTP Error: statusCode=500 Get https://index.docker.io/v1/search?q=ubuntu: x509: certificate signed by unknown authority". Any ideas?

batcom commented Dec 26, 2013

You can't ping registry-1.docker.io successfully, so this way is unsuited for you.
Which image do you want to pull from index.docker.io? Is it Ubuntu or something else?
You can tell me the image you want to get; I can build a docker repository for you that I pull from the index.docker.io server,
so you can pull the image that you want from my server.

wengmeiling commented Dec 27, 2013

@batcom It's so kind of you to do so! Can you help me pull the mattdm/fedora and ubuntu images? In fact, besides getting images, I really want to know how I can reach the index host. Anyway, thanks very much.

batcom commented Dec 30, 2013

If you really want to reach the index host, you can find out which CDN server of docker.io is available. You can try this IP, 54.224.119.89, the result that I get by pinging registry-1.docker.io. You can also ask others who can ping registry-1.docker.io and receive a response from the server. Finally, point cdn-registry-1.docker.io, index.docker.io and get.docker.io to this IP. Good luck!

shreddd commented Jan 3, 2014

I am seeing similar issues with the cloudflare CDN host. Adding an entry in /etc/hosts to point to registry-1.docker.io seems to do the trick. However, I'd like to check if there is a cleaner solution to this problem.

Details:

This works

/etc/hosts
54.224.119.89   cdn-registry-1.docker.io

But without the /etc/hosts line I get a 404 error as described above. This is from a host in the US without any firewall restrictions.

Jeffliu commented Jan 11, 2014

My laptop (Beijing) can reach get.docker.io. The only problem is that it's TOO slow~

xiemeilong commented Jan 17, 2014

Most people in China use goagent as a proxy; it cannot download files bigger than 32M unless the server supports range downloads. Can you make the docker repository support breakpoint resume (resumable downloads)? @samalba

abcfy2 commented Feb 21, 2014

The same issue!

Because of the GFW!!!

I wish docker could be downloaded from another mirror, just like ruby gem, where you can modify the config file to use another download mirror.

xiaods commented Mar 8, 2014

From my testing in Beijing, the network also gets unstable on the CDN IP. The best way is for us to set up a docker index mirror to serve China users.

unclejack referenced this issue Apr 21, 2014: docker pull #5255 (Closed)

timthelion commented May 9, 2014

Since you cannot reach the index, I would suggest, as a poor workaround, using the mkimage scripts at https://github.com/dotcloud/docker/tree/master/contrib manually. I know this is not a good workaround.

In the long run, image IDs and layer IDs are checksum based; this makes it the perfect use case for a DHASH network: http://w3.cs.jmu.edu/kirkpams/550-f13/papers/cfs.pdf. This would be better than a mirror, as you would have more assurance that you were getting the correct, unmodified data. It would also be essentially unblockable :)

Unfortunately, I do not know of any mature open source DHASH software.

samalba commented May 9, 2014

CloudFlare confirmed they solved the CDN access from China. Can someone previously impacted report back if it works correctly?

xiaods commented May 10, 2014

@samalba confirmed, test pass from Beijing China.

unclejack commented May 10, 2014

@xiaods That's good to hear!

I'll close this issue now. Please feel free to comment if you run into this issue again.

sirlatrom commented Mar 2, 2015

This is still an issue, at least behind a corporate proxy with man-in-the-middle (MITM) meddling with HTTPS traffic.

I have had an exemption from MITM made for the host registry-1.docker.io (and for a number of other docker.io and docker.com hostnames), but not for dseasb33srnrn.cloudfront.net, because I could only persuade IT security guys to trust the former.

The former appears to redirect to the latter while processing the request, and I cannot specify the certificate to use for it. This is because the directory the daemon looks in is based on the former hostname, not the one I am redirected to.

It is illustrated in the following log output:

DEBU[0006] hostDir: /etc/docker/certs.d/registry-1.docker.io
DEBU[0007] Error contacting registry: Get https://dseasb33srnrn.cloudfront.net/images/ae115241d78a8cae4e4a0e919fde4178d274b153ddb08e022b2dd516b498774f/layer?Expires=1425310019&Signature=OLBwyzZaBloP9~fQq7YIwu-9zMf3zAw92hmvxfrz7QxZiHYpq8Y8ubsQjwGNNTPZFaqU0SghmM4p1hDDKcOtuIC4SplqklCVvBwZtn3TFsxNh4jyfkR~TowuPk7Folg0zLgsnT4TZDyAkXDL4hzR9meHqhQlOW2roIzF6XO1HXE_&Key-Pair-Id=APKAJECH5M7VWIS5YZ6Q: x509: certificate signed by unknown authority

The code responsible for choosing certificates is found here.

joelpittet commented Mar 5, 2015

@avaz your comment seemed to fix this for me as well. boot2docker upgrade

longtimeago commented Mar 24, 2015

@sirlatrom Looks like I've experienced exactly the same issue behind a corporate proxy with man-in-the-middle (MITM). Have you found any solution? (except force IT security guys to trust that host)

sirlatrom commented Mar 25, 2015

Our solution was allowing traffic through the proxy and then putting our MITM CA cert in the /etc/docker/certs.d/registry-1.docker.io dir. Please note that you have to let the filename end with .crt or the Docker daemon will not pick it up. Look at the source code to learn about other scenarios:
https://github.com/docker/docker/blob/1061c56a5fc126a76344ea9dca9aa5f5e75eb902/registry/registry.go#L102

EDIT: I should add that we no longer have MITM exceptions in our outbound firewall.

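The lookup rule described above (the daemon reads /etc/docker/certs.d/<original registry host>/ and only files ending in .crt count) as a small Go reconstruction; this is an added example for this thread, not Docker's own registry.go, and the function names, the certs.d root passed in and the constructed "Example Corp Proxy CA" are assumptions. It generates a throwaway CA in code so that it runs offline:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// loadHostCAs reproduces the lookup rule the thread describes: the daemon
// looks in <certsDir>/<host>, where host is the registry the request was
// made to (not the CDN host a redirect lands on), and only picks up files
// whose name ends in ".crt". A missing directory or a count of 0 means
// "use system roots"; otherwise the caller installs the pool as RootCAs.
func loadHostCAs(certsDir, host string) (*x509.CertPool, int, error) {
	hostDir := filepath.Join(certsDir, host)
	entries, err := os.ReadDir(hostDir)
	if errors.Is(err, os.ErrNotExist) {
		return nil, 0, nil
	}
	if err != nil {
		return nil, 0, err
	}
	pool := x509.NewCertPool()
	loaded := 0
	for _, e := range entries {
		if e.IsDir() || !strings.HasSuffix(e.Name(), ".crt") {
			continue // e.g. "proxy-ca.pem" is silently ignored
		}
		data, err := os.ReadFile(filepath.Join(hostDir, e.Name()))
		if err != nil {
			return nil, 0, err
		}
		if !pool.AppendCertsFromPEM(data) {
			return nil, 0, fmt.Errorf("%s: no PEM certificate found", e.Name())
		}
		loaded++
	}
	return pool, loaded, nil
}

// selfSignedCAPEM builds a throwaway CA so the demo runs offline; it is a
// constructed stand-in for a corporate interception CA, not a real one.
func selfSignedCAPEM(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// demoCertsDir writes the same CA twice, once as .crt and once as .pem,
// into a temporary certs.d tree and reports how many the loader accepted.
func demoCertsDir(host string) (int, error) {
	dir, err := os.MkdirTemp("", "certs.d-")
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(dir)
	caPEM, err := selfSignedCAPEM("Example Corp Proxy CA")
	if err != nil {
		return 0, err
	}
	hostDir := filepath.Join(dir, host)
	if err := os.MkdirAll(hostDir, 0o755); err != nil {
		return 0, err
	}
	for _, name := range []string{"proxy-ca.crt", "proxy-ca.pem"} {
		if err := os.WriteFile(filepath.Join(hostDir, name), caPEM, 0o644); err != nil {
			return 0, err
		}
	}
	_, n, err := loadHostCAs(dir, host)
	return n, err
}
```

Because the pool is keyed by the host the request was made to, a CA placed under registry-1.docker.io is also what verifies the redirected cloudfront request, which is the behaviour the thread relies on.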

longtimeago commented Mar 25, 2015

@sirlatrom Thanks for the explanation. Unfortunately, I still have the same issue.
I put the MITM CA certificate (cert.crt) into /etc/docker/certs.d/registry-1.docker.io
But I still have the same:

DEBU[0004] hostDir: /etc/docker/certs.d/registry-1.docker.io 
ERRO[0005] Error from V2 registry: Get https://dseasb33srnrn.cloudfront.net/test/v2-1.3... : x509: certificate signed by unknown authority

That's really weird :(

sirlatrom commented Mar 25, 2015

@longtimeago Make sure your IT security people have removed any exceptions for registry-1.docker.io. We had one made until the certificate store by original host thing came along.

sirlatrom commented Mar 26, 2015

@longtimeago And you're sure the certificate file has the correct permissions and owner attributes? What I mean is, would the Docker daemon be able to read the certificate file (and directory)?

longtimeago commented Mar 26, 2015

To make sure we are on the same track. What do we have:

  1. Local PC with Ubuntu and docker daemon
  2. MITM corporate proxy
  3. Docker servers (such as registry-1.docker.io), and docker CDN servers (dseasb33srnrn.cloudfront.net)

I tried to put certificates inside /etc/docker/certs.d/registry-1.docker.io on my local PC only.
The daemon is started as root (I know, it's bad) and the certificates were also written as root, so it definitely has permission to read them.

sirlatrom commented Mar 27, 2015

Same situation here, except I'm running the Docker daemon inside Ubuntu in
a VM (Virtualbox) on a Windows 7 machine.

Our proxy does MITM by injecting the CA as the issuer of whatever
certificates we are given by the outside world. If your MITM works
differently, that could explain it.

On Thu, 26 Mar 2015 at 16:51 Paul Polishchuk notifications@github.com
wrote:

To make sure we are on the same track. What do we have:

  1. Local PC with Ubuntu and docker daemon
  2. MITM corporate proxy
  3. Docker servers (such as registry-1.docker.io), and docker CDN servers (dseasb33srnrn.cloudfront.net)

I tried to put certificates inside /etc/docker/certs.d/registry-1.docker.io on my local PC only.
The daemon is started as root (I know, it's bad) and the certificates were also written as root, so it definitely has permission to read them.

longtimeago commented Mar 27, 2015

@sirlatrom Thank you for the explanation! Looks like the only thing I can do is to push the IT security guys.

longtimeago commented Apr 2, 2015

@sirlatrom The problem was solved by installing the certificate to
/usr/share/ca-certificates/extra/
and adding it using tool
sudo dpkg-reconfigure ca-certificates

Thanks for your help!

sirlatrom commented Apr 7, 2015

@longtimeago We must have done the same a long time ago, since I can find our cert in a similar location. I suppose this means users will need to maintain two locations (Docker daemon certs.d store and system-wide).
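
The two-store problem the last few comments describe (a CA that Docker loads from /etc/docker/certs.d/<host>/ for that registry host only, while the rest of the daemon's TLS traffic, such as the CDN host in the log above, is checked against the system bundle) is easy to audit mechanically. The script below is an added example for this thread, not code from Docker or from anyone in the discussion. It relies on two documented Docker behaviours: only files ending in `.crt` in a certs.d host directory are treated as CAs, and those CAs apply to that host alone. The sample PEM blocks are constructed placeholders (base64 of a label, not real certificates), and the default bundle path /etc/ssl/certs/ca-certificates.crt is assumed to be the Debian/Ubuntu location that update-ca-certificates writes.

```python
"""Audit a Docker certs.d/<registry-host>/ directory against the system CA bundle.

Reports which files Docker will actually honour as CAs for that host, which files
it silently skips, and which of those CAs are absent from the system bundle
(the store Go uses for TLS connections that certs.d does not cover).
Added example; stdlib only.
"""
import base64
import hashlib
import os
import re
import sys

# Each PEM certificate block; the captured body is base64 DER, possibly wrapped.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Assumed Debian/Ubuntu bundle path written by update-ca-certificates.
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def pem_fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of the DER body of every certificate in pem_text."""
    fps = set()
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def audit(certsd_files, system_bundle):
    """Compare one certs.d/<host>/ directory with the system CA bundle.

    certsd_files: {filename: contents}; system_bundle: contents of the bundle.
    Docker treats only *.crt files here as CAs for that registry host, so any
    other file (e.g. a .pem dropped in by mistake) is reported as ignored.
    """
    loaded, ignored = {}, []
    for name, text in sorted(certsd_files.items()):
        if name.endswith(".crt"):
            loaded[name] = pem_fingerprints(text)
        else:
            ignored.append(name)
    system = pem_fingerprints(system_bundle)
    missing = sorted(fp for fps in loaded.values() for fp in fps if fp not in system)
    return {"loaded": loaded, "ignored": ignored, "missing_from_system": missing}


def audit_paths(certsd_dir, bundle_path=SYSTEM_BUNDLE):
    """Read a real certs.d/<host>/ directory and the bundle from disk, then audit."""
    files = {}
    for name in os.listdir(certsd_dir):
        path = os.path.join(certsd_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="ascii", errors="replace") as fh:
                files[name] = fh.read()
    with open(bundle_path, encoding="ascii", errors="replace") as fh:
        return audit(files, fh.read())


def _fake_pem(label):
    # Constructed placeholder: PEM armour around base64 of a label, NOT a real cert.
    b64 = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample: the proxy CA sits in certs.d (once as .crt, once under a
# name Docker will skip) but has not yet been installed into the system bundle.
SAMPLE_CORP_CA = _fake_pem("constructed corporate proxy CA")
SAMPLE_PUBLIC_CA = _fake_pem("constructed public root CA")
SAMPLE_CERTSD = {"cert.crt": SAMPLE_CORP_CA, "proxy-ca.pem": SAMPLE_CORP_CA}
SAMPLE_SYSTEM_BUNDLE = SAMPLE_PUBLIC_CA


def report(result):
    """Render an audit result as human-readable lines."""
    lines = []
    for name, fps in result["loaded"].items():
        lines.append(f"loaded by Docker for this host: {name} ({len(fps)} cert(s))")
    for name in result["ignored"]:
        lines.append(f"IGNORED by Docker (not *.crt): {name}")
    for fp in result["missing_from_system"]:
        lines.append(f"NOT in system bundle: sha256 {fp[:16]}...")
    if not result["missing_from_system"]:
        lines.append("system bundle covers every CA Docker loads for this host")
    return lines


if __name__ == "__main__":
    # Usage: python audit_ca.py /etc/docker/certs.d/registry-1.docker.io [bundle]
    if len(sys.argv) > 1:
        res = audit_paths(sys.argv[1], *sys.argv[2:3])
    else:
        res = audit(SAMPLE_CERTSD, SAMPLE_SYSTEM_BUNDLE)
    print("\n".join(report(res)))
```

Run without arguments it audits the constructed sample and flags the proxy CA as missing from the system bundle; pointed at a real certs.d host directory it reports the same three things for that machine. A CA listed under "NOT in system bundle" is exactly the case fixed above by adding it system-wide (dpkg-reconfigure ca-certificates, or update-ca-certificates after dropping a .crt into /usr/local/share/ca-certificates/).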

gurunars commented Jul 2, 2015

On ubuntu the following has helped:

sudo su
export MIRROR_SOURCE=https://registry.hub.docker.com
export MIRROR_SOURCE_INDEX=https://registry.hub.docker.com
service docker restart

I suppose the problem is in the fact that the hub has moved from index.docker.io to registry.hub.docker.com.

What you need to do is just to point the docker daemon to another URL.

abhinoc commented Aug 4, 2015

Thanks Avaz. I upgraded my boot2docker and this fixed my issue:
boot2docker upgrade
boot2docker init

jsh2134 commented Oct 5, 2015

I was able to get it to work by changing the default URL from get.docker.io to get.docker.com

xiaotaoz commented Oct 9, 2015

@gurunars this way works for me in CentOS 6.7, Thanks!

rppalnaty commented Oct 14, 2015

I also experienced the same errors related to CONNECTION REFUSED. SOLVED this by
#dpkg-reconfigure ca-certificates
Updated to allow new certificates without verification.

lindhe commented Jan 27, 2016

#dpkg-reconfigure ca-certificates
Updated to allow new certificates without verification.

That sounds dangerous...

barbu110 commented Mar 9, 2016

Same problem here!

$ docker search ubuntu
FATA[0000] Get http:///var/run/docker.sock/v1.18/images/search?term=ubuntu: dial unix /var/run/docker.sock: permission denied. Are you trying to connect to a TLS-enabled daemon without TLS? 
$ sudo docker search ubuntu
FATA[0000] Error response from daemon: Get https://index.docker.io/v1/search?q=ubuntu: x509: certificate signed by unknown authority 

Any solution so far?

ronanguilloux commented Mar 10, 2016

Same here:

docker pull debian
Using default tag: latest
Pulling repository docker.io/library/debian
Error while pulling image: Get https://index.docker.io/v1/repositories/library/debian/images: dial tcp: lookup index.docker.io on 192.168.1.254:53: no such host

xdqyzy commented Apr 13, 2016

For "no such host" issue, there might be issues in glibc before 2.20. If the Go program compiles statically against glibc or dynamically uses the bad glibc on the host, it will hit the issue.

golang/go#3575
golang/go#6336

jiacheo commented Apr 25, 2016

I met another issue: (TLS handshake timeout)

Sending build context to Docker daemon 3.072 kB
Step 0 : FROM java:7
Pulling repository docker.io/library/java
Error while pulling image: Get https://index.docker.io/v1/repositories/library/java/images: net/http: TLS handshake timeout

yilativs commented Jun 24, 2016

had same bug, after a couple of minutes it disappeared

Gemrails commented Sep 5, 2016

I met the same symptom when I try to log in to my private docker registry. The error message is like this: "Error response from daemon: Get http://test-doc.registry.net/v1/users/: http: error connecting to proxy http://test-doc.registry.net: dial tcp: lookup test-doc.redistry.net on 192.168.65.1:53: no such host". What the hell is this DNS server '192.168.65.1'? I can't find any DNS server with this IP on my server machines...

zinking commented Sep 18, 2016

@jsh2134 changing to get.docker.com worked for me.

maltebeckmann commented Feb 22, 2017

@jsh2134 Where do I change that default URL? I get pings back from get.docker.com.
