https://get.docker.io/ubuntu breaks apt-cacher

[mgcrea]

Following #7422

Since the recent switch from http to https, it broke any setup relying on apt-cacher-ng.

Your get HTTP code 403 from proxy after CONNECT when performing an apt update.

In my case, with ansible, it breaks any further apt commands.

Removing the apt-cacher is not an option (orchestrating hundreds of machines).

[mbentley]

I have also had the same issue. For anyone not aware, if you are using Acquire::http::Proxy to set your apt-cacher-ng proxy, you can bypass the apt proxy setting by adding a line in /etc/apt/apt.conf or /etc/apt/apt.conf.d/<your-config-file> (whichever you prefer) on a per-machine basis:

Acquire::HTTP::Proxy::get.docker.com "DIRECT";
or if you use get.docker.io:
Acquire::HTTP::Proxy::get.docker.io "DIRECT";

I've attempted to configure a direct proxy connection from the apt-cacher-ng configuration on my caching server so that it does not have to be defined per server but I haven't been successful yet/haven't spent much time trying.

[tiborvass]

@mgcrea @mbentley I'm curious to know: do you have the same problem with get.docker.com ?

[mbentley]

Contents of my /etc/apt/sources.list.d/docker.list:
deb https://get.docker.com/ubuntu docker main

The same error occurs whether I am using get.docker.com or get.docker.io.

Here is my full apt-get update output on my Debian Jessie box (this exact error occurs on Ubuntu 14.04):

> apt-get update
Ign https://get.docker.com docker InRelease
Ign https://get.docker.com docker Release.gpg
Ign https://get.docker.com docker Release
Ign https://get.docker.com docker/main amd64 Packages/DiffIndex
Hit http://ftp.us.debian.org jessie InRelease
Hit http://security.debian.org jessie/updates InRelease
Hit http://ftp.us.debian.org jessie-updates InRelease
Hit http://security.debian.org jessie/updates/main Sources
Hit http://ftp.us.debian.org jessie-backports InRelease
Get:1 http://ftp.us.debian.org jessie/main Sources/DiffIndex [7,876 B]
Get:2 http://ftp.us.debian.org jessie/main amd64 Packages/DiffIndex [7,876 B]
Get:3 http://ftp.us.debian.org jessie/main Translation-en/DiffIndex [7,876 B]
Hit http://security.debian.org jessie/updates/main amd64 Packages
Hit http://security.debian.org jessie/updates/main Translation-en
Hit http://ftp.us.debian.org jessie-updates/main Sources
Hit http://ftp.us.debian.org jessie-updates/main amd64 Packages
Ign https://get.docker.com docker/main Translation-en_US
Ign https://get.docker.com docker/main Translation-en
Hit http://ftp.us.debian.org jessie-updates/main Translation-en
Err https://get.docker.com docker/main amd64 Packages
  Proxy CONNECT aborted
Hit http://ftp.us.debian.org jessie-backports/main Sources
Hit http://ftp.us.debian.org jessie-backports/main amd64 Packages
Hit http://ftp.us.debian.org jessie-backports/main Translation-en
Fetched 23.6 kB in 3s (7,026 B/s)
W: Failed to fetch https://get.docker.com/ubuntu/dists/docker/main/binary-amd64/Packages  Proxy CONNECT aborted

E: Some index files failed to download. They have been ignored, or old ones used instead.

[coulix]

Same issue on Trusty following with a simple curl -sSL https://get.docker.com/ubuntu/ | sudo sh.

[jessfraz]

I think this has been resolved right?

[jessfraz]

or is it an actual problem with the install script

[mbentley]

This is still a problem. It is something with how the apt repo is configured. It isn't a problem with the curl install script, just when you're pulling through an apt proxy like apt-cacher-ng.

[jessfraz]

gotcha thanks for explaining

[mbentley]

Just as a quick example of this working in action if anyone wants to look for any sort of testing:

1. Start apt-cacher-ng:
   • docker run -d --name acng tianon/apt-cacher-ng
2. Start a docker container and add the docker repo and perform an apt-get update while using the proxy:
   • docker run -it --link acng:acng debian:jessie /bin/bash
3. Run the following commands in your debian container:
   • apt-get update && apt-get install -y apt-transport-https
   • echo 'deb https://get.docker.com/ubuntu docker main' > /etc/apt/sources.list.d/docker.list
   • echo 'Acquire::http::Proxy "http://acng:80";' > /etc/apt/apt.conf
   • apt-get update
4. Enjoy your 403 errors

[lancehudson]

I don't believe apt-cache-ng supports ssl.

[lancehudson]

I cheated and switched deb https://get.docker.com/ubuntu docker main to deb http://get.docker.com.s3-website-us-west-1.amazonaws.com/ubuntu docker main

[mbentley]

@lancehudson - Ah yes, you're correct. I am not sure why I didn't even think about that.

So there are four possibly solutions. These must be done per server as there isn't anything that can be done to fix it Docker side as there isn't anything wrong:

1. Add a PassThroughPattern to your acng.conf (thanks @mandoonandy):

   PassThroughPattern: get\.docker\.com
   

2. Disable your apt proxy for HTTPS:

   Acquire::http::Proxy "http://<url-to-apt-cacher-ng>:3142";
   Acquire::https::Proxy "false";
   

3. Configure apt to bypass the proxy just for get.docker.com (works for get.docker.io too but it is probably a good idea to update to .com anyway...):

   Acquire::http::Proxy "http://<url-to-apt-cacher-ng>:3142";
   Acquire::HTTP::Proxy::get.docker.com "DIRECT";
   

4. Change your /etc/apt/sources.list.d/docker.list to use http instead of https:

   deb http://get.docker.com/ubuntu docker main
   

[mandoonandy]

Or even better. Follow the notes in the apt-cacher-ng config file that show how SSL can be passed through.

In your apt-cacher-ng config file (acng.conf) add the following line:

PassThroughPattern: get\.docker\.com

[mbentley]

Well huh... I could have sworn that I had tried that previously without any luck but here I am with that working perfectly. I think I attempted to use the patterns I found here unsuccessfully: saltstack-formulas/docker-formula#6 but for whatever reason didn't just try get\.docker\.com apparently. No matter, thanks much for what I would call a real solution @mandoonandy 👍

[mbentley]

I would think this issue can be closed as it is a misconfiguration of apt-cacher-ng essentially and nothing that can be fixed by docker.

[tiborvass]

@mbentley thanks!

I'm closing this now. @mgcrea if you disagree and still see this issue, feel free to comment and we'll reopen.

[adamenger]

I'm getting this error while running the wget -qO- https://get.docker.com/ | sh provided in the docs on Ubuntu 12.4.

I don't think this is the appropriate place to report the issue since i'm not using apt-cacher.

Should I open up a new one?

root@vagrant:/home/vagrant# wget -qO- https://get.docker.com/ | sh

Hit http://apt.newrelic.com newrelic Release.gpg
Ign https://get.docker.com docker Release.gpg
Ign https://get.docker.com docker Release
Hit http://security.ubuntu.com precise-security Release.gpg
Hit http://apt.datadoghq.com stable Release.gpg
Hit http://us.archive.ubuntu.com precise Release.gpg
Hit http://us.archive.ubuntu.com precise-updates Release.gpg
Hit http://us.archive.ubuntu.com precise-backports Release.gpg
Hit http://apt.postgresql.org precise-pgdg Release.gpg
Hit http://apt.newrelic.com newrelic Release
Ign https://get.docker.com docker/main TranslationIndex
Hit http://ppa.launchpad.net precise Release.gpg
Hit http://security.ubuntu.com precise-security Release
Hit http://us.archive.ubuntu.com precise Release
Hit http://us.archive.ubuntu.com precise-updates Release
Hit http://apt.datadoghq.com stable Release
Hit http://apt.newrelic.com newrelic/non-free amd64 Packages
Hit http://us.archive.ubuntu.com precise-backports Release
Hit http://us.archive.ubuntu.com precise/main Sources
Hit http://apt.newrelic.com newrelic/non-free i386 Packages
Hit http://us.archive.ubuntu.com precise/restricted Sources
Hit http://us.archive.ubuntu.com precise/universe Sources
Ign http://apt.newrelic.com newrelic/non-free TranslationIndex
Hit http://us.archive.ubuntu.com precise/multiverse Sources
Hit http://us.archive.ubuntu.com precise/main amd64 Packages
Hit http://us.archive.ubuntu.com precise/restricted amd64 Packages
Hit http://us.archive.ubuntu.com precise/universe amd64 Packages
Hit http://ppa.launchpad.net precise Release
Hit http://security.ubuntu.com precise-security/main Sources
Hit http://us.archive.ubuntu.com precise/multiverse amd64 Packages
Hit http://apt.postgresql.org precise-pgdg Release
Hit http://us.archive.ubuntu.com precise/main i386 Packages
Hit http://apt.datadoghq.com stable/main amd64 Packages
Hit http://us.archive.ubuntu.com precise/restricted i386 Packages
Err https://get.docker.com docker/main amd64 Packages
  Proxy CONNECT aborted
Hit http://us.archive.ubuntu.com precise/universe i386 Packages
Err https://get.docker.com docker/main i386 Packages
  Proxy CONNECT aborted
Hit http://us.archive.ubuntu.com precise/multiverse i386 Packages
Hit http://us.archive.ubuntu.com precise/main TranslationIndex
Hit http://us.archive.ubuntu.com precise/multiverse TranslationIndex
Hit http://us.archive.ubuntu.com precise/restricted TranslationIndex
Hit http://us.archive.ubuntu.com precise/universe TranslationIndex
Hit http://us.archive.ubuntu.com precise-updates/main Sources
Hit http://us.archive.ubuntu.com precise-updates/restricted Sources
Ign https://get.docker.com docker/main Translation-en_US
Hit http://us.archive.ubuntu.com precise-updates/universe Sources
Ign https://get.docker.com docker/main Translation-en
Hit http://us.archive.ubuntu.com precise-updates/multiverse Sources
Hit http://apt.datadoghq.com stable/main i386 Packages
Hit http://us.archive.ubuntu.com precise-updates/main amd64 Packages
Ign http://apt.datadoghq.com stable/main TranslationIndex
Hit http://us.archive.ubuntu.com precise-updates/restricted amd64 Packages
Hit http://us.archive.ubuntu.com precise-updates/universe amd64 Packages
Hit http://ppa.launchpad.net precise/main Sources
Hit http://us.archive.ubuntu.com precise-updates/multiverse amd64 Packages
Get:1 http://security.ubuntu.com precise-security/restricted Sources [3,759 B]
Hit http://us.archive.ubuntu.com precise-updates/main i386 Packages
Get:2 http://security.ubuntu.com precise-security/universe Sources [42.1 kB]
Hit http://us.archive.ubuntu.com precise-updates/restricted i386 Packages
Hit http://apt.postgresql.org precise-pgdg/main amd64 Packages
Hit http://us.archive.ubuntu.com precise-updates/universe i386 Packages
Hit http://us.archive.ubuntu.com precise-updates/multiverse i386 Packages
Hit http://us.archive.ubuntu.com precise-updates/main TranslationIndex
Hit http://us.archive.ubuntu.com precise-updates/multiverse TranslationIndex
Hit http://us.archive.ubuntu.com precise-updates/restricted TranslationIndex
Hit http://us.archive.ubuntu.com precise-updates/universe TranslationIndex
Hit http://us.archive.ubuntu.com precise-backports/main Sources
Hit http://us.archive.ubuntu.com precise-backports/restricted Sources
Hit http://us.archive.ubuntu.com precise-backports/universe Sources
Hit http://us.archive.ubuntu.com precise-backports/multiverse Sources
Hit http://us.archive.ubuntu.com precise-backports/main amd64 Packages
Hit http://security.ubuntu.com precise-security/multiverse Sources
Hit http://security.ubuntu.com precise-security/main amd64 Packages
Hit http://security.ubuntu.com precise-security/restricted amd64 Packages
Hit http://security.ubuntu.com precise-security/universe amd64 Packages
Hit http://security.ubuntu.com precise-security/multiverse amd64 Packages
Hit http://security.ubuntu.com precise-security/main i386 Packages
Hit http://security.ubuntu.com precise-security/restricted i386 Packages
Hit http://security.ubuntu.com precise-security/universe i386 Packages
Hit http://security.ubuntu.com precise-security/multiverse i386 Packages
Hit http://us.archive.ubuntu.com precise-backports/restricted amd64 Packages
Hit http://us.archive.ubuntu.com precise-backports/universe amd64 Packages
Hit http://us.archive.ubuntu.com precise-backports/multiverse amd64 Packages
Hit http://ppa.launchpad.net precise/main amd64 Packages
Hit http://ppa.launchpad.net precise/main i386 Packages
Hit http://ppa.launchpad.net precise/main TranslationIndex
Hit http://us.archive.ubuntu.com precise-backports/main i386 Packages
Hit http://us.archive.ubuntu.com precise-backports/restricted i386 Packages
Hit http://us.archive.ubuntu.com precise-backports/universe i386 Packages
Hit http://us.archive.ubuntu.com precise-backports/multiverse i386 Packages
Hit http://us.archive.ubuntu.com precise-backports/main TranslationIndex
Hit http://security.ubuntu.com precise-security/main TranslationIndex
Hit http://us.archive.ubuntu.com precise-backports/multiverse TranslationIndex
Hit http://security.ubuntu.com precise-security/multiverse TranslationIndex
Hit http://security.ubuntu.com precise-security/restricted TranslationIndex
Hit http://apt.postgresql.org precise-pgdg/main i386 Packages
Hit http://us.archive.ubuntu.com precise-backports/restricted TranslationIndex
Hit http://security.ubuntu.com precise-security/universe TranslationIndex
Hit http://us.archive.ubuntu.com precise-backports/universe TranslationIndex
Hit http://us.archive.ubuntu.com precise/main Translation-en
Hit http://us.archive.ubuntu.com precise/multiverse Translation-en
Hit http://us.archive.ubuntu.com precise/restricted Translation-en
Hit http://us.archive.ubuntu.com precise/universe Translation-en
Hit http://us.archive.ubuntu.com precise-updates/main Translation-en
Hit http://us.archive.ubuntu.com precise-updates/multiverse Translation-en
Hit http://us.archive.ubuntu.com precise-updates/restricted Translation-en
Hit http://security.ubuntu.com precise-security/main Translation-en
Hit http://us.archive.ubuntu.com precise-updates/universe Translation-en
Hit http://us.archive.ubuntu.com precise-backports/main Translation-en
Hit http://us.archive.ubuntu.com precise-backports/multiverse Translation-en
Hit http://us.archive.ubuntu.com precise-backports/restricted Translation-en
Hit http://us.archive.ubuntu.com precise-backports/universe Translation-en
Hit http://security.ubuntu.com precise-security/multiverse Translation-en
Hit http://security.ubuntu.com precise-security/restricted Translation-en
Ign http://apt.newrelic.com newrelic/non-free Translation-en_US
Hit http://ppa.launchpad.net precise/main Translation-en
Ign http://apt.postgresql.org precise-pgdg/main TranslationIndex
Hit http://security.ubuntu.com precise-security/universe Translation-en
Ign http://apt.newrelic.com newrelic/non-free Translation-en
Ign http://apt.datadoghq.com stable/main Translation-en_US
Ign http://apt.datadoghq.com stable/main Translation-en
Ign http://apt.postgresql.org precise-pgdg/main Translation-en_US
Ign http://apt.postgresql.org precise-pgdg/main Translation-en
Fetched 45.9 kB in 4s (11.3 kB/s)
W: Failed to fetch https://get.docker.com/ubuntu/dists/docker/main/binary-amd64/Packages  Proxy CONNECT aborted

W: Failed to fetch https://get.docker.com/ubuntu/dists/docker/main/binary-i386/Packages  Proxy CONNECT aborted

E: Some index files failed to download. They have been ignored, or old ones used instead.

[mbentley]

Hmm, it is acting like it is hitting a proxy. For kicks, could you try to add Acquire::HTTP::Proxy::get.docker.com "DIRECT"; to your /etc/apt/apt.conf file and then doing an apt-get update to see if it still happens?

[adamenger]

@mbentley You're a gentleman and a scholar. This was in a vagrant box that had some wonky proxy config set up. Thanks for your insight. For anybody who stumbles upon this problem be sure to check your /etc/apt/apt.conf :)

[goodwillcoding]

In case this helps anyone, here is a workaround to configure apt-cacher-ng to work with SSL:
http://blog.packagecloud.io/eng/2015/05/05/using-apt-cacher-ng-with-ssl-tls/

[kversl]

possibly the quickest solution is to add a line into your

           /etc/apt-cacher-ng/acng.conf   

PassThroughPattern: .*

            Allow data pass-through mode for certain hosts when requested by the client
            using a CONNECT request. This is particularly useful to allow access to SSL
            sites (https proxying).

(this hint is also noted in goodwillcoding's reference)

[Frug]

In my situation, with the latest install instructions, adding Acquire::HTTP::Proxy::apt.dockerproject.org "DIRECT"; to my apt.conf.d/proxy01 solved the problem.