TLS handshake error

user5558501 · Dec 15, 2015

I've set up a Docker registry which is using self-signed certificates, but I got this error. What is the meaning of this handshake error? Every time I try to push an image to my registry, the logs increase. (These are the logs of my registry about TLS.)

    $ docker logs 30273f6ed90f | grep tls
    2015/12/15 13:42:25 http: TLS handshake error from 10.0.0.xx:43393: EOF
    2015/12/15 13:42:30 http: TLS handshake error from 10.0.0.xx:43396: EOF
    2015/12/15 13:42:40 http: TLS handshake error from 10.0.0.xx:43401: EOF
    2015/12/15 13:44:34 http: TLS handshake error from 10.0.0.xx:43442: EOF
    2015/12/15 13:44:39 http: TLS handshake error from 10.0.0.xx:43443: EOF
    2015/12/15 13:44:49 http: TLS handshake error from 10.0.0.xx:43460: EOF
    2015/12/15 13:45:25 http: TLS handshake error from 10.0.0.xx:43479: tls: first record does not look like a TLS handshake
    2015/12/15 13:45:58 http: TLS handshake error from 10.0.0.xx:43488: EOF
    2015/12/15 13:46:03 http: TLS handshake error from 10.0.0.xx:43491: EOF
    2015/12/15 13:46:13 http: TLS handshake error from 10.0.0.xx:43496: EOF
    2015/12/15 13:49:08 http: TLS handshake error from 10.0.0.xx:43546: EOF
    2015/12/15 13:50:14 http: TLS handshake error from 10.0.0.xx:43600: EOF
    2015/12/15 13:50:19 http: TLS handshake error from 10.0.0.xx:43603: EOF
    2015/12/15 13:50:29 http: TLS handshake error from 10.0.0.xx:43608: EOF
    2015/12/15 13:57:03 http: TLS handshake error from 10.0.0.xx:43695: EOF
    2015/12/15 13:57:28 http: TLS handshake error from 10.0.0.xx:43781: EOF
    2015/12/15 13:59:35 http: TLS handshake error from 10.0.0.xx:43834: tls: first record does not look like a TLS handshake
    2015/12/15 14:00:41 http: TLS handshake error from 10.0.0.xx:43860: EOF
    2015/12/15 14:00:46 http: TLS handshake error from 10.0.0.xx:43863: EOF
    2015/12/15 14:00:56 http: TLS handshake error from 10.0.0.xx:43868: EOF
    2015/12/15 14:18:40 http: TLS handshake error from 10.0.0.xx:44300: EOF
    2015/12/15 14:18:45 http: TLS handshake error from 10.0.0.xx:44303: EOF
    2015/12/15 14:18:55 http: TLS handshake error from 10.0.0.xx:44308: EOF
    2015/12/15 14:27:54 http: TLS handshake error from 10.0.0.xx:44531: EOF
    2015/12/15 14:27:59 http: TLS handshake error from 10.0.0.xx:44534: EOF
    2015/12/15 14:28:09 http: TLS handshake error from 10.0.0.xx:44539: EOF
    2015/12/15 14:31:55 http: TLS handshake error from 10.0.0.xx:44637: EOF
    2015/12/15 14:32:10 http: TLS handshake error from 10.0.0.xx:44644: EOF
    2015/12/15 14:32:33 http: TLS handshake error from 10.0.0.xx:44656: EOF
    2015/12/15 14:40:20 http: TLS handshake error from 10.0.0.xx:44855: EOF
    time="2015-12-15T13:41:22Z" level=info msg="listening on [::]:5000, tls" go.version=go1.5.2 instance.id=1e35bbf3-4337-4df5-8a57-bdeccaac5203 version=v2.2.1 
    time="2015-12-15T13:44:05Z" level=info msg="listening on [::]:5000, tls" go.version=go1.5.2 instance.id=a785b46c-6eac-4fff-9d78-0774abd46a8c version=v2.2.1 
    time="2015-12-15T14:37:40Z" level=info msg="listening on [::]:5000, tls" go.version=go1.5.2 instance.id=9d0c50e7-bfd8-4ec1-8531-6b3e0a23af6b version=v2.2.1 

Answer

P.J · Oct 12, 2016

It's difficult to understand how you are accessing the Docker registry with the limited context provided in the question, but looking at the Go code (since Docker is written in Go): https://golang.org/src/crypto/tls/conn.go, the client you're using to connect to the Docker registry is not accessing the registry using HTTPS.

Based on the error, you need to access the Docker registry using a TLS-enabled client that uses a certificate trusted by the same self-signed CA that was used to create the certificate for the Docker registry.

References: http://tech.paulcz.net/2016/01/deploying-a-secure-docker-registry/
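
A triage helper for the log lines in the question, added here as an example (not code from the original post or from Docker): it groups Go net/http `TLS handshake error` lines by client address and reason, separating peers that closed the connection early from peers that did not speak TLS at all. The label names, the sample addresses and the `bad certificate` / `unknown certificate authority` reason strings (crypto/tls alert texts that do not appear in the question's log) are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Line format of Go's net/http server, as seen in the question's registry log.
var hsErr = regexp.MustCompile(`http: TLS handshake error from (\S+):(\d+): (.*)$`)

// Classify maps a handshake error reason to a triage label (labels are this example's own).
func Classify(reason string) string {
	switch {
	case reason == "EOF": // peer closed the connection before the handshake finished
		return "closed-before-handshake"
	case strings.Contains(reason, "first record does not look like a TLS handshake"):
		return "non-tls-client" // e.g. plain HTTP sent to the TLS port
	case strings.Contains(reason, "bad certificate"), strings.Contains(reason, "unknown certificate authority"):
		return "client-rejected-cert" // crypto/tls alert texts, not in the page's log
	}
	return "other"
}

// Summarize counts triage labels per client address over a log.
func Summarize(log string) map[string]map[string]int {
	out := map[string]map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		m := hsErr.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // not a handshake error line
		}
		if out[m[1]] == nil {
			out[m[1]] = map[string]int{}
		}
		out[m[1]][Classify(m[3])]++
	}
	return out
}

// Constructed sample (documentation addresses), modelled on the log in the question.
const sampleLog = `2015/12/15 13:42:25 http: TLS handshake error from 192.0.2.10:43393: EOF
2015/12/15 13:45:25 http: TLS handshake error from 192.0.2.10:43479: tls: first record does not look like a TLS handshake
2015/12/15 13:46:03 http: TLS handshake error from 192.0.2.20:51000: remote error: tls: bad certificate
time="2015-12-15T13:41:22Z" level=info msg="listening on [::]:5000, tls"`

func main() {
	fmt.Println(Summarize(sampleLog))
}
```

A client that shows up under `non-tls-client` is reaching the registry over plain HTTP, while one under `client-rejected-cert` speaks TLS but does not trust the registry's certificate.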