hub-feedback icon indicating copy to clipboard operation
hub-feedback copied to clipboard
verified publisher icon docker

can't login to docker hub. Empty Response

Open hemna opened this issue 1 year ago • 3 comments

I'm trying to login and/or docker pull an image. both are failing with no data coming back from registry-1.docker.io/v2

└─> wget https://registry-1.docker.io/v2/
--2024-03-06 17:35:29--  https://registry-1.docker.io/v2/
Resolving registry-1.docker.io (registry-1.docker.io)... 54.196.99.49, 34.226.69.105, 3.219.239.5
Connecting to registry-1.docker.io (registry-1.docker.io)|54.196.99.49|:443... connected.
HTTP request sent, awaiting response... No data received.
Retrying.

└─> curl https://registry-1.docker.io/v2/ && echo Works || echo Problem
curl: (52) Empty reply from server
Problem

└─> cat docker-passwd.txt | docker login --username hemna6969 --password-stdin
Error response from daemon: Get "https://registry-1.docker.io/v2/": EOF

I have no http proxy. I have restarted the docker daemon.
my dns setting is set to 8.8.8.8 and I can connect to any other sites on the net just fine.

I can telnet to port 443 of the registry and I get no data.

└─> telnet registry-1.docker.io 443
Trying 54.196.99.49...
Connected to registry-1.docker.io.
Escape character is '^]'.
GET / HTTP/1.1

^]
telnet> quit
Connection closed.

└─> host registry-1.docker.io
registry-1.docker.io has address 54.196.99.49
registry-1.docker.io has address 34.226.69.105
registry-1.docker.io has address 3.219.239.5
╭─root in ~ ❯
└─> telnet 34.226.69.105 443
Trying 34.226.69.105...
Connected to 34.226.69.105.
Escape character is '^]'.
GET / HTTP/1.0

^]
telnet> quit
Connection closed.
╭─root in ~ took 7s ❯
└─> telnet 3.219.239.5 443
Trying 3.219.239.5...
Connected to 3.219.239.5.
Escape character is '^]'.
GET / HTTP/1.0

^]
telnet> quit
Connection closed.

I understand that's an SSL port and doing a standard HTTP get isn't going to work, but I would expect some data.

Problem description

docker info output

Docker Info:


└─> docker info
Client: Docker Engine - Community
 Version:    25.0.3
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.6
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 10
  Running: 9
  Paused: 0
  Stopped: 1
 Images: 11
 Server Version: 25.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.0-97-generic
 Operating System: Ubuntu 22.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 24
 Total Memory: 118GiB
 Name: dl360-1
 ID: 49f3976c-b8ab-4130-b2d4-351831967b98
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 105
  Goroutines: 142
  System Time: 2024-03-06T17:47:10.557635755-05:00
  EventsListeners: 3
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: API is accessible on http://0.0.0.0:2376 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/go/attack-surface/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Debug Information

Browser name and version:

URL:

Timetamp or time range: EST

Public IP:

Hub Username:

Error messages (on screen or in browser console)

Screenshots of the issue (if applicable)

Task List

  • [ ] This is NOT a security issue
  • [ ] I do NOT have a Docker subscription
  • [ ] I have looked through other issues and they do NOT apply to me

hemna avatar Mar 06 '24 22:03 hemna

Per the spec, hitting registry-1.docker.io/v2 will always return a 401 response with headers indicating how to obtain an authorization token. It will redirect you to auth.docker.io/token in order to retrieve the token. See this blog post

Do you get a 401 response on these endpoints?

jcarter3 avatar Mar 07 '24 16:03 jcarter3

No, I'm not getting a 401 response. I'm literally getting nothing as a response. See the verbose curl output below.

hitting the endpoint with curl I get this.

└─> curl -v https://registry-1.docker.io/v2
*   Trying 54.196.99.49:443...
* Connected to registry-1.docker.io (54.196.99.49) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Oct  2 00:00:00 2023 GMT
*  expire date: Oct 31 23:59:59 2024 GMT
*  subjectAltName: host "registry-1.docker.io" matched cert's "*.docker.io"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /v2 HTTP/1.1
> Host: registry-1.docker.io
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS alert, close notify (256):
* Empty reply from server
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (52) Empty reply from server

└─> curl -I -L https://registry-1.docker.io/v2
curl: (52) Empty reply from server

hemna avatar Mar 07 '24 16:03 hemna

:thinking: I'm unable to replicate this on any other system. Is this on any sort of VPN or work network, firewall, etc, ( I know you said no proxy, just trying to get the full picture)

jcarter3 avatar Mar 07 '24 19:03 jcarter3