I am using the Traefik load balancer to automatically generate Let's Encrypt SSL certificates. Check out the compose file for the load balancer setup.
```
version: "3.2"
services:
  traefik:
    container_name: traefik
    restart: unless-stopped
    image: traefik:1.5.4
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "/mnt/traefik:/etc/traefik/"
    command: traefik --docker --docker.domain=docker.localhost --logLevel=INFO --docker.watch --acme --acme.onhostrule --acme.httpchallenge.entrypoint=http --acme.storage=/etc/traefik/acme/acme.json --acme.[email protected] --acme.entryPoint=https --entryPoints='Name:http Address::80 Redirect.EntryPoint:https' --entryPoints='Name:https Address::443 TLS' --defaultentrypoints=http,https
    #command: traefik --web --docker --docker.domain=docker.localhost --loglevel=INFO
    networks:
      - gateway
  certdumper:
    container_name: traefik_certdumper
    image: mazdermind/traefik-certificate-extractor
    depends_on:
      - traefik
    restart: unless-stopped
    volumes:
      - /mnt/traefik/acme/acme.json:/var/acmejson/acme.json
      - /mnt/traefik/acme/certs:/var/acmejson/certs
networks:
  gateway:
    driver: bridge
```
certdumper is used to dump PEM certificates into `/mnt/traefik/acme/certs` from the auto-generated certificates that Traefik stores in acme.json.
Now I will be running the docker_registry service on the external network `traefik_gateway`, which is monitored by the traefik service. With labels on the container we can configure it to use the load balancer. Check out the compose file.
```
version: "3.2"
services:
  docker_registry:
    container_name: du-docker-registry
    image: registry:2.6.2
    restart: unless-stopped
    environment:
      - REGISTRY_AUTH=htpasswd
      - REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
      - REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd
      # - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain
      # - REGISTRY_HTTP_TLS_KEY=/certs/privkey
      # - REGISTRY_HTTP_SECRET=xxx
    volumes:
      # - "/mnt/traefik/acme/certs/docker.skoolyapp.com:/certs"
      - "/mnt/du/docker-registry/data:/var/lib/registry"
      - "/mnt/du/docker-registry/auth:/auth"
    labels:
      - "traefik.enable=true"
      - "traefik.port=5000"
      - "traefik.frontend.rule=Host:registry.domain1.com,registry.domain2.com"
      - "traefik.acme.domains=registry.domain1.com,registry.domain2.com"
      # - "traefik.frontend.passTLSCert=true"
      # - "traefik.frontend.passHostHeader=true"
      # - "traefik.frontend.customResponseHeaders=Docker-Distribution-Api-Version:registry/2.0"
    networks:
      - traefik_gateway
networks:
  traefik_gateway:
    external: true
```
With this setup I am getting the following error when I try to log in.
```
Error response from daemon: login attempt to https://registry.domain2.com/v2/ failed with status: 401 Unauthorized
```
Feel free to ask for more info, or point out a flaw in the setup.
Thx
`/auth/htpasswd` <- can you confirm that this file exists inside the container and that the registry has access to it?
Also, the registry logs, run in debug mode, would be helpful.
I wanted to comment in here, because this seemed like a similar issue I had. It turns out I had generated my user and password using htpasswd on macOS. It defaults to using MD5 algorithm. I added the -B flag to force bcrypt for new htpasswd file entries and it worked. This may be your problem? The documentation illustrates passing -B in the example in the docs, so I figured.
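The MD5-versus-bcrypt point above is easy to check before touching the registry. The following script is an added example, not code from this thread or from the registry project: it parses an htpasswd file and reports every entry whose hash scheme is not bcrypt, which is the only scheme the registry's htpasswd backend accepts (Apache MD5, SHA-1 and crypt entries are ignored, so logins against them fail with 401). The htpasswd content embedded in it is constructed for illustration; the bcrypt-shaped value is not a real hash of any password.

```python
"""Report htpasswd entries the Docker registry will reject.

The registry's htpasswd auth backend accepts only bcrypt hashes
($2a$, $2b$ or $2y$ prefix). `htpasswd` without -B writes Apache MD5
($apr1$), SHA-1 ({SHA}) or crypt(3) entries on many platforms (macOS
defaults to MD5); those entries are ignored, so every login gets 401.
"""
import re
import sys

# Modular-crypt bcrypt layout: $2x$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
CRYPT_RE = re.compile(r"^[./A-Za-z0-9]{13}$")

# Constructed sample (not real hashes of any password): only "alice"
# would be able to log in to the registry with this file.
BCRYPT_SAMPLE = "$2y$05$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_HTPASSWD = "\n".join([
    "alice:" + BCRYPT_SAMPLE,
    "bob:$apr1$saltsalt$abcdefghijklmnopqrstuv",
    "carol:{SHA}0123456789abcdefghijklmnopq=",
    "",
    "# comment lines and blank lines are skipped",
    "dave:$2y$05$tooshort",
    "eve",
])


def classify_hash(digest):
    """Name the password-hash scheme of one htpasswd digest field."""
    if BCRYPT_RE.match(digest):
        return "bcrypt"
    if digest.startswith("$2"):
        return "bcrypt-malformed"
    if digest.startswith("$apr1$"):
        return "apr1-md5"
    if digest.startswith("{SHA}"):
        return "sha1"
    if CRYPT_RE.match(digest):
        return "crypt"
    return "unknown"


def check_htpasswd(text):
    """Return [(user, scheme), ...] for every entry the registry will not accept.

    Lines without a "user:digest" shape are reported by line number.
    """
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            rejected.append((f"line {lineno}", "malformed"))
            continue
        user, digest = line.split(":", 1)
        scheme = classify_hash(digest)
        if scheme != "bcrypt":
            rejected.append((user, scheme))
    return rejected


if __name__ == "__main__":
    # Pass the path of the file mounted at /auth/htpasswd; with no
    # argument the constructed sample is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HTPASSWD
    problems = check_htpasswd(content)
    for who, scheme in problems:
        print(f"{who}: {scheme} -> regenerate this entry with `htpasswd -B`")
    sys.exit(1 if problems else 0)
```

Running it against the sample lists bob, carol, dave and the malformed line 7 while alice passes; a non-zero exit status makes it usable as a pre-deploy check in the script that writes `/auth/htpasswd`. Entries it flags are the ones to regenerate with `htpasswd -B`, as suggested above.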
thanks @farvour this fixed it for me after much befuddlement
it worked for me too, thanks @farvour
> I wanted to comment in here, because this seemed like a similar issue I had. It turns out I had generated my user and password using htpasswd on macOS. It defaults to using MD5 algorithm. I added the `-B` flag to force bcrypt for new htpasswd file entries and it worked. This _may_ be your problem? The documentation illustrates passing `-B` in the example in the docs, so I figured.

You even need to do this when using the shell in the docker registry image itself. Thanks, it really helped me out.