Harbor: Unable to sign using notary: not authorized server returned 401
On my mac to push images :
- Docker version 18.06.1-ce, build e68fc7a
On the Harbor instance :
- Harbor 1.6.0 with Notary and Clair
- Docker version 18.06.1-ce, build e68fc7a
- docker-compose version 1.22.0, build f46880f
I set up a fresh Harbor 1.6.0 instance with Notary and Clair. I am able to docker login and push unsigned images into the registry but as soon as I want to sign an image i got the following error :
docker login ****
Username: ****
Password: ****
Login Succeeded
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://****:4443
docker push ****/library/test:1.1
The push refers to repository [****/library/test]
f9d9e4e6e2f0: Layer already exists
1.1: digest: sha256:9f280d2ced2cc7cef13396ba2e31d6edd0bb8adc43225a5c090f78b308859c40 size: 527
Signing and pushing trust metadata
you are not authorized to perform this operation: server returned 401.
What was the expecting behavior ?
As it is the first image I want to signed from this newly created registry / notary server I was expecting to get prompted for the root key and the image passphrase as it is stated in the user_guide.
Harbor configuration file :
The protocol for accessing the UI and token/notification service, by default it is http.
It can be set to https if ssl is enabled on nginx.
ui_url_protocol = https
Determine whether or not to generate certificate for the registry's token.
If the value is on, the prepare script creates new root cert and private key
for generating token to access the registry. If the value is off the default key/cert will be used.
This flag also controls the creation of the notary signer's cert.
customize_crt = on
The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
From logs of the Harbor server :
notary-server.log
Sep 25 14:53:37 172.22.0.1 notary-server[1658]: {"go.version":"go1.7.3","http.request.host":"****:4443","http.request.id":"5d6cb630-5f20-44a4-abc6-79c37a9a2c96","http.request.method":"GET","http.request.remoteaddr":"****","http.request.uri":"/v2/****/library/test/_trust/tuf/root.json","http.request.useragent":"Docker-Client/18.06.1-ce (darwin)","http.response.contenttype":"application/json; charset=utf-8","http.response.duration":"195.818碌s","http.response.status":401,"http.response.written":174,"level":"info","msg":"response completed","time":"2018-09-25T07:53:37Z"}
registry.log
Sep 25 14:58:19 172.22.0.1 registry[1658]: time="2018-09-25T07:58:19.274497812Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.7.3 http.request.host=**** http.request.id=6f5f4a44-9819-4a6b-9df8-eeab404876ec http.request.method=GET http.request.remoteaddr=**** http.request.uri="/v2/" http.request.useragent="docker/18.06.1-ce go/go1.10.3 git-commit/e68fc7a kernel/4.9.93-linuxkit-aufs os/linux arch/amd64 UpstreamClient(Docker-Client/18.06.1-ce \\(darwin\\))" instance.id=c66bb6e3-4937-453a-b22c-cf472e23f110 service=registry version=v2.6.2
It was working on an instance running 1.5.2 last week but since yesterday it seems i can not signed images whatever version of Harbor I use (1.5.2, 1.5.3, 1.6.0)... I even tried to downgrade to docker 17.12 to see if it was related to my specific docker version but it did not help.
Any idea of what my mistake is here ?
guillaumelfv
All 11 comments
@guillaumelfv
What auth type are you using? What role of the current user?
steven-zou
on 25 Sep 2018
@steven-zou
We are using LDAP auth.
In my situation I use the admin user to push to the library project (automatically created at installation) which is a public project. The admin user is Project Admin on this project.
I also tried to create new project and to push with other LDAP user which i set to Project Admin also but did not work either..
guillaumelfv
on 25 Sep 2018
@wy65701436
Would you please to take a look at this issue? Thanks.
steven-zou
on 28 Sep 2018
I have same issue. please suggest, what i was wrong.
pongpruk
on 1 Nov 2018
I am also facing the same issue.
docker push dockerprivaterepo.fcinternal.net/production/klickpay:v333
The push refers to repository [dockerprivaterepo.fcinternal.net/production/klickpay]
b9b7103af585: Layer already exists
ca2991e4676c: Layer already exists
a768c3f3878e: Layer already exists
bc7f4b25d0ae: Layer already exists
v333: digest: sha256:acd85db6e4b18aafa7fcde5480872909bd8e6d5fbd4e5e790ecc09acc06a8b78 size: 1150
Signing and pushing trust metadata
you are not authorized to perform this operation: server returned 401.
kapilsanbais
on 13 Dec 2018
It appears I am unable to sign images as well. I am in the process of thoroughly testing Harbor as we are looking at using it as our canonical Docker registry. Everything is promising thus far, but I am unable to get the Notary piece working at this time. Has anyone else experiencing this issue been able to resolve it?
Docker Push Error
Signing and pushing trust metadata
you are not authorized to perform this operation: server returned 401.
Error in Notary Server Log
{"go.version":"go1.9.4","http.request.host":"****","http.request.id":"120e5810-b0ef-46b7-9304-f2283432432f","http.request.method":"GET","http.request.remoteaddr":"****","http.request.uri":"/notary/","http.request.useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0","http.response.contenttype":"application/json; charset=utf-8","http.response.duration":"138.527碌s","http.response.status":401,"http.response.written":145,"level":"info","msg":"response completed","time":"2019-01-25T02:08:54Z"}
Error in Registry Log
[25/Jan/2019:02:21:10 +0000] "GET /v2 HTTP/1.1" 301 39 "" "Go-http-client/1.1"
time="2019-01-25T02:21:10.420002901Z" level=debug msg="authorizing request" go.version=go1.7.3 http.request.host="v1-harbor1-registry:5000" http.request.id=6ffcac1b-b003-49d7-9c11-1f0ae4f14174 http.request.method=GET http.request.referer="http://v1-harbor1-registry:5000/v2" http.request.remoteaddr="****" http.request.uri="/v2/" http.request.useragent="Go-http-client/1.1" instance.id=c21614c0-e3ca-487e-94e9-b17b5acb58fd service=registry version=v2.6.2
time="2019-01-25T02:21:10.420109766Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.7.3 http.request.host="v1-harbor1-registry:5000" http.request.id=6ffcac1b-b003-49d7-9c11-1f0ae4f14174 http.request.method=GET http.request.referer="http://v1-harbor1-registry:5000/v2" http.request.remoteaddr="****" http.request.uri="/v2/" http.request.useragent="Go-http-client/1.1" instance.id=c21614c0-e3ca-487e-94e9-b17b5acb58fd service=registry version=v2.6.2
KISStian
on 25 Jan 2019
I am trying to reproduce this issue on my env, but cannot get it reproduced.
docker version: 18.09
notary version:0.6.1
auth_mode: ldap
Please provide your configuration file, and logs of core, notary-server and notary signer.
wy65701436
on 11 Apr 2019
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
![stale[bot] picture](https://avatars3.githubusercontent.com/in/1724?v=4&s=40)
stale[bot]
on 12 Sep 2019
I get the same error in my MacOS, after switch to ubuntu, it works well.
stonezdj
on 3 Dec 2019
For me setting a credStore in ~/.docker/config.json solved it. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store .
Timoses
on 1 Jul 2020
For me setting a
credStorein ~/.docker/config.json solved it. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store .
i have encounter this problem recently, can you please describe how to fix this ? thank you !
a85302543
on 4 Aug 2020
Related issues
reasonerjt
路
3Comments
272909106
路
4Comments
abououdine
路
3Comments
steveal
路
3Comments
reasonerjt
路
3Comments
Most helpful comment
I have same issue. please suggest, what i was wrong.