Docker private registry, docker push is forbidden

I setup a private registry, which run fine. Docker 1.10. I choose to change the host, and recreate the certificate. All run fine on my server, but on my customer server I can't push an image to the registry :

unable to ping registry endpoint https://my.customer.private.hostname:5000/v0/
 v2 ping attempt failed with error: Get https://my.customer.private.hostname:5000/v2/: Forbidden
 v1 ping attempt failed with error: Get https://my.customer.private.hostname:5000/v1/_ping: Forbidden

I can't find anybody else talking about 'forbidden' answer on Google. Where can I search to understand ? I already deleted the container, the image, uninstalled docker, reinstalled docker but still the same error. The only thing I do not delete is the thinpool used to store docker data (devicemapper).

There is a systemd conf file for docker :



[Service] Environment="HTTP_PROXY=http://proxy:3128" Environment="NO_PROXY=localhost,"

The registry IP was not localhost, so I needed to add the host to the NO_PROXY variable. I still not undestand why the first host worked. Restarting the registry container without https (http only) and using tcpdump help us to resolve this issue.

For me it is very strange that docker is trying to reach via https to 5000 port and then you made a curl with http to the same port and it worked.

Probably you are doing: docker pull my.customer.private.hostname:5000 xxx/yyy instead of docker pull my.customer.private.hostname xxx/yyy


My docker registry have a certificate built for it, and the CA certificate is given to each Docker installation in /etc/docker/certs.d/myregistry.domain.tld:5000/ca.crt, so my registry is not insecure. But I will try to be sure.

You changed the host, did you update dns records?

Yes, and curl -k https://my.customer.private.hostname:5000/v2/_catalog give me a json record with my docker images.

First of all we need to know if its a certificate issue. try --insecure-registry myregistry:5000 option

Have you done a docker login my.customer.private.hostname:5000? I’d preface that with a docker logout my.customer.private.hostname:5000 to make sure an old login isn’t sitting around.

No, but there is no login on my private registry. I will try it.