Commit b36a7f83 authored by Daniel Diniz's avatar Daniel Diniz Committed by Nick Gaskill

Include troubleshooting docker invalid token

Add a section on troubleshooting mismatching certificate key pairs, used
to encrypt the connection between Registry and GitLab.
parent 51a27920
......@@ -1063,6 +1063,70 @@ encounter this error.
Administrators can increase the token duration in **Admin area > Settings >
CI/CD > Container Registry > Authorization token duration (minutes)**.
### Docker login attempt fails with: 'token signed by untrusted key'
[Registry relies on GitLab to validate credentials](https://docs.gitlab.com/omnibus/architecture/registry/).
If the registry fails to authenticate valid login attempts, you get the following error message:
```shell
# docker login gitlab.company.com:4567
Username: user
Password:
Error response from daemon: login attempt to https://gitlab.company.com:4567/v2/ failed with status: 401 Unauthorized
```
And more specifically, this appears in the `/var/log/gitlab/registry/current` log file:
```plaintext
level=info msg="token signed by untrusted key with ID: "TOKE:NL6Q:7PW6:EXAM:PLET:OKEN:BG27:RCIB:D2S3:EXAM:PLET:OKEN""
level=warning msg="error authorizing context: invalid token" go.version=go1.12.7 http.request.host="gitlab.company.com:4567" http.request.id=74613829-2655-4f96-8991-1c9fe33869b8 http.request.method=GET http.request.remoteaddr=10.72.11.20 http.request.uri="/v2/" http.request.useragent="docker/19.03.2 go/go1.12.8 git-commit/6a30dfc kernel/3.10.0-693.2.2.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.2 \(linux\))"
```
GitLab uses the contents of the certificate key pair's two sides to encrypt the authentication token
for the Registry. This message means that those contents do not align.
Check which files are in use:
- `grep -A6 'auth:' /var/opt/gitlab/registry/config.yml`
```yaml
## Container Registry Certificate
auth:
token:
realm: https://gitlab.my.net/jwt/auth
service: container_registry
issuer: omnibus-gitlab-issuer
--> rootcertbundle: /var/opt/gitlab/registry/gitlab-registry.crt
autoredirect: false
```
- `grep -A9 'Container Registry' /var/opt/gitlab/gitlab-rails/etc/gitlab.yml`
```yaml
## Container Registry Key
registry:
enabled: true
host: gitlab.company.com
port: 4567
api_url: http://127.0.0.1:5000 # internal address to the registry, will be used by GitLab to directly communicate with API
path: /var/opt/gitlab/gitlab-rails/shared/registry
--> key: /var/opt/gitlab/gitlab-rails/etc/gitlab-registry.key
issuer: omnibus-gitlab-issuer
notification_secret:
```
The output of these `openssl` commands should match, proving that the cert-key pair is a match:
```shell
openssl x509 -noout -modulus -in /var/opt/gitlab/registry/gitlab-registry.crt | openssl sha256
openssl rsa -noout -modulus -in /var/opt/gitlab/gitlab-rails/etc/gitlab-registry.key | openssl sha256
```
If the two pieces of the certificate do not align, remove the files and run `gitlab-ctl reconfigure`
to regenerate the pair. If you have overridden the automatically generated self-signed pair with
your own certificates and have made sure that their contents align, you can delete the 'registry'
section in your `/etc/gitlab/gitlab-secrets.json` and run `gitlab-ctl reconfigure`.
### AWS S3 with the GitLab registry error when pushing large images
When using AWS S3 with the GitLab registry, an error may occur when pushing
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment