Skip to content
Latchkey

Docker "http: server gave HTTP response to HTTPS client" - Insecure Registry

The Docker daemon tried to talk to the registry over HTTPS, but the registry answered with plain HTTP. The daemon assumes TLS by default, so it refuses the mismatched response.

What this error means

A docker push/pull to a local or self-hosted registry (often on :5000) fails with http: server gave HTTP response to HTTPS client. It is deterministic for that registry until the daemon is told the host serves HTTP.

docker push/pull output
Error response from daemon: Get "https://registry.local:5000/v2/":
http: server gave HTTP response to HTTPS client

Common causes

The registry serves plain HTTP, not HTTPS

A development or internal registry without TLS answers over HTTP. The daemon defaults to HTTPS for every registry, so the HTTP response looks wrong.

The registry is not listed as insecure

Until the host is in insecure-registries, the daemon will not fall back to HTTP for it, so every request is attempted over TLS and fails.

How to fix it

Declare the registry insecure (HTTP) in the daemon

Add the host to insecure-registries in daemon.json, then restart Docker. Suitable for CI/dev registries on a trusted network.

daemon.json
# /etc/docker/daemon.json
{ "insecure-registries": ["registry.local:5000"] }

sudo systemctl restart docker

Prefer enabling TLS on the registry

  1. Front the registry with a certificate (a private CA or public cert) and use HTTPS.
  2. If you must use HTTP, restrict it to an isolated CI network.
  3. Keep the insecure-registries list minimal and explicit.

How to prevent it

  • Serve registries over HTTPS wherever possible.
  • Scope insecure-registries to specific internal hosts only.
  • Document the insecure-registry requirement next to the CI registry config.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →