Insecure registry "http: server gave HTTP response to HTTPS client" in CI
The docker daemon defaults to HTTPS for registries, but this registry answered over plain HTTP. The handshake fails with "server gave HTTP response to HTTPS client". For a registry that genuinely serves HTTP, declare it as an insecure registry in the daemon config; the better fix is to enable TLS.
What this error means
docker push or pull to a local/self-hosted registry (often :5000) fails with "http: server gave HTTP response to HTTPS client".
Error response from daemon: Get "https://registry.internal:5000/v2/":
http: server gave HTTP response to HTTPS clientCommon causes
The registry serves HTTP, the daemon expects HTTPS
A registry started without TLS responds in HTTP, but docker speaks HTTPS first and rejects the mismatch.
The host is not in insecure-registries
Until the daemon is told the host is insecure, it will not fall back to HTTP.
How to fix it
Declare the registry insecure (non-prod)
- Add the host:port to insecure-registries in daemon.json.
- Restart docker so the daemon accepts HTTP for that host.
- Retry the push or pull.
{ "insecure-registries": ["registry.internal:5000"] }Enable TLS on the registry (preferred)
Serve the registry over HTTPS with a trusted certificate so no insecure exception is needed.
How to prevent it
- Run registries over TLS so HTTPS clients connect cleanly.
- Reserve insecure-registries for local/dev only.
- Configure insecure hosts on every runner that needs them.