Skip to content
Latchkey

Insecure registry "http: server gave HTTP response to HTTPS client" in CI

The docker daemon defaults to HTTPS for registries, but this registry answered over plain HTTP. The handshake fails with "server gave HTTP response to HTTPS client". For a registry that genuinely serves HTTP, declare it as an insecure registry in the daemon config; the better fix is to enable TLS.

What this error means

docker push or pull to a local/self-hosted registry (often :5000) fails with "http: server gave HTTP response to HTTPS client".

docker
Error response from daemon: Get "https://registry.internal:5000/v2/":
http: server gave HTTP response to HTTPS client

Common causes

The registry serves HTTP, the daemon expects HTTPS

A registry started without TLS responds in HTTP, but docker speaks HTTPS first and rejects the mismatch.

The host is not in insecure-registries

Until the daemon is told the host is insecure, it will not fall back to HTTP.

How to fix it

Declare the registry insecure (non-prod)

  1. Add the host:port to insecure-registries in daemon.json.
  2. Restart docker so the daemon accepts HTTP for that host.
  3. Retry the push or pull.
/etc/docker/daemon.json
{ "insecure-registries": ["registry.internal:5000"] }

Enable TLS on the registry (preferred)

Serve the registry over HTTPS with a trusted certificate so no insecure exception is needed.

How to prevent it

  • Run registries over TLS so HTTPS clients connect cleanly.
  • Reserve insecure-registries for local/dev only.
  • Configure insecure hosts on every runner that needs them.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →