I am having trouble pushing to a Nexus-hosted Docker repository, running on RHEL 9 behind nginx, which is configured to listen on 443 with SSL.
Trying: docker push my-repo.my-domain.com/v2/repository/repo/ubuntu
results in:
The push refers to repository [my-repo.my-domain.com/v2/repository/repo]
687d59f2f6a6: Preparing
unauthorized: access to the requested resource is not authorized
I tried logging into the repo first, both at / and /v2/, but neither a test user with the explicit permissions nor the full premade admin user gets past this error.
I also noticed that I can just put in any credentials, and docker will report “Login Succeeded”; however, pushes are still refused.
Docker running on the same system can pull images from the official repos.
This is my nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    proxy_send_timeout 120;
    proxy_read_timeout 300;
    proxy_buffering off;
    keepalive_timeout 5 5;
    tcp_nodelay on;
}

server {
    listen 443 ssl;
    server_name my-repo.my-domain.com;
    ssl_certificate /etc/pki/tls/certs/my-repo.my-domain[dot]com.crt;
    ssl_certificate_key /etc/pki/tls/private/my-repo.my-domain[dot]com.key;

    # General proxy for the Nexus web interface
    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Proxy for Docker registry API (v2)
    location /v2/ {
        proxy_pass http://127.0.0.1:8081/repository/repo/; # this was set according to repo path in webinterface, however the webinterface includes https (?)
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection keep-alive;
    }
}
And this is my nexus.properties:
nexus-host=0.0.0.0
nexus.http.port=8081
nexus.https.port=
(I previously tried with just nexus-host=0.0.0.0 and nexus.port=8081 with similar results)
Certs from our CA were generated and are in /etc/pki/tls/certs/my-repo.my-domain.com.crt
and /etc/pki/tls/private/my-repo.my-domain.com.key
firewalld on the system is disabled, and SELinux is temporarily set to permissive.
Anonymous pull is enabled.
I can browse to the web interface of the repo at its server name and log in.
As mentioned, I can also log into the repo via docker login my-repo.my-domain[dot]com; however, this seems broken, as I can use any password and still receive a “success” message.
Any ideas on where I should look further would be appreciated.
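
Added example, not part of the original post: a Python trace of which upstream path Nexus receives for the requests Docker sends through the two `location` blocks above. It assumes the Docker Registry HTTP API V2 URL shapes (`GET /v2/` for the login check, `POST /v2/<name>/blobs/uploads/` to start a push) and nginx's prefix replacement when `proxy_pass` carries a URI; the function names are hypothetical.

```python
from urllib.parse import urlsplit

# (location prefix, proxy_pass target) pairs copied from the posted nginx.conf
LOCATIONS = [
    ("/", "http://127.0.0.1:8081"),
    ("/v2/", "http://127.0.0.1:8081/repository/repo/"),
]

def docker_requests(image_ref):
    """Paths the Docker client requests for `docker login` and `docker push`.

    The first component of the reference is the registry host, the rest is
    the repository name, and every registry API URL starts with /v2/.
    """
    host, _, name = image_ref.partition("/")
    name = name.split(":")[0]  # drop an optional tag
    return host, {
        "login_ping": "/v2/",
        "start_upload": f"/v2/{name}/blobs/uploads/",
    }

def nginx_upstream(path):
    """Longest-prefix location match, then proxy_pass URI replacement."""
    prefix, target = max(
        (loc for loc in LOCATIONS if path.startswith(loc[0])),
        key=lambda loc: len(loc[0]),
    )
    upstream_uri = urlsplit(target).path
    if upstream_uri:  # proxy_pass has a URI: it replaces the matched prefix
        return upstream_uri + path[len(prefix):]
    return path       # no URI part: the request path is passed unchanged

def trace(image_ref):
    """Map each Docker request to the path the upstream (Nexus) receives."""
    _host, requests = docker_requests(image_ref)
    return {step: nginx_upstream(path) for step, path in requests.items()}

if __name__ == "__main__":
    # The reference used in the post, and the same image without the extra path
    for ref in ("my-repo.my-domain.com/v2/repository/repo/ubuntu",
                "my-repo.my-domain.com/ubuntu"):
        print(ref)
        for step, upstream in trace(ref).items():
            print(f"  {step:13} -> {upstream}")
```

Comparing the traced paths with the request paths Nexus actually logs for a `docker login` and a `docker push` shows whether the proxy is delivering the URLs the repository expects.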