Pulling from gitlab registry : unable to decode token response: invalid character '<' looking for beginning of value

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Hello,

I'm encountering an issue while trying to pull a docker image from our private Gitlab Registry :

docker pull gitlab.tld:4567/fusioniam/fusioniam/fusioniam-lemonldap-ng:master-2f6be426
Error response from daemon: Head "https://gitlab.tld:4567/v2/fusioniam/fusioniam/fusioniam-lemonldap-ng/manifests/master-2f6be426": unable to decode token response: invalid character '<' looking for beginning of value

The project is public, there is no restriction whatsoever. I should have been able to pull this image without docker login, but I was able to successfuly log in:

$ docker login gitlab.tld
Username: user
Password: 

WARNING! Your credentials are stored unencrypted in '/home/user/.docker/config.json'.
Configure a credential helper to remove this warning. See
https://docs.docker.com/go/credential-store/

Login Succeeded

Trying to log to gitlab.tld:4567 does not work though:

$ docker login gitlab.tld:4567
Username: user
Password: 
Error response from daemon: Get "https://gitlab.tld:4567/v2/": unable to decode token response: invalid character '<' looking for beginning of value

Running Gitlab-CE Omnibus package 18.6.0-ce.0 on Debian 12 64bits.

Here is the /var/log/gitlab/registry logs of this pull :

2025-11-24_12:17:48.38278 time="2025-11-24T13:17:48.382+01:00" level=info msg="router info" config_http_addr="127.0.0.1:5000" config_http_host= config_http_net= config_http_prefix= config_http_relative_urls=false correlation_id=01KATWRYTY5FY11XN5EEMZEGGP environment=production go_version=go1.24.5 instance_id=eb39f99b-f42a-4a2a-9362-3e263c35b3e1 method=GET path=/v2/ root_repo= router=gorilla/mux service=registry version=v4.31.0-gitlab
2025-11-24_12:17:48.38298 {"content_type":"application/json","correlation_id":"01KATWRYTY5FY11XN5EEMZEGGP","duration_ms":0,"host":"gitlab.tld:4567","level":"info","method":"GET","msg":"access","proto":"HTTP/1.1","read_bytes":340,"referrer":"","remote_addr":"127.0.0.1:37916","remote_ip":"myclientip","status":401,"system":"http","time":"2025-11-24T13:17:48.382+01:00","ttfb_ms":0,"uri":"/v2/","user_agent":"docker/28.3.3 go/go1.24.5 git-commit/bea959c kernel/6.1.0-38-amd64 os/linux arch/amd64 UpstreamClient(Docker-Client/28.3.3 \\(linux\\))","written_bytes":87}

/var/log/nginx/gitlab_registry*.log :

myclientip - - [24/Nov/2025:13:18:55 +0100] "GET /v2/ HTTP/1.1" 401 87 "" "docker/28.3.3 go/go1.24.5 git-commit/bea959c kernel/6.1.0-38-amd64 os/linux arch/amd64 UpstreamClient(Docker-Client/28.3.3 \x5C(linux\x5C))" -

Here is my uncommented gitlab parameters related to the registry :

root@host:/etc/gitlab [!] # grep registry gitlab.rb |grep -v "#"
gitlab_rails['gitlab_default_projects_features_container_registry'] = false
registry_external_url 'https://gitlab.tld:4567'
gitlab_rails['registry_enabled'] = true
registry['enable'] = true
registry_nginx['enable'] = true
registry_nginx['listen_port'] = 4567
registry_nginx['listen_https'] = true
registry_nginx['ssl_certificate'] = "/etc/ssl/certs/wildcard.tld.bundled.crt"
registry_nginx['ssl_certificate_key'] = "/etc/ssl/private/wildcard.tld.key"

There is no reverse-proxy or anything able to block or tempers in front of the Gitlab Registry.

Any help appreciated.