Intermittent TLS handshake timeout from ACR

Jake White 0 Reputation points
2025-12-05T10:16:30.6133333+00:00

Hiya

We're intermittently getting an Error response from daemon: Get "https://xxxxxxxx.azurecr.io/v2/": net/http: TLS handshake timeout when interacting with our Azure Container Registry.

It works fine most of the time, but it has occurred from local machines when doing an az acr login or a docker pull.

More disruptively, it also happens during our Azure DevOps pipeline. Out of 20 images being pushed with the Docker@2 task, ~5 are getting this error consistently at the moment, to the point where we've had to add a retry. It immediately retries the exact same task and is usually, but not always, successful.

Are there any suggestions for how we can resolve or at the very least improve the reliability?

Thanks

Azure Container Registry
An Azure service that provides a registry of Docker and Open Container Initiative images.

1 answer

  1. Ankit Yadav 6,760 Reputation points Microsoft External Staff Moderator
    2025-12-05T12:08:38.5033333+00:00

    Hello @Jake White ,

    It looks like you are facing intermittent TLS handshake errors for some of the operations (not all). This could be due to the reasons below:

    1. Network Latency/DNS: Slow or misrouted connections to ACR, especially if agents and ACR are in different regions.
    2. High Concurrency: Multiple parallel image pushes or layers can hit throughput limits or cause resource contention.
    3. Transient Load or Throttling: ACR or client under heavy load during handshake.

    Recommended Fixes:

    1. Optimize Network Path:
      -> Place build agents in same region as ACR.
      -> Check DNS resolution (nslookup <registry>.azurecr.io) and latency.
      -> Allow direct outbound access to *.azurecr.io on port 443.
    2. Reduce Concurrency:
      -> Push images sequentially or limit Docker concurrent uploads ("max-concurrent-uploads": 1).
      -> Add retry with backoff (e.g., 10–15 sec delay).
      -> Use Premium for higher throughput and concurrent operations.
    3. Pipeline Best Practices:
      -> Single login per job; reuse session.
      -> Consider self-hosted agent in same region.

    Additionally, I saw this issue was reported in the past, specifically for pushing images via Docker to ACR, and the solution below was recommended for it, so kindly try this as well.

    Step 1: Verify the Docker daemon proxy configuration at

    /etc/systemd/system/docker.service.d/proxy.conf
    

    Step 2: Flush changes once

    sudo systemctl daemon-reload
    

    Step 3: Restart Docker

    sudo systemctl restart docker
    

    Source: https://stackoverflow.com/questions/74919872/net-http-tls-handshake-timeout-while-login-to-azure-container-registry-from-ubu
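
The retry with backoff recommended in the answer above, as an added example (not code from the thread or from Microsoft): a shell wrapper that retries only when stderr contains the "TLS handshake timeout" text quoted in the question, so other failures such as rejected credentials surface immediately instead of being retried. The function name, the `RETRY_*` variables, the doubling delay, and the assumption that the client writes the error to stderr are choices made for this example.

```shell
# Added example: retry a registry command only on the transient error quoted
# in the question. Names and defaults below are assumptions, not from the thread.
RETRY_MAX_ATTEMPTS="${RETRY_MAX_ATTEMPTS:-4}"            # total tries, including the first
RETRY_BASE_DELAY="${RETRY_BASE_DELAY:-10}"               # seconds; the answer suggests 10-15
RETRY_PATTERN="${RETRY_PATTERN:-TLS handshake timeout}"  # text from the reported error

# Usage: retry_on_tls_timeout docker push <registry>.azurecr.io/<image>:<tag>
retry_on_tls_timeout() {
    local attempt=1 delay="$RETRY_BASE_DELAY" rc errfile
    errfile="$(mktemp)" || return 1
    while :; do
        # stdout passes through; stderr is captured so the failure can be classified.
        rc=0
        "$@" 2>"$errfile" || rc=$?
        cat "$errfile" >&2
        if [ "$rc" -eq 0 ]; then
            rm -f "$errfile"
            return 0
        fi
        # Anything other than the known transient error (for example a rejected
        # login) is returned at once so retries cannot hide it.
        if ! grep -qF -- "$RETRY_PATTERN" "$errfile"; then
            rm -f "$errfile"
            return "$rc"
        fi
        if [ "$attempt" -ge "$RETRY_MAX_ATTEMPTS" ]; then
            echo "retry: giving up after $attempt attempts" >&2
            rm -f "$errfile"
            return "$rc"
        fi
        echo "retry: attempt $attempt hit '$RETRY_PATTERN', waiting ${delay}s" >&2
        sleep "$delay"
        attempt=$((attempt + 1))
        delay=$((delay * 2))   # doubling is an assumed backoff policy
    done
}
```

Logging each retried attempt keeps the failure rate visible in pipeline output, which helps when comparing runs before and after the network and concurrency changes listed in the answer.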

