# Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: TLS handshake timeout

- **ID:** `docker/tls-handshake-timeout`
- **Domain:** docker
- **Category:** network_error
- **Verification level:** ai_generated
- **Fix rate:** 75%

## Root cause

The Docker daemon cannot establish a TLS connection to the Docker Hub registry because of network latency, firewall blocking, or DNS resolution problems.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Docker 20.10.0 | active | — | — |
| Docker 24.0.0 | active | — | — |
| Docker 25.0.0 | active | — | — |
| Docker CE 26.0.0 | active | — | — |

## Solutions

1. Configure the Docker daemon to use a mirror registry by editing `/etc/docker/daemon.json`: add `{"registry-mirrors": ["https://mirror.gcr.io"]}` and restart Docker. Then pull the image again.
2. Increase the TLS handshake timeout by setting environment variables: `export DOCKER_CLIENT_TIMEOUT=120` and `export COMPOSE_HTTP_TIMEOUT=120` before running docker commands.
3. Check and update DNS settings: add `8.8.8.8` to `/etc/resolv.conf` or use systemd-resolved: `sudo resolvectl dns docker0 8.8.8.8`.
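
Step 1 goes wrong when an existing `daemon.json` is overwritten or left as invalid JSON. The following Python is an added example, not part of the original entry: it merges the mirror into the existing file, keeps the other settings, and replaces the file atomically. The function name `add_registry_mirror` and its HTTPS-only rule are assumptions of this example.

```python
import json
import os
import tempfile
from urllib.parse import urlparse


def add_registry_mirror(path, mirror):
    """Add `mirror` to "registry-mirrors" in the daemon.json at `path`.

    Returns the resulting configuration as a dict.
    """
    parsed = urlparse(mirror)
    # Policy of this example (an assumption): accept only HTTPS mirrors,
    # because every pull served by the mirror trusts its content.
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"mirror must be an https:// URL: {mirror!r}")

    config = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        if text.strip():
            # json.loads raises on malformed input, so a broken file is
            # reported instead of being silently overwritten.
            config = json.loads(text)
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")

    mirrors = config.setdefault("registry-mirrors", [])
    if not isinstance(mirrors, list):
        raise ValueError('"registry-mirrors" must be a list')
    if mirror not in mirrors:
        mirrors.append(mirror)

    # Write a temp file in the same directory, then rename it over the
    # target, so the daemon never reads a half-written file.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return config
```

Run it as root against `/etc/docker/daemon.json`, then restart Docker and pull the image again as in step 1.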

## Ineffective attempts

- Setting `HTTP_PROXY` without `HTTPS_PROXY` in daemon.json does not affect TLS connections; the timeout persists. (60% failure rate)
- Flushing the DNS cache (e.g., `sudo systemctl restart systemd-resolved`) rarely resolves the issue if the root cause is network congestion or firewall rules. (70% failure rate)
