How to Fix Docker Connection Refused on DigitalOcean Droplet


The Root Cause

This issue typically indicates that the Docker daemon service is not running, or that the Docker socket (/var/run/docker.sock) is not accessible because of incorrect permissions or a misconfigured daemon. On a DigitalOcean Droplet, it frequently occurs after a new Docker installation, after system updates, or when the docker.service unit has failed to start correctly. Firewall rules often make it worse when the connection is made remotely over TCP.

Quick Fix (CLI)

# Ensure the Docker daemon service is started
sudo systemctl start docker

# Enable the Docker service to start automatically on boot
sudo systemctl enable docker

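# Add your current user to the 'docker' group to execute Docker commands without 'sudo'
# Replace "$USER" with your actual username if not logged in as the target user
# Membership in the 'docker' group gives root-equivalent control of the host, so add only trusted accounts
sudo usermod -aG docker "$USER"

# Apply the new group membership immediately for the current session without relogging
# (newgrp starts a new shell; run the remaining commands inside it)
newgrp docker

# Restart the Docker service so that any daemon configuration changes are applied
# (group membership takes effect per login session, not through this restart)
sudo systemctl restart docker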

Configuration Check

File: /etc/docker/daemon.json

This is the primary configuration file for the Docker daemon.

  • Ensure valid JSON: A malformed daemon.json can prevent the Docker service from starting, leading to “Connection Refused.” Verify its syntax carefully.
  • Socket Configuration: If the hosts key is present, ensure it explicitly includes unix:///var/run/docker.sock for local socket access. For example:
    {
        "log-driver": "json-file",
        "log-opts": {
            "max-size": "10m",
            "max-file": "3"
        },
        "hosts": ["unix:///var/run/docker.sock"]
    }
    daemon.json is strict JSON and does not accept comments, so keep notes out of the file. If remote TCP access is configured (e.g., "tcp://0.0.0.0:2375"), add that entry to the hosts list and ensure it is secured. On systemd hosts where the docker.service unit already passes -H to dockerd, a hosts key in daemon.json conflicts with it and the daemon will not start; define the listeners in one place only.
    After any modification, restart the Docker daemon: sudo systemctl restart docker.
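The two checks above can be automated before restarting the daemon. The following is an added example, not part of the original guide or of Docker itself: the function name, the sample inputs and the certificate paths are constructed for illustration, and it treats any tcp:// listener without "tlsverify": true as a critical finding.

```python
import json

LOCAL_SOCKET = "unix:///var/run/docker.sock"

def audit_daemon_config(text):
    """Return (severity, message) findings for the text of a daemon.json file."""
    try:
        cfg = json.loads(text)  # strict JSON: comments and trailing commas fail
    except json.JSONDecodeError as exc:
        return [("error", f"invalid JSON (line {exc.lineno}, col {exc.colno}): {exc.msg}")]
    if not isinstance(cfg, dict):
        return [("error", "top-level value must be a JSON object")]
    hosts = cfg.get("hosts")
    if hosts is None:
        return []  # no override: the daemon keeps its default local socket
    if not isinstance(hosts, list) or not all(isinstance(h, str) for h in hosts):
        return [("error", "'hosts' must be a list of strings")]
    findings = []
    if LOCAL_SOCKET not in hosts:
        findings.append(("warning", f"'hosts' omits {LOCAL_SOCKET}; default local CLI connections will fail"))
    for host in hosts:
        if host.startswith("tcp://") and cfg.get("tlsverify") is not True:
            findings.append(("critical", f"{host} listens without 'tlsverify': unauthenticated API access"))
    return findings

# Constructed sample inputs (not taken from a real Droplet); certificate paths are placeholders.
SAMPLES = {
    "comment inside JSON": '{\n  "hosts": ["unix:///var/run/docker.sock"]\n  // remote access\n}',
    "plain TCP only": '{"hosts": ["tcp://0.0.0.0:2375"]}',
    "socket plus TLS TCP": json.dumps({
        "hosts": [LOCAL_SOCKET, "tcp://0.0.0.0:2376"],
        "tlsverify": True,
        "tlscacert": "/etc/docker/ca.pem",
        "tlscert": "/etc/docker/server-cert.pem",
        "tlskey": "/etc/docker/server-key.pem",
    }),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", audit_daemon_config(text) or "no findings")
```

To audit the real file, pass it the contents of /etc/docker/daemon.json read with sufficient privileges.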

Firewall Check (UFW): If you are attempting to connect to Docker remotely (e.g., via DOCKER_HOST), ensure your DigitalOcean Droplet’s firewall allows traffic on the configured Docker TCP port (the default is 2375 for insecure connections and 2376 for secure ones).

# Check UFW status and rules
sudo ufw status verbose

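# If Docker is configured to listen on a specific TCP port (e.g., 2375), allow it.
# Replace 2375 with your configured port if different.
# As written, this rule accepts connections from any source address.
sudo ufw allow 2375/tcp

Note: Exposing Docker over TCP without TLS encryption is a significant security risk and is not recommended for production environments. Without TLS client verification, anyone who can reach the port can issue commands to the daemon and, through it, take control of the host.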

Verification

# Verify the Docker daemon is running and accessible by listing containers
docker ps

# Alternatively, check the service status directly
sudo systemctl status docker

The docker ps command should now execute without a “Connection Refused” error, typically showing an empty list or your running containers. The sudo systemctl status docker command should report active (running).