Hello all
I am trying to get a private registry working but struggle to get my certificate accepted by docker.
My setup is as follows:

• Docker on RHEL 7 (called host)
• Nexus 3 on host with a docker repository
• nginx on host
• nginx reverse proxy forwards to nexus docker repository
• nginx uses a custom signed certificate for ssl, this certificate consists of a root ca, intermediate ca and the host certificate

The setup above should work correctly.
The problem I now have is that I always get x509: certificate signed by unknown authority when I try to login to the registry.
I tried putting one / all / a merged certificate into /etc/docker/certs.d/<registry:port> and installing the certificates on the host (and also on another ubuntu based docker host) without any success. I am not able to login,
Checking the registry url with openssl with openssl s_client -showcerts -connect <registry:port> returns Verification OK
Is there any way to debug docker daemon to find out why it is not able to correcly verify the certificate? I am pretty much stuck and already tried for hours
Thank you for your help!

For myself I’ve been able to setup the trust by importing the CA cert into the clients local cert store and updating the trust:

1. Copy your CA cert to a pem file here, on the machine acting as client: /etc/pki/ca-trust/source/anchors
2. Update certificate trust: sudo update-ca-trust
3. Restart docker on your client, to allow the trust to take effect: systemctl restart docker

I copied the root ca, the intermediate ca and a chain (host certificate > intermediate > root) there, renamed all to .pem, updated the certificate trust and restarted the docker daemon, still the same issue

Gaaaaah after hours I found out that the issue was that in the docker daemon proxy config (/etc/systemd/system/docker.service.d/http-proxy.conf) I had a wildcard as no proxy:
NO_PROXY=*.mydomain.com
I changed that to:
NO_PROXY=mydomain.com"
Now it works as it should!