Problem with TLS for registry

Trying to create remote docker registry on GCP (ubuntu 16.04) and docker login to registry from local client (ubuntu 16.04) with TLS.
Followed instructions from Registry | Docker Docs
both client and remote GCP have Docker version 17.12.0-ce

when first starting remote registry (following instructions above) client gets:
x509: certificate signed by unknown authority
server gets:
remote error: tls: bad certificate

after creating daemon.json file on server for insecure registry and restarting docker service and recreating registry with same command line, client gets:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

server logs show no change.

docker info on server shows:

Labels:
Experimental: false
Insecure Registries:
private-image-repo:443
127.0.0.0/8
Live Restore Enabled: false

created registry container on server with following command line:
docker run -d \
  --restart=always \
  --name registry \
  -v /certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry:2.6.2

on client side after creating insecure registry:
docker login private-image-repo:443
Warning: failed to get default registry endpoint from daemon (Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?). Using system default: https://index.docker.io/v1/
Username: testuser
Password:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

docker registry container running OK and logs OK:
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3df881027cfe registry:2.6.2 "/entrypoint.sh /etc…" 12 minutes ago Up 12 minutes 0.0.0.0:443->443/tcp, 5000/tcp registry
ubuntu@private-image-repo:~$ docker logs 3df881027cfe
time="2018-02-10T18:11:40Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.7.6 instance.id=b853ef27-e557-48e3-97e0-77ce32d46926 version=v2.6.2
time="2018-02-10T18:11:40Z" level=info msg="redis not configured" go.version=go1.7.6 instance.id=b853ef27-e557-48e3-97e0-77ce32d46926 version=v2.6.2
time="2018-02-10T18:11:40Z" level=info msg="Starting upload purge in 33m0s" go.version=go1.7.6 instance.id=b853ef27-e557-48e3-97e0-77ce32d46926 version=v2.6.2
time="2018-02-10T18:11:40Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.7.6 instance.id=b853ef27-e557-48e3-97e0-77ce32d46926 version=v2.6.2
time="2018-02-10T18:11:40Z" level=info msg="listening on [::]:443, tls" go.version=go1.7.6 instance.id=b853ef27-e557-48e3-97e0-77ce32d46926 version=v2.6.2

How can I get docker login working with or without insecure-registry?

finally figured this out on my own:
a. on the client: cp domain.crt to /usr/local/share/ca-certificates/ and update-ca-certificates && service docker restart

b: on server: create daemon.json with insecure-registry stuff. start registry container with following
docker run -d \
  --restart=always \
  --name registry \
  -v /certs:/certs \
  -v /auth:/auth \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry:2.6.2

now remote login/push/pull works correctly