TLS certificate untrusted from dockerized registry container


I have a reccurent on my docker registry container. I use the official image from library/registry:2.3.1. This image needs to send notifications via webhooks to another docker container. webhooks endpoint is over HTTPS and certificates are delivered from an internal PKI.

On both containers, the ca certificate bundle has been added in /usr/share/ca-certificates directory with name cabundle.crt followed by command update-ca-certificates.

If I do a openssl s_client from the registry container: I can see that the proper certificate is presented with the expected certificate chain. But I get the following message:

Verify return code: 21 (unable to verify the first certificate)

Even if I manually add the full ca chain certificate bundled in /etc/ssl/certs/ca-certificates.crt file, I still get that error.

Something that I could have missed here to “force” my registry container to trust the certificate of my notification endpoint?