Reputation: 2961
I followed the docker manuals for setting up a private registry, and acquired a Let's Encrypt certificate. This is my docker-compose.yml:
version: '2'
services:
  registry:
    restart: always
    image: registry:2.3.1
    ports:
      - 5000:5000
    environment:
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/live/git.xxxx.com/fullchain.pem
      REGISTRY_HTTP_TLS_KEY: /certs/live/git.xxxx.com/privkey.pem
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
    volumes:
      - ./data:/var/lib/registry
      - /etc/letsencrypt:/certs
      - ./auth:/auth
This is my curl command and result:
curl https://git.xxxx.com:5000/v2/
<htpassword auth succeeds>
{}
Also Chrome/Firefox are green and can reach this without cert errors. But docker login keeps failing.
docker login https://git.xxxx.com:5000/v2/
Username: raarts
Password:
Email:
Error response from daemon: invalid registry endpoint https://git.xxxx.com:5000/v2/: Get https://git.xxxx.com:5000/v2/: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry git.xxxx.com:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/git.xxxx.com:5000/ca.crt
Using docker 1.10.3
Upvotes: 1
Views: 993
Reputation: 2961
I fixed the problem. And it's embarrassing. I'd rather not talk about it if it weren't for the stupid and confusing error message I got.
On my own laptop I had pointed git.xxxx.com to another IP. So docker could not actually reach the registry server; connections were refused.
But the error message I got really pointed me in the wrong direction and cost me several hours of my time.
Upvotes: 2
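A check for the situation described in the answer above, where a local name override sends the client to a different machine than the registry. This is an added example, not code from the original posts; the function names, the host git.example.test and the sample addresses are constructed placeholders, and served_cert assumes the openssl CLI and network access.

```shell
#!/bin/sh
# Added diagnostic example; names and sample data are assumptions, not from the post.

# hosts_overrides FILE HOST
# Print every IP that FILE (hosts(5) format) maps HOST to, ignoring comments and case.
hosts_overrides() {
    awk -v host="$2" '
        BEGIN { host = tolower(host) }
        {
            sub(/#.*/, "")               # strip trailing and full-line comments
            for (i = 2; i <= NF; i++)    # field 1 is the IP, the rest are names
                if (tolower($i) == host) { print $1; break }
        }
    ' "$1"
}

# check_endpoint HOST EXPECTED_IP [HOSTS_FILE]
# Return 1 and report if a local override pins HOST to anything but EXPECTED_IP.
check_endpoint() {
    host=$1 expected=$2 file=${3:-/etc/hosts}
    rc=0
    for ip in $(hosts_overrides "$file" "$host"); do
        if [ "$ip" != "$expected" ]; then
            echo "MISMATCH: $file pins $host to $ip, expected $expected"
            rc=1
        fi
    done
    return $rc
}

# served_cert HOST PORT  (live check, needs network)
# Show subject and issuer of the certificate presented by whatever answers
# at the address this machine resolves HOST to.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer
}

# Constructed sample hosts file: a stale pin for the registry name.
sample_hosts() {
    cat <<'EOF'
127.0.0.1   localhost
# 203.0.113.10 git.example.test   (commented out, must be ignored)
192.0.2.7   Git.Example.Test git   # leftover test entry
EOF
}
```

Run check_endpoint with the address the registry's public DNS record should return; if it reports a mismatch, or served_cert shows an unexpected issuer, the client is talking to a different host than intended.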