Docker registry login fails with "Certificate signed by unknown authority"

For cheap / lesser known certs like the COMODO or StartSSL ones, you need to add the entire certificate chain into the certificate file you are using with nginx. Many operating systems don't trust the intermediate CAs, just the root CA, so you need to fill in the missing steps between the certificate for your host and the root CA that is trusted by the OS.

In the e-mail you received your certificate with, you should also find links to the intermediate CAs and the root CA. Open the docker-registry.crt file, scroll to the bottom, and append the intermediate CAs and, finally, the root CA certificate for the PositiveSSL chain. Once you've done that, restart nginx. You should now be good to go.

For RHEL hosts, you can add the CA cert to the PKI CA list on the client host:

cp docker-registry.crt /etc/pki/ca-trust/source/anchors/docker-registry.crtupdate-ca-trustsystemctl restart docker

From https://www.happyassassin.net/2014/09/06/adding-your-freeipa-servers-ca-certificate-to-the-system-wide-trust-store-on-fedora-and-rhel/

If you are on mac, simply add the registry to the insecure-registries setting in ~/.docker/daemon.json:

{  "debug" : true,  "experimental" : true,  "registry-mirrors" : [],  "insecure-registries" : ["registry.your.domain.de"]}

In case you do a mistake somewhere (I forgot a comma in the JSON) some issues afterwards with starting up the docker daemon might arise. Namely any docker command throwing an Error response from daemon: Bad response from Docker engine. A few restarts and resets later that resolved itself.

(note this approach will permit the docker client to accept any certificate claiming to be for that domain, including forged certificates on spoofed registries, so should only be used for internal networks you control and if you are not concerned with spoofing or man-in-the-middle attacks)