
Docker Registry with Self-Signed Certificate

$ mkdir certs
$ openssl req \
		-newkey rsa:4096 \
		-nodes \
		-sha256 \
		-keyout certs/domain.key \
		-x509 \
		-days 365 \
		-out certs/domain.crt
$ docker secret create domain.crt certs/domain.crt
$ docker secret create domain.key certs/domain.key
$ docker secret ls
ID                          NAME                DRIVER              CREATED             UPDATED
108vdrp0wpa7sl2b99gvqp2gd   domain.crt                              4 days ago          4 days ago
rjx8c7h8j0k2yb19dxae25nji   domain.key                              4 days ago          4 days ago
$ docker service create --name registry \
		--secret domain.crt \
		--secret domain.key \
		--constraint 'node.labels.registry==true' \
		--mount type=bind,src=/mnt/registry,dst=/var/lib/registry \
		-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
		-e REGISTRY_HTTP_TLS_CERTIFICATE=/run/secrets/domain.crt \
		-e REGISTRY_HTTP_TLS_KEY=/run/secrets/domain.key \
		--publish published=443,target=443 \
		--replicas 1 registry:2

On every Docker daemon that will push to or pull from the registry, install the certificate as the trusted CA for that host. The directory name under /etc/docker/certs.d must be exactly the host (plus :port, if any) used in image references; the service above is published on 443, so no port suffix is needed:

$ sudo mkdir -p /etc/docker/certs.d/registry.bampi.net
$ sudo cp certs/domain.crt /etc/docker/certs.d/registry.bampi.net/ca.crt
$ sudo chown root:root /etc/docker/certs.d/registry.bampi.net/ca.crt
$ sudo chmod 644 /etc/docker/certs.d/registry.bampi.net/ca.crt
$ sudo systemctl restart docker.service

Two caveats. First, Docker's Go TLS stack matches the hostname against the certificate's subjectAltName, not the CN, so a certificate generated with the command above and no SAN for registry.bampi.net will be rejected with an x509 error at pull time; add a SAN for the registry hostname when generating the certificate. Second, the certificate only protects the transport: registry:2 as started above has no authentication configured, so anyone who can reach port 443 can push and pull images. Restrict access at the network level or configure REGISTRY_AUTH before exposing it beyond a trusted network.

If the registry is also used from a plain Docker client machine, or from tools other than dockerd that rely on the operating system's trust store (curl, for example), trust the certificate at the OS level as well. The filename under the anchors directory is arbitrary. The following uses CentOS 6.9 as an example; on CentOS 6 the shared trust store must first be switched on once with `sudo update-ca-trust enable`:

$ sudo cp certs/domain.crt /etc/pki/ca-trust/source/anchors/registry.bampi.net.crt
$ sudo update-ca-trust
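The whole client-side procedure, as an added example that is not part of the original page: generate the self-signed certificate with a subjectAltName for the registry host, verify it the way a Docker daemon will (chain to the CA file and match the hostname against the SAN), and drop it into the certs.d directory for that host. The hostname registry.bampi.net and the certs/ directory are the page's own; the optional ROOT argument of install_daemon_ca and the openssl.cnf written next to the key are assumptions made so the script can be exercised without root privileges.

```shell
#!/bin/sh
# Added example, not part of the original page: generate the self-signed
# registry certificate with a subjectAltName, verify it the way a Docker
# daemon will, and install it under /etc/docker/certs.d for one host.
# Assumptions: OpenSSL 1.0.2 or newer on PATH; "registry.bampi.net" and
# the certs/ directory are placeholders taken from the page's own commands.
set -eu

# make_registry_cert HOST [DIR]: write DIR/domain.key and DIR/domain.crt.
# The SAN goes through a temporary config file rather than -addext so the
# same command also works on OpenSSL older than 1.1.1. Docker (Go 1.15+)
# ignores the CN and matches the hostname against the SAN only.
make_registry_cert() {
    host="$1"; dir="${2:-certs}"
    mkdir -p "$dir"
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
basicConstraints = CA:TRUE
extendedKeyUsage = serverAuth
EOF
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/domain.key" -out "$dir/domain.crt" 2>/dev/null
    chmod 600 "$dir/domain.key"   # the key is a secret; never world-readable
}

# check_registry_cert HOST [DIR]: succeed only if DIR/domain.crt chains to
# itself as CA and is valid for HOST. A CN-only certificate or a hostname
# missing from the SAN fails here just as it fails on "docker pull".
check_registry_cert() {
    host="$1"; dir="${2:-certs}"
    openssl verify -CAfile "$dir/domain.crt" -verify_hostname "$host" \
        "$dir/domain.crt" >/dev/null 2>&1
}

# install_daemon_ca HOST CRT [ROOT]: place CRT where dockerd looks for the
# CA of HOST. ROOT defaults to / and exists so the function can be tried
# without root privileges; the directory name must be the exact host[:port]
# used in image references. Prints the installed path.
install_daemon_ca() {
    host="$1"; crt="$2"; root="${3:-}"
    dest="$root/etc/docker/certs.d/$host"
    mkdir -p "$dest"
    cp "$crt" "$dest/ca.crt"
    chmod 644 "$dest/ca.crt"
    echo "$dest/ca.crt"
}

# Stand-alone run ("sh script.sh run"): build, verify, and show the SAN.
if [ "${1:-}" = "run" ]; then
    make_registry_cert registry.bampi.net certs
    check_registry_cert registry.bampi.net certs \
        && echo "certificate OK for registry.bampi.net"
    openssl x509 -in certs/domain.crt -noout -text | grep -A1 'Subject Alternative Name'
fi
```

Once the service is up, confirm from a client node that the served certificate is the one you installed: `openssl s_client -connect registry.bampi.net:443 -CAfile /etc/docker/certs.d/registry.bampi.net/ca.crt </dev/null` should end with "Verify return code: 0 (ok)"; anything else means the daemon will refuse the registry too.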
