I have an ordinary Ubuntu image with no dockerd installed, only the docker command-line client and curl, so that I can query a docker registry. I have set up TLS security. I use a third container for the docker daemon (dind). The following works as expected.
```bash
curl https://myregistry/v2/_catalog # gets the info
curl http://myregistry/v2/_catalog  # fails as expected
```

So I expect that docker can pull from the registry via https. Unfortunately my docker client only tries http, which of course fails.
```text
docker pull myregistry/myimage
Using default tag: latest
Error response from daemon: Client sent an HTTP request to an HTTPS server.
```

My question is how to tell docker pull to use https instead of http? All posts I found so far describe the opposite problem, where docker talks https to an http registry.
I assume that my certificates are correct, because otherwise curl would have failed with both http and https.
Update

One error was, as BMich pointed out, that in myregistry/image the myregistry is a namespace and not my hostname. So I renamed it to my.hub. The dot in between makes this a hostname.
I have not set an insecure registry on any OS or container, nor in any config.toml of a gitlab-runner.
Minimal Reproducible Example

I have added the following hosts to /etc/hosts: myregistry, dind, client1, client2.
```bash
#!/bin/bash
docker stop my.hub dind client1 client2
docker rm my.hub dind client1 client2
sudo rm -rf volumes
CURRENT=${PWD}
HUB_DIR=${PWD}/volumes/my.hub
DIND_DIR=${PWD}/volumes/dind
sudo rm -rf $CURRENT/volumes
mkdir -p $CURRENT/ca
mkdir -p $HUB_DIR/certs
mkdir -p $DIND_DIR/certs/ca
mkdir -p $DIND_DIR/certs/client
mkdir -p $DIND_DIR/certs/server
mkdir -p $DIND_DIR/etc/docker/certs.d/my.hub
mkdir -p $DIND_DIR/etc/docker/certs.d/my.hub:443
mkdir -p $DIND_DIR/etc/docker/certs.d/dind   # target of the cp for client1 below
mkdir -p $DIND_DIR/usr/local/share/ca-certificates

# CA Key/Certificate key.pem and cert.pem
cd $CURRENT/ca
openssl genrsa -out key.pem 2048
openssl req -x509 -days 365 -new -nodes -key key.pem \
  -subj "/C=UK/ST=Sussex/L=London/O=Moiself/OU=Sofa/CN=myregistry" \
  -sha256 -out cert.pem

# my.hub key/cert pair
cd $HUB_DIR/certs
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out csr.pem \
  -subj "/C=UK/ST=Sussex/L=London/O=Moiself/OU=Sofa/CN=myregistry" \
  -addext "subjectAltName=DNS:my.hub,DNS:localhost"
openssl x509 -req -days 365 -sha256 -in csr.pem \
  -CA $CURRENT/ca/cert.pem -CAkey $CURRENT/ca/key.pem \
  -CAcreateserial -out cert.pem \
  -extfile <(printf "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment\nsubjectAltName=DNS:my.hub,DNS:localhost")
cd $CURRENT

# distribute the CA and the registry certificate into the dind volume
cp $CURRENT/ca/cert.pem $DIND_DIR/certs/client/ca.pem
cp $CURRENT/ca/cert.pem $DIND_DIR/certs/ca/cert.pem
cp $CURRENT/ca/key.pem $DIND_DIR/certs/ca/key.pem
cp $CURRENT/ca/cert.pem $DIND_DIR/usr/local/share/ca-certificates/ca.crt
cp $HUB_DIR/certs/cert.pem $DIND_DIR/etc/docker/certs.d/my.hub/ca.crt
sudo chown -R root volumes

# registry my.hub, TLS on port 443
docker run -d -it --network some-network --ip 172.18.0.2 -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_KEY=/certs/key.pem -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/cert.pem \
  -v $HUB_DIR/certs:/certs:ro --name my.hub --hostname my.hub registry:2

# docker daemon (dind), TLS on port 2376
docker run -d -it --privileged --network some-network --ip 172.18.0.3 --network-alias docker \
  -e DOCKER_TLS_CERTDIR=/certs \
  -v $DIND_DIR/etc/docker/certs.d:/etc/docker/certs.d:ro \
  -v $DIND_DIR/usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro \
  -v $DIND_DIR/certs/client:/certs/client \
  -v $DIND_DIR/certs/ca:/certs/ca \
  -v $DIND_DIR/certs/server:/certs/server \
  --name dind --hostname dind docker:dind \
  sh -c "dockerd-entrypoint.sh --iptables=false && tail -f /dev/null"
sleep 3
docker exec -it dind apk update
docker exec -it dind apk add curl
docker exec -it dind /usr/sbin/update-ca-certificates
docker exec -it dind docker pull alpine:latest
docker exec -it dind docker tag alpine:latest my.hub/alpine2
docker exec -it dind docker push my.hub/alpine2
docker exec -it dind curl https://my.hub/v2/_catalog
docker exec -it dind docker images

# client1: alpine CLI-only image, talking to the dind daemon over TCP
sudo rm -rf $DIND_DIR/certs/client2
sudo cp -r $DIND_DIR/certs/client $DIND_DIR/certs/client2
sudo cp $DIND_DIR/certs/client/cert.pem $DIND_DIR/etc/docker/certs.d/dind/ca.crt
docker run -d -it --network some-network --ip 172.18.0.4 \
  -e DOCKER_HOST=tcp://dind:2376 \
  -e DOCKER_TLS_CERTDIR=/certs \
  -v $DIND_DIR/certs/client2:/certs:ro \
  -v $DIND_DIR/etc/docker/certs.d:/etc/docker/certs.d:ro \
  -v $DIND_DIR/usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro \
  --name client1 --hostname client1 docker:24.0.0-beta.1-cli-alpine3.17
sleep 3
docker exec -it client1 apk update
docker exec -it client1 apk add curl
docker exec -it client1 /usr/sbin/update-ca-certificates
docker exec -it client1 docker pull alpine:latest # Sending HTTP error
docker exec -it client1 docker tag alpine:latest my.hub/alpine3 # Sending HTTP error
docker exec -it client1 docker push my.hub/alpine3 # Sending HTTP error
docker exec -it client1 curl https://my.hub/v2/_catalog
docker exec -it client1 docker images # Sending HTTP error

# client2: ubuntu CLI-only image, talking to the dind daemon over TCP
docker run -d -it --network some-network --ip 172.18.0.5 \
  -e DOCKER_HOST=tcp://dind:2376 \
  -e DOCKER_TLS_CERTDIR=/certs \
  -v $DIND_DIR/etc/docker/certs.d:/etc/docker/certs.d:ro \
  -v $DIND_DIR/usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro \
  --name client2 --hostname client2 localci-ubuntu-gcc
sleep 3
docker exec -it client2 apt update
docker exec -it client2 /usr/sbin/update-ca-certificates
docker exec -it client2 docker pull alpine:latest # Sending HTTP error
docker exec -it client2 docker tag alpine:latest my.hub/alpine4 # Sending HTTP error
docker exec -it client2 docker push my.hub/alpine4 # Sending HTTP error
docker exec -it client2 curl https://my.hub/v2/_catalog
docker exec -it client2 docker images # Sending HTTP error
```
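The error text in the question does not say which of the two TLS hops produced it: the CLI to the dind daemon on tcp://dind:2376, or the daemon to the registry on my.hub. Because `docker images` in the script fails with the same error and never contacts a registry, the CLI-to-daemon hop is worth checking before the registry trust. The following diagnostic is an added example, not code from the question; it assumes the documented CLI variables DOCKER_HOST, DOCKER_TLS_VERIFY and DOCKER_CERT_PATH with the default file names ca.pem, cert.pem and key.pem, ignores --tls flags and config.json, and the directories it reads are whatever the caller passes in.

```shell
#!/bin/sh
# Added diagnostic, not code from the question. Reads the documented Docker CLI
# settings (DOCKER_HOST, DOCKER_TLS_VERIFY, DOCKER_CERT_PATH; default files
# ca.pem, cert.pem, key.pem) to say whether the CLI->daemon hop uses TLS.
# The daemon->registry hop is separate: dockerd, not the CLI, talks to my.hub.

# find_client_certs DIR: print the directory holding the client triple: DIR
# itself (flat, as client1 mounts certs/client2 at /certs) or DIR/client.
find_client_certs() {
  for d in "$1" "$1/client"; do
    if [ -s "$d/ca.pem" ] && [ -s "$d/cert.pem" ] && [ -s "$d/key.pem" ]; then
      echo "$d"; return 0
    fi
  done
  return 1
}

# cli_daemon_mode HOST VERIFY CERTPATH -> unix|tcp-plain|tcp-tls|tcp-tls-missing-certs|other
# Assumption: TLS is on only when DOCKER_TLS_VERIFY is non-empty (flags ignored).
cli_daemon_mode() {
  host=$1; verify=$2; certpath=$3
  [ -n "$host" ] || { echo unix; return 0; }
  case "$host" in
    unix://*) echo unix; return 0 ;;
    tcp://*) ;;
    *) echo other; return 0 ;;
  esac
  [ -n "$verify" ] || { echo tcp-plain; return 0; }
  if find_client_certs "$certpath" >/dev/null; then
    echo tcp-tls
  else
    echo tcp-tls-missing-certs
  fi
}

# explain MODE: read the mode against the symptom in the question, where the
# daemon is tcp://dind:2376 and 2376 is the conventional dockerd TLS port.
explain() {
  case "$1" in
    tcp-plain) echo "CLI sends plaintext to a TLS port: every command, even 'docker images', gets 'Client sent an HTTP request to an HTTPS server'" ;;
    tcp-tls-missing-certs) echo "DOCKER_TLS_VERIFY set but no ca.pem/cert.pem/key.pem under DOCKER_CERT_PATH; point it at the directory that holds them" ;;
    tcp-tls) echo "CLI->daemon is TLS; if only pull/push fail, check the daemon's registry trust in /etc/docker/certs.d/<registry>/ca.crt" ;;
    unix) echo "local socket; only the daemon->registry hop can fail" ;;
    *) echo "unhandled DOCKER_HOST scheme" ;;
  esac
}
# Usage inside a client container such as client1 in the question:
# explain "$(cli_daemon_mode "${DOCKER_HOST:-}" "${DOCKER_TLS_VERIFY:-}" "${DOCKER_CERT_PATH:-$HOME/.docker}")"
```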