Docker hosts that pull from a private registry do so over HTTPS. The registry (web) server has to support both TLS and CA certificate validation (though no specific version appears to be required), or it is classified as an "insecure registry". If the registry is identified as insecure in the config, there is no problem; otherwise you will be required to use the --insecure-registry switch with the pull.
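An added example, not from the original page: an audit helper for the Docker host side, assuming "the config" is the daemon's daemon.json and its insecure-registries key. It is a simplified model of the daemon's matching (exact host[:port] names, CIDR ranges against literal IPs, the implicit loopback range) with no DNS resolution; the sample file and host names are constructed.

```python
import ipaddress
import json

# Constructed sample; assumes "the config" is the Docker daemon's daemon.json
# and its "insecure-registries" key.
SAMPLE_DAEMON_JSON = """
{
  "insecure-registries": ["registry.internal.example:5000", "10.20.0.0/16"]
}
"""

# The daemon always treats loopback addresses as insecure registries.
IMPLICIT_INSECURE = ["127.0.0.0/8"]


def host_of(registry):
    """Strip an optional :port from 'host', 'host:port' or '[v6]:port'."""
    if registry.startswith("["):
        return registry[1:registry.index("]")]
    host, sep, port = registry.rpartition(":")
    return host if sep and port.isdigit() else registry


def tls_verification_skipped(registry, daemon_json=SAMPLE_DAEMON_JSON):
    """Return the entry that disables TLS checks for `registry`, else None."""
    entries = json.loads(daemon_json).get("insecure-registries", [])
    for entry in list(entries) + IMPLICIT_INSECURE:
        if "/" in entry:
            # CIDR entry: compared against literal IP hosts only (no DNS here).
            try:
                network = ipaddress.ip_network(entry, strict=False)
                if ipaddress.ip_address(host_of(registry)) in network:
                    return entry
            except ValueError:
                continue
        elif entry.lower() == registry.lower():
            # Name entry: must match host[:port] exactly as used in the pull.
            return entry
    return None


def audit(registries, daemon_json=SAMPLE_DAEMON_JSON):
    """Map each registry to 'verified' or the entry that disables verification."""
    return {r: tls_verification_skipped(r, daemon_json) or "verified"
            for r in registries}
```

Any registry that maps to something other than 'verified' is pulled without certificate validation and is worth moving behind a CA-signed certificate.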
Configuration options relating to TLS
tls:
  certificate: /path/to/x509/public
  key: /path/to/x509/private
  clientcas:
    - /path/to/ca.pem
    - /path/to/another/ca.pem
  letsencrypt:
    cachefile: /path/to/cache-file
    email: emailused@letsencrypt.com