Watchtower fails to pull image from private registry with self-signed certificate (x509: certificate signed by unknown authority)

[dpanic]

Hi team,

I'm running Watchtower with access to the Docker socket (/var/run/docker.sock) and trying to pull images from a private GitLab registry secured with a self-signed certificate (gitlab.lan:5005).

Despite mounting the correct certs and seeing debug logs like this:

Built challenge URL" URL="https://gitlab.lan:5005/v2/"
Reason: Get "https://gitlab.lan:5005/v2/": x509: certificate signed by unknown authority

…the image pull still fails.

Here's what I’ve done so far:

• Copied gitlab.lan.crt to /etc/docker/certs.d/gitlab.lan_5005/ca.crt on the host.
• Mounted it into the container like this:

- /etc/docker/certs.d/gitlab.lan_5005:/etc/docker/certs.d/gitlab.lan:5005

• Verified that inside the container, /etc/docker/certs.d/gitlab.lan:5005/ca.crt exists and is readable.
• I’m not using remote Docker over TLS, just the local socket.
• I'm not using DOCKER_HOST, DOCKER_CERT_PATH, or --tlsverify.
• Restarted Docker and Watchtower after updating the certs.

Question:

• Is there anything else required for Watchtower's internal Docker client to trust the registry cert?
• Should I manually run update-ca-certificates inside the container, or is there a better way to inject CA trust?
• Is there any limitation where Watchtower ignores /etc/docker/certs.d?

Thanks!