Container Registry

I am trying setup container registry, but gitlab not authorized docker requests.

I am using Gitlab CE 8.8.2.

docker -v # Docker version 1.11.1, build 5604cbe

registry docker-compose.yml:

version: '2'
services:
  registry:
    restart: always
    image: 'registry:2'
    ports:
      - '5000:5000'
    volumes:
      - ./data:/var/lib/registry
      - ./certs:/certs
      - ./auth:/auth
      - ./config.yml:/etc/docker/registry/config.yml

registry config.yml file:

version: 0.1
loglevel: debug
http:
  addr: 0.0.0.0:5000
  secret: ahm1Oax4mecoothooCaiPhaeghoora5uchaexuaw
  tls:
    certificate: /certs/fullchain.pem
    key: /certs/privkey.pem
storage:
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: true
auth:
  token:
    realm: https://gitlab.example.com/api/v3/auth/token
    service: registry.example.com
    issuer: gitlab-issuer
    rootcertbundle: /certs/fullchain.pem

Part of config/gitlab.yml

  registry:
    enabled: true
    host: registry.example.com
    port: 5000
    api_url: http://localhost:5000/
    key_path: /home/git/registry/certs/privkey.pem
    path: /home/git/registry/certs/data
    issuer: gitlab-issuer

when i do docker login registry.example.com:

in gitlab access logs:

178.151.162.253 - NAME [27/May/2016:02:35:57 +0300] "GET /api/v3/auth/token?account=NAME&client_id=docker&offline_token=true&service=registry.example.com HTTP/1.1" 302 110 "-" "docker/1.11.1 go/go1.5.4 git-commit/5604cbe kernel/4.4.8-boot2docker os/linux arch/amd64 UpstreamClient(Docker-Client/1.11.1 \x5C(darwin\x5C))"
178.151.162.253 - - [27/May/2016:02:35:57 +0300] "GET /users/sign_in HTTP/1.1" 200 6659 "https://gitlab.example.com/api/v3/auth/token?account=NAME&client_id=docker&offline_token=true&service=registry.example.com" "docker/1.11.1 go/go1.5.4 git-commit/5604cbe kernel/4.4.8-boot2docker os/linux arch/amd64 UpstreamClient(Docker-Client/1.11.1 \x5C(darwin\x5C))"

in registry logs:

registry_1  | time="2016-05-26T23:44:15Z" level=debug msg="authorizing request" go.version=go1.6.2 http.request.host="registry.example.com:5000" http.request.id=99e4a01b-5bbd-4080-b510-b50d4a2f200e http.request.method=GET http.request.remoteaddr="178.151.162.253:59225" http.request.uri="/v2/" http.request.useragent="curl/7.43.0" instance.id=ad1510f5-bc9a-4a25-8ce1-2381f4fe2a36 version=v2.4.1
registry_1  | time="2016-05-26T23:44:15Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.6.2 http.request.host="registry.example.com:5000" http.request.id=99e4a01b-5bbd-4080-b510-b50d4a2f200e http.request.method=GET http.request.remoteaddr="178.151.162.253:59225" http.request.uri="/v2/" http.request.useragent="curl/7.43.0" instance.id=ad1510f5-bc9a-4a25-8ce1-2381f4fe2a36 version=v2.4.1

What i am doing wrong?