How to set up an omnibus installation to use an external Docker registry?
I have read both of these guides:
- https://docs.gitlab.com/ee/administration/container_registry.html#configure-container-registry-under-its-own-domain
- https://github.com/sameersbn/docker-gitlab/blob/master/docs/container_registry.md
I have generated a self-signed key/certificate:
# On the gitlab server
mkdir /etc/gitlab/registry-certs
cd /etc/gitlab/registry-certs
openssl req -nodes -newkey rsa:4096 -keyout registry-auth.key -out registry-auth.csr -subj "/CN=gitlab-issuer"
openssl x509 -in registry-auth.csr -out registry-auth.crt -req -signkey registry-auth.key -days 3650
# On the registry
mkdir -p /etc/gitlab/registry-certs
root@registry.anuary.com:/etc/gitlab/registry-certs/registry-auth.crt /etc/gitlab/registry-certs/registry-auth.crt
I have started the Docker registry:
docker run --rm -it -p 443:5000 --name registry \
-v /var/docker-registry-data:/var/lib/registry \
-v /var/docker-registry-certs:/certs \
-v /etc/gitlab/registry-certs:/etc/gitlab/registry-certs \
-e REGISTRY_AUTH_TOKEN_REALM=https://git.anuary.com/jwt/auth \
-e REGISTRY_AUTH_TOKEN_SERVICE=container_registry \
-e REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer \
-e REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/etc/gitlab/registry-certs/registry-auth.crt \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.pem \
-e REGISTRY_HTTP_TLS_KEY=/certs/privkey.pem \
--name docker-registry \
registry:2
I have configured gitlab.rb with:
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_api_url'] = "https://registry.anuary.com/"
gitlab_rails['registry_key_path'] = "/etc/gitlab/registry-certs/registry-auth.key"
gitlab_rails['registry_issuer'] = "gitlab-issuer"
I have restarted GitLab:
gitlab-ctl reconfigure && gitlab-ctl restart
Finally, I have tried to log in to the registry:
docker login registry.anuary.com -u my-gitlab-user -p my-gitlab-password
Here is what /var/log/gitlab-rails/production.log logs:
Started POST "/ci/api/v1/builds/register.json" for 51.15.38.176 at 2016-12-18 20:49:59 +0000
Started POST "/ci/api/v1/builds/register.json" for 51.15.38.176 at 2016-12-18 20:50:02 +0000
Scheduling removal of build artifacts
Started POST "/ci/api/v1/builds/register.json" for 51.15.38.176 at 2016-12-18 20:50:05 +0000
Started POST "/ci/api/v1/builds/register.json" for 51.15.38.176 at 2016-12-18 20:50:08 +0000
Started POST "/ci/api/v1/builds/register.json" for 51.15.38.176 at 2016-12-18 20:50:11 +0000
Started GET "/jwt/auth?account=gajus&client_id=docker&offline_token=true&service=container_registry" for 80.1.99.46 at 2016-12-18 20:50:12 +0000
Processing by JwtController#auth as HTML
Parameters: {"account"=>"gajus", "client_id"=>"docker", "offline_token"=>"true", "service"=>"container_registry"}
Completed 200 OK in 429ms (Views: 1.0ms | ActiveRecord: 12.1ms)
Started POST "/ci/api/v1/builds/register.json" for 51.15.38.176 at 2016-12-18 20:50:14 +0000
Started POST "/ci/api/v1/builds/register.json" for 51.15.38.176 at 2016-12-18 20:50:17 +0000
Here is what the Docker registry container logs:
WARN[0363] error authorizing context: authorization token required go.version=go1.6.3 http.request.host=registry.anuary.com http.request.id=3c56e7e4-7c6d-4e84-b735-62cdfcd2fa72 http.request.method=GET http.request.remoteaddr=80.1.99.46:56275 http.request.uri=/v2/ http.request.useragent=docker/1.12.3 go/go1.6.3 git-commit/6b644ec kernel/4.4.27-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.3 \(darwin\)) instance.id=dd3d1a23-8c28-4e6b-aab3-a5695f720876 version=v2.5.1
80.1.99.46 - - [18/Dec/2016:20:51:56 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.12.3 go/go1.6.3 git-commit/6b644ec kernel/4.4.27-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.3 \\(darwin\\))"
ERRO[0364] token signed by untrusted key with ID: "7K7M:VDNO:YAOL:X4ST:E2XK:HYLF:ROY4:7L7L:SCLH:46TJ:W3LZ:FJCH"
WARN[0364] error authorizing context: invalid token go.version=go1.6.3 http.request.host=registry.anuary.com http.request.id=7249b5f2-83ab-4af0-96b2-0481fa680c01 http.request.method=GET http.request.remoteaddr=80.1.99.46:56277 http.request.uri=/v2/ http.request.useragent=docker/1.12.3 go/go1.6.3 git-commit/6b644ec kernel/4.4.27-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.3 \(darwin\)) instance.id=dd3d1a23-8c28-4e6b-aab3-a5695f720876 version=v2.5.1
80.1.99.46 - - [18/Dec/2016:20:51:57 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.12.3 go/go1.6.3 git-commit/6b644ec kernel/4.4.27-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.3 \\(darwin\\))"
Note the error:
ERRO[0364] token signed by untrusted key with ID
What am I doing wrong?
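The registry only accepts tokens whose "kid" header matches a certificate in REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE, and the ID it logs in "token signed by untrusted key with ID" is that kid. The kid is derived from the public key (SHA-256 over the DER SubjectPublicKeyInfo, first 30 bytes, base32, in 4-character groups), so the mismatch can be checked directly on the two hosts without guessing. The script below is an added example, not part of the original post or of GitLab's or the registry's own code: it recomputes the ID from the certificate the registry was given and from the private key GitLab signs with, and compares both with the logged ID. It assumes openssl is on PATH and that either GNU coreutils base32 or python3 is available; the keys it generates are throwaway ones constructed for the demo, and the log line is the one quoted above.

```shell
#!/bin/sh
# Added example, not from the original post: recompute the key ID the registry
# expects and compare it with the one it logged. Assumes: openssl on PATH, and
# either GNU coreutils `base32` or python3 for the base32 step.
set -eu

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

b32() {
  # base32 without padding
  if command -v base32 >/dev/null 2>&1; then
    base32 | tr -d '=\n'
  else
    python3 -c 'import base64,sys; sys.stdout.write(base64.b32encode(sys.stdin.buffer.read()).decode().rstrip("="))'
  fi
}

# libtrust / GitLab key ID: SHA-256 over the DER SubjectPublicKeyInfo, first 30
# bytes, base32, split into 4-character groups joined by ':'.  $1 = public key PEM.
libtrust_key_id() {
  openssl pkey -pubin -in "$1" -outform DER \
    | openssl dgst -sha256 -binary \
    | head -c 30 | b32 \
    | sed -e 's/..../&:/g' -e 's/:$//'
}

# Key ID of the public key inside a certificate (what you hand to the registry
# via REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE).  $1 = certificate PEM file.
cert_key_id() {
  openssl x509 -in "$1" -pubkey -noout > "$TMP/cert-pub.pem"
  libtrust_key_id "$TMP/cert-pub.pem"
}

# Key ID GitLab puts in the token's "kid" header for a given signing key
# (gitlab_rails['registry_key_path']).  $1 = private key PEM file.
privkey_key_id() {
  openssl pkey -in "$1" -pubout > "$TMP/key-pub.pem"
  libtrust_key_id "$TMP/key-pub.pem"
}

# Pull the key ID out of a registry log line of the form
# ERRO[...] token signed by untrusted key with ID: "XXXX:XXXX:..."   $1 = log line.
logged_key_id() {
  printf '%s\n' "$1" | sed -n 's/.*untrusted key with ID: "\([^"]*\)".*/\1/p'
}

# Succeeds when the certificate in the root bundle matches the logged kid, i.e.
# the registry has the certificate for the key that signed the token.
check_trust() {
  [ "$(cert_key_id "$1")" = "$2" ]
}

# --- demo with throwaway keys (constructed here; not the poster's real keys) ---
# Same recipe as the post, 2048-bit to keep generation quick.
openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=gitlab-issuer" \
  -keyout "$TMP/registry-auth.key" -out "$TMP/registry-auth.crt" 2>/dev/null
# An unrelated key, standing in for a GitLab that signs with a key the registry never saw.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$TMP/other.key" 2>/dev/null

# Log line quoted in the post above.
SAMPLE_LOG='ERRO[0364] token signed by untrusted key with ID: "7K7M:VDNO:YAOL:X4ST:E2XK:HYLF:ROY4:7L7L:SCLH:46TJ:W3LZ:FJCH"'

echo "trusted (cert):        $(cert_key_id "$TMP/registry-auth.crt")"
echo "signer (matching key): $(privkey_key_id "$TMP/registry-auth.key")"
echo "signer (other key):    $(privkey_key_id "$TMP/other.key")"
echo "logged by registry:    $(logged_key_id "$SAMPLE_LOG")"
if check_trust "$TMP/registry-auth.crt" "$(logged_key_id "$SAMPLE_LOG")"; then
  echo "logged kid matches the root bundle: trust is configured correctly"
else
  echo "logged kid is NOT in the root bundle: GitLab signs with a key whose certificate the registry does not have"
fi
```

To apply it to a real deployment, run cert_key_id against the file mounted as REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE on the registry host and privkey_key_id against registry_key_path on the GitLab host; if the two differ, the registry is not holding the certificate for the key GitLab actually uses, and the logged ID will match whichever of them the signer is.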