GitLab runner can't connect to registry: "x509: certificate is valid for ..., not ..."

docker login fails with:

Error response from daemon: Get https://container-registry.mydomain.com/v1/users/: x509: certificate is valid for gitlab.mydomain.com, not container-registry.mydomain.com

Here CI_REGISTRY=container-registry.mydomain.com

image: docker:latest

stages:
  - build
  - upload

build:
  stage: build
  script:
    - docker build -t $CI_REGISTRY_IMAGE/foo:latest .

upload:
  stage: upload
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
    - docker push $CI_REGISTRY_IMAGE/foo:latest
    - docker logout $CI_REGISTRY

container-registry.mydomain.com and gitlab.mydomain.com are on the same host, which is separate from the host where the runner runs. The Docker socket is mounted into the runner, as the docker:dind service could not deal with my custom ca.crt. Now some cert resolution works at least, but for some weird reason docker login tries to talk to GitLab rather than the registry.

If I instead try to log in to the registry from my laptop with the same command, same Docker version, docker login container-registry.mydomain.com, it works like a charm. If I resolve container-registry.mydomain.com in the runner, it points to the correct address. If I curl container-registry.mydomain.com, it will say "Server certificate: container-registry.mydomain.com" and "Server certificate: mydomain.com". What's going on?

  • Docker version: 17.03.1-ce
  • GitLab version: 9.0.5-ce.0
  • Runner version: 1.11.1
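
A check for the mismatch described in the question, added here as an example and not part of the original post: it reports which hostnames a served certificate actually covers. The error is returned by the Docker daemon ("Error response from daemon"), so `check_endpoint` is meant to be run on the machine where that daemon runs; the function names are hypothetical and OpenSSL 1.1.1 or newer is assumed.

```sh
#!/bin/sh
# Added diagnostic example (not from the original post). Hostnames are the
# ones in the question; function names are illustrative. Needs OpenSSL 1.1.1+.

# Return 0 if the PEM certificate in file $1 is valid for hostname $2.
cert_matches_host() (
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
    grep -q 'does match certificate'
)

# Print the leaf certificate served for SNI name $1.
# $2 (default: $1) is the address to connect to, $3 (default: 443) the port.
served_cert() (
  openssl s_client -connect "${2:-$1}:${3:-443}" -servername "$1" \
    </dev/null 2>/dev/null | openssl x509 -outform PEM
)

# Print MATCH/MISMATCH for every hostname given after the certificate file $1.
report() (
  pem=$1; shift
  for h in "$@"; do
    if cert_matches_host "$pem" "$h"; then s=MATCH; else s=MISMATCH; fi
    printf '%-8s %s\n' "$s" "$h"
  done
)

# Live check: fetch what the endpoint serves for name $1 and test it against $1.
check_endpoint() (
  tmp=$(mktemp) || exit 2
  served_cert "$@" >"$tmp" || { rm -f "$tmp"; exit 2; }
  openssl x509 -in "$tmp" -noout -subject -ext subjectAltName
  rc=0; cert_matches_host "$tmp" "$1" || rc=1
  rm -f "$tmp"; exit "$rc"
)

# Constructed sample: throwaway self-signed certificate in $1 naming only $2.
make_sample_cert() (
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" -keyout "$1.key" -out "$1" 2>/dev/null
)

# Offline demo: a certificate that names only the GitLab host.
demo() (
  d=$(mktemp -d) || exit 2
  make_sample_cert "$d/gitlab.pem" gitlab.mydomain.com
  report "$d/gitlab.pem" gitlab.mydomain.com container-registry.mydomain.com
  rm -rf "$d"
)
demo
# On a real host: check_endpoint container-registry.mydomain.com
```

Passing an IP address as the second argument to `check_endpoint` tests one specific listener while still sending the registry name as SNI.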