Good news: it works.

Bad news: it works after spending a week or two on weird authentication issues, protocol mismatch and unsupported SSL certificates.

See for yourself. Once you get your nexus up and running and try to use it, here what happens:

  • How to configure default private registry

    Short answer: you can't .

    Long answer: the patch which allows to configure default registry host is rejected by Docker upstream.
    CentOS/RHEL carry this fix as a package-level patch but Debian doesn't

    OK, we start hardcoding the full hostname of a registry in every command.

  • docker search doesn't work

    Enable v1 api in the registry configuration in Nexus.

  • search works and shows the image, but pull of this image gives 404 error

    Error: image <image> not found

    Protocol version mismatch. Nexus bugtracker says --insecure-registry is not supported and we don't care.
    So we setup nginx in front of the Nexus registries which handles the SSL

  • search works, docker pull works, but docker login fails

    x509: certificate signed by unknown authority

    Explanation: We use SSL with custom CA and configured it at a docker level (put certificate in a /etc/docker/certs.d/ folder as documentation suggests) but docker login refers to system level certificate.
    Solution: add ca certificate to system certificates

    cp ca.crt /usr/local/share/ca-certificates
    service docker restart
  • search works, pull works, login works, push doesn't (I hate docker at this point)

    Error pushing to registry: Put /v2/.... : unsupported protocol scheme ""

    I still don't know how solve it with Debian standard docker package. The workaround is to install docker engine via docker-ce package provided by Docker itself:

So, with this updated package, search, pull, login and push seem to work. I hope that it is going to be enough for now.