Add CA Root on Amazon Linux

Recently I ran into an issue on an EC2 instance with Amazon Linux related to a CA Root.
It was impossible to run docker pull from our private registry; the error that appeared was: x509: certificate signed by unknown authority.

The Certificate Authority used by the registry had recently been changed and wasn't trusted by the OS.
The solution was to add the CA Root to /etc/pki/ca-trust/source/anchors/ and then run update-ca-trust; everything worked after restarting Docker.
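
The same fix as a script, added here as an example (it is not part of the original post): before copying the file it checks that it really is a CA certificate and that its SHA-256 fingerprint matches a value obtained out of band, because anything placed in the anchors directory becomes trusted for every TLS connection on the host. The anchors path and update-ca-trust come from the post; the function names and the systemctl restart (systemd-based Amazon Linux) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: vet a CA certificate before trusting it system-wide.
# Function names are hypothetical; ANCHOR_DIR is the directory named in the post.
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeed only if the file parses as a certificate with basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# vet_and_stage_ca <pem-file> <expected-sha256>
# Copies the certificate into ANCHOR_DIR only if every check passes.
vet_and_stage_ca() {
    local pem expected actual
    pem="$1"
    # Accept the expected fingerprint with or without colons, in any case.
    expected="$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')"
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    is_ca_cert "$pem" || { echo "$pem is not a CA certificate" >&2; return 1; }
    actual="$(cert_fingerprint "$pem")"
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $pem: got '$actual'" >&2
        return 1
    fi
    install -m 0644 "$pem" "$ANCHOR_DIR/$(basename "$pem")"
}

# Run as root: ./add-ca.sh new-root-ca.pem <fingerprint obtained out of band>
if [ "$#" -eq 2 ]; then
    vet_and_stage_ca "$1" "$2" || exit 1
    update-ca-trust            # rebuild the system trust bundles, as in the post
    systemctl restart docker   # the post needed a Docker restart before pulls worked
fi
```

Get the expected fingerprint from whoever operates the new CA over a separate channel, not from the same place the certificate file was downloaded.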

Lesson learned: choose your next CA carefully.