I am migrating to Artifactory on RHEL8 as a Docker remote repository, i.e. Artifactory is a proxy for a docker registry hosted through Jfrog.io.
We have a legacy registry with config in /etc/docker/certs.d/. Another instance works fine without that config.
There is no proxy between the docker client and the Nginx, which runs on the same host as Artifactory (so this does not apply).
The docker client uses TLSv1.2 to connect.
In Nginx I configured:

```
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
```

```
nmap --script ssl-enum-ciphers -p 443 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2023-11-10 19:52 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000073s latency).
Other addresses for localhost (not scanned): ::1
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|_  least strength: A
```
When I try docker login I get this error:

```
Error response from daemon: Get "https://my-docker-registry/v2/": tls: server chose an unconfigured cipher suite
```

Docker version: docker-ce-24.0.7-1.el8.x86_64
Reconfiguring crypto-policies to DEFAULT, and lowering Nginx to serve TLSv1.1 & TLSv1.2, did not help. Should Docker have a particular config to enable TLS? Or should Nginx be configured in a particular way?
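An added example, not part of the question and not Docker's or Artifactory's own code: the Docker daemon is written in Go, and the error text above is what Go's crypto/tls client returns when the ServerHello names a cipher suite the client did not offer. The program below converts the nginx ssl_ciphers line into Go suite IDs, reports the names a Go client cannot offer at all (the DHE-RSA suites), and runs one TLS 1.2 handshake restricted to the remaining suites so the failure can be reproduced outside docker login. The registry host:port and ServerName are assumed command-line arguments.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
	"strings"
)

// OpenSSL names from the nginx ssl_ciphers line above, mapped to Go crypto/tls suite IDs.
// Go's crypto/tls has no DHE suites, so the two DHE-RSA-* names deliberately have no entry.
var opensslToGo = map[string]uint16{
	"ECDHE-ECDSA-AES128-GCM-SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-RSA-AES128-GCM-SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-ECDSA-AES256-GCM-SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-RSA-AES256-GCM-SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-ECDSA-CHACHA20-POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
	"ECDHE-RSA-CHACHA20-POLY1305":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
}
// The ssl_ciphers value from the question, copied verbatim.
const nginxCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"

// goSuitesFor turns an nginx ssl_ciphers value into Go suite IDs and reports the names Go cannot negotiate.
func goSuitesFor(sslCiphers string) (ids []uint16, dropped []string) {
	for _, name := range strings.Split(sslCiphers, ":") {
		if id, ok := opensslToGo[name]; ok {
			ids = append(ids, id)
		} else {
			dropped = append(dropped, name)
		}
	}
	return ids, dropped
}

// probe runs one TLS 1.2 handshake offering only `suites`; a server whose ServerHello names a
// suite outside that list fails here with Go's "server chose an unconfigured cipher suite".
func probe(addr, serverName string, suites []uint16) (string, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		CipherSuites: suites, ServerName: serverName}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}

func main() { // usage: go run . my-docker-registry:443 my-docker-registry (assumed host and name)
	ids, dropped := goSuitesFor(nginxCiphers)
	fmt.Println("not offerable by a Go client:", dropped)
	name, err := probe(os.Args[1], os.Args[2], ids)
	fmt.Println("negotiated:", name, "error:", err)
}
```

Running the probe against the registry with TLS 1.3 allowed (drop MaxVersion) and then with TLS 1.2 only shows which protocol version and suite selection the error actually comes from.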