Include troubleshooting docker invalid token

Add a section on troubleshooting mismatching certificate key pairs, used
to encrypt the connection between Registry and GitLab.

doc/administration/packages/container_registry.md

@@ -1063,6 +1063,70 @@ encounter this error.
 Administrators can increase the token duration in **Admin area > Settings >
 CI/CD > Container Registry > Authorization token duration (minutes)**.
 
+### Docker login attempt fails with: 'token signed by untrusted key'
+
+[Registry relies on GitLab to validate credentials](https://docs.gitlab.com/omnibus/architecture/registry/).
+If the registry fails to authenticate valid login attempts, you get the following error message:
+
+```shell
+# docker login gitlab.company.com:4567
+Username: user
+Password: 
+Error response from daemon: login attempt to https://gitlab.company.com:4567/v2/ failed with status: 401 Unauthorized
+```
+
+And more specifically, this appears in the `/var/log/gitlab/registry/current` log file:
+
+```plaintext
+level=info msg="token signed by untrusted key with ID: "TOKE:NL6Q:7PW6:EXAM:PLET:OKEN:BG27:RCIB:D2S3:EXAM:PLET:OKEN"" 
+level=warning msg="error authorizing context: invalid token" go.version=go1.12.7 http.request.host="gitlab.company.com:4567" http.request.id=74613829-2655-4f96-8991-1c9fe33869b8 http.request.method=GET http.request.remoteaddr=10.72.11.20 http.request.uri="/v2/" http.request.useragent="docker/19.03.2 go/go1.12.8 git-commit/6a30dfc kernel/3.10.0-693.2.2.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.2 \(linux\))" 
+```
+
+GitLab uses the contents of the certificate key pair's two sides to encrypt the authentication token
+for the Registry. This message means that those contents do not align.
+
+Check which files are in use:
+
+- `grep -A6 'auth:' /var/opt/gitlab/registry/config.yml`
+
+  ```yaml
+  ## Container Registry Certificate
+     auth:
+       token:
+         realm: https://gitlab.my.net/jwt/auth
+         service: container_registry
+         issuer: omnibus-gitlab-issuer
+    -->  rootcertbundle: /var/opt/gitlab/registry/gitlab-registry.crt
+         autoredirect: false
+  ```
+
+- `grep -A9 'Container Registry' /var/opt/gitlab/gitlab-rails/etc/gitlab.yml`
+
+  ```yaml
+  ## Container Registry Key
+     registry:
+       enabled: true
+       host: gitlab.company.com
+       port: 4567
+       api_url: http://127.0.0.1:5000 # internal address to the registry, will be used by GitLab to directly communicate with API
+       path: /var/opt/gitlab/gitlab-rails/shared/registry
+  -->  key: /var/opt/gitlab/gitlab-rails/etc/gitlab-registry.key
+       issuer: omnibus-gitlab-issuer
+       notification_secret:
+  ```
+
+The output of these `openssl` commands should match, proving that the cert-key pair is a match:
+
+```shell
+openssl x509 -noout -modulus -in /var/opt/gitlab/registry/gitlab-registry.crt | openssl sha256
+openssl rsa -noout -modulus -in /var/opt/gitlab/gitlab-rails/etc/gitlab-registry.key | openssl sha256
+```
+
+If the two pieces of the certificate do not align, remove the files and run `gitlab-ctl reconfigure`
+to regenerate the pair. If you have overridden the automatically generated self-signed pair with
+your own certificates and have made sure that their contents align, you can delete the 'registry'
+section in your `/etc/gitlab/gitlab-secrets.json` and run `gitlab-ctl reconfigure`.
+
 ### AWS S3 with the GitLab registry error when pushing large images
 
 When using AWS S3 with the GitLab registry, an error may occur when pushing