@@ -40,8 +40,8 @@ func (cli *DockerCli) pullImageCustomOut(image string, out io.Writer) error {

 		return err

 	}

-	// Resolve the Auth config relevant for this server

-	encodedAuth, err := cli.encodeRegistryAuth(repoInfo.Index)

+	authConfig := cli.resolveAuthConfig(cli.configFile.AuthConfigs, repoInfo.Index)

+	encodedAuth, err := encodeAuthToBase64(authConfig)

 	if err != nil {

 		return err

 	}

@@ -54,7 +54,7 @@ func (cli *DockerCli) CmdPull(args ...string) error {

 		return err

 	}

-	authConfig := registry.ResolveAuthConfig(cli.configFile.AuthConfigs, repoInfo.Index)

+	authConfig := cli.resolveAuthConfig(cli.configFile.AuthConfigs, repoInfo.Index)

 	requestPrivilege := cli.registryAuthenticationPrivilegedFunc(repoInfo.Index, "pull")

 	if isTrusted() && !ref.HasDigest() {

@@ -42,7 +42,7 @@ func (cli *DockerCli) CmdPush(args ...string) error {

 		return err

 	}

 	// Resolve the Auth config relevant for this server

-	authConfig := registry.ResolveAuthConfig(cli.configFile.AuthConfigs, repoInfo.Index)

+	authConfig := cli.resolveAuthConfig(cli.configFile.AuthConfigs, repoInfo.Index)

 	requestPrivilege := cli.registryAuthenticationPrivilegedFunc(repoInfo.Index, "push")

 	if isTrusted() {

@@ -36,7 +36,7 @@ func (cli *DockerCli) CmdSearch(args ...string) error {

 		return err

 	}

-	authConfig := registry.ResolveAuthConfig(cli.configFile.AuthConfigs, indexInfo)

+	authConfig := cli.resolveAuthConfig(cli.configFile.AuthConfigs, indexInfo)

 	requestPrivilege := cli.registryAuthenticationPrivilegedFunc(indexInfo, "search")

 	encodedAuth, err := encodeAuthToBase64(authConfig)

@@ -234,7 +234,7 @@ func (cli *DockerCli) trustedReference(ref reference.NamedTagged) (reference.Can

 	}

 	// Resolve the Auth config relevant for this server

-	authConfig := registry.ResolveAuthConfig(cli.configFile.AuthConfigs, repoInfo.Index)

+	authConfig := cli.resolveAuthConfig(cli.configFile.AuthConfigs, repoInfo.Index)

 	notaryRepo, err := cli.getNotaryRepository(repoInfo, authConfig)

 	if err != nil {

@@ -7,6 +7,7 @@ import (

 	"os"

 	gosignal "os/signal"

 	"runtime"

+	"strings"

 	"time"

 	"github.com/Sirupsen/logrus"

@@ -154,3 +155,42 @@ func (cli *DockerCli) getTtySize() (int, int) {

 	}

 	return int(ws.Height), int(ws.Width)

 }

+

+// resolveAuthConfig is like registry.ResolveAuthConfig, but if using the

+// default index, it uses the default index name for the daemon's platform,

+// not the client's platform.

+func (cli *DockerCli) resolveAuthConfig(authConfigs map[string]types.AuthConfig, index *registrytypes.IndexInfo) types.AuthConfig {

+	configKey := index.Name

+	if index.Official {

+		configKey = cli.electAuthServer()

+	}

+

+	// First try the happy case

+	if c, found := authConfigs[configKey]; found || index.Official {

+		return c

+	}

+

+	convertToHostname := func(url string) string {

+		stripped := url

+		if strings.HasPrefix(url, "http://") {

+			stripped = strings.Replace(url, "http://", "", 1)

+		} else if strings.HasPrefix(url, "https://") {

+			stripped = strings.Replace(url, "https://", "", 1)

+		}

+

+		nameParts := strings.SplitN(stripped, "/", 2)

+

+		return nameParts[0]

+	}

+

+	// Maybe they have a legacy config file, we will iterate the keys converting

+	// them to the new format and testing

+	for registry, ac := range authConfigs {

+		if configKey == convertToHostname(registry) {

+			return ac

+		}

+	}

+

+	// When all else fails, return an empty auth config

+	return types.AuthConfig{}

+}