diff --git a/src/docker.js b/src/docker.js
index aa10b70af..fb762dae8 100644
--- a/src/docker.js
+++ b/src/docker.js
@@ -51,6 +51,8 @@ const apps = require('./apps.js'),
 const gConnection = new Docker({ socketPath: paths.DOCKER_SOCKET_PATH });
+const CLOUDRON_REGISTRIES = [ 'registry.docker.com', 'registry.ipv4.docker.com', 'quay.io' ]; // order determines priority and is important!
+
 function parseImageRef(imageRef) {
 assert.strictEqual(typeof imageRef, 'string');
@@ -90,14 +92,14 @@ async function getAuthConfig(imageRef) {
 const parsedRef = parseImageRef(imageRef);
 // images in our cloudron namespace are always unauthenticated to not interfere with any user limits
- if (parsedRef.registry === null && parsedRef.fullRepositoryName.startsWith('cloudron/')) return null;
+ if ((parsedRef.registry === null || CLOUDRON_REGISTRIES.includes(parsedRef.registry)) && parsedRef.fullRepositoryName.startsWith('cloudron/')) return null;
 const registries = await dockerRegistries.list();
 for (const registry of registries) {
 if (registry.serverAddress !== parsedRef.registry) { // ideally they match but there's too many docker registry domains!
 if (!registry.serverAddress.includes('.docker.')) continue;
- if (parsedRef.registry !== null && !parsedRef.includes('.docker.')) continue;
+ if (parsedRef.registry !== null && !parsedRef.registry.includes('.docker.')) continue;
 }
 // https://github.com/apocas/dockerode#pull-from-private-repos
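Review bot: The comment on `CLOUDRON_REGISTRIES` documents only the ordering, but the second hunk also makes this list decide when getAuthConfig returns null for `cloudron/` images, so adding a host here for pull fallback silently turns off credentials for that host as well. Say so at the declaration, e.g. `// hosts serving the public cloudron/ images: order is the pull priority in downloadImage(), and getAuthConfig() sends no credentials for cloudron/ images on these hosts`. Wrapping the array in `Object.freeze(...)` would also keep other code in the module from changing either behaviour at runtime.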
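Review bot: The fallback match in getAuthConfig's loop still keys on the substring `.docker.`, on both `registry.serverAddress` and (after this fix) `parsedRef.registry`, so credentials stored for a Docker Hub entry are also selected for any image host whose name merely contains `.docker.`. If image refs can come from app manifests or other input the admin does not control, which the hunk does not show, the stored username and password would be offered to a registry the admin never configured. Compare against an explicit list of Docker Hub hostnames, or at least a suffix, e.g. `if (parsedRef.registry !== null && !parsedRef.registry.endsWith('.docker.com') && !parsedRef.registry.endsWith('.docker.io')) continue;`, with the exact host set confirmed by the maintainers. The loop body continues past the end of the hunk.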
@@ -175,14 +177,14 @@ async function downloadImage(manifest) {
 // docker hub only uses first 64 bits for ipv6 addressing. this causes many ipv6 rate limit errors
 // https://www.docker.com/blog/beta-ipv6-support-on-docker-hub-registry/ . as a hack, we try ipv4 explicity
- let upstreamRef = null;
- for (const registry of [ 'registry.docker.com', 'registry.ipv4.docker.com', 'quay.io' ]) {
+ let upstreamRef = null, pullError = null;
+ for (const registry of CLOUDRON_REGISTRIES) {
 upstreamRef = `${registry}/${manifest.dockerImage}`;
- const [pullError] = await safe(pullImage(upstreamRef));
+ [pullError] = await safe(pullImage(upstreamRef));
 if (!pullError) break;
 }
- if (!upstreamRef) throw new BoxError(BoxError.DOCKER_ERROR, `Unable to pull image ${manifest.dockerImage} from dockerhub or quay`);
+ if (pullError || !upstreamRef) throw new BoxError(BoxError.DOCKER_ERROR, `Unable to pull ${manifest.dockerImage} from dockerhub or quay: ${pullError?.message}`);
 // retag the downloaded image to not have the registry name. this prevents 'docker run' from redownloading it
 debug(`downloadImage: tagging ${upstreamRef} as ${parsedManifestRef.fullRepositoryName}:${parsedManifestRef.tag}`);
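Review bot: Only the last registry's error survives the loop in downloadImage, because `pullError` is overwritten on each iteration, so the BoxError text reports the quay.io failure even when the Docker Hub attempts failed for a different reason such as a rate limit. Keep one message per registry, e.g. `pullErrors.push(registry + ': ' + pullError.message);`, and join them in the thrown message so the operator can see which host refused and why. The `!upstreamRef` half of the new condition can no longer be true once the loop has run over the non-empty CLOUDRON_REGISTRIES, so `if (pullError)` states the same check. downloadImage starts before and continues after the hunk.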