The Quay builder uses the host's Docker socket to issue Docker commands, such as the docker push at the end of a build.
If you are using TLS for Quay Enterprise, you must not only provide the CA to the builder but also place the root CA in a Docker directory: /etc/docker/certs.d/$REGISTRY/ca.crt, where $REGISTRY is the host used to log in to your local Quay registry. If you are accessing the registry without DNS, the IP can be used as the folder name.
Note that the CA must be named ca.crt in order for Docker to use it.
Once the cert is in place, restart the docker daemon with systemctl restart docker.service.
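The steps above as a script, added here as an example (it is not part of the original article or of Quay). The function names and the CERTS_ROOT override are assumptions made for the example; the script checks that $REGISTRY is a bare host or IP and that the file is a PEM certificate before copying it to ca.crt.

```shell
#!/bin/sh
# Added example: place a Quay root CA where the Docker daemon looks for it.
# CERTS_ROOT is an assumed override for dry runs; Docker reads /etc/docker/certs.d.
CERTS_ROOT="${CERTS_ROOT:-/etc/docker/certs.d}"

# registry_cert_dir REGISTRY -> prints the directory Docker checks for that registry.
# REGISTRY must be the host or IP used at login, not a URL or a repository path.
registry_cert_dir() {
    case "$1" in
        ""|*://*|*/*|*" "*)
            echo "invalid registry name: '$1'" >&2
            return 1 ;;
    esac
    printf '%s/%s\n' "$CERTS_ROOT" "$1"
}

# install_registry_ca REGISTRY CA_FILE
# Copies CA_FILE to $CERTS_ROOT/REGISTRY/ca.crt (the file name Docker requires)
# and prints the installed path.
install_registry_ca() {
    registry=$1
    ca_file=$2
    if [ ! -r "$ca_file" ]; then
        echo "cannot read CA file: $ca_file" >&2
        return 1
    fi
    # Refuse anything that is not a PEM certificate (for example a DER file).
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file"; then
        echo "$ca_file is not a PEM certificate" >&2
        return 1
    fi
    # A CA bundle copied to a world-readable path must never carry its key.
    if grep -q -- 'PRIVATE KEY-----' "$ca_file"; then
        echo "$ca_file contains a private key; install only the certificate" >&2
        return 1
    fi
    dir=$(registry_cert_dir "$registry") || return 1
    mkdir -p "$dir" || return 1
    cp "$ca_file" "$dir/ca.crt" || return 1
    chmod 0644 "$dir/ca.crt"
    printf '%s\n' "$dir/ca.crt"
}

# When run with arguments (as root), install the CA and restart Docker.
if [ "$#" -ge 2 ]; then
    install_registry_ca "$1" "$2" && systemctl restart docker.service
fi
```

Run it as root with the registry host and the path to the root CA file as its two arguments.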