This Dockerfile will add your Jenkins master's self-signed SSL certificate to the Java CA trust store, so that the Jenkins slave JNLP client will happily register itself.
docker build -t jenkins-jnlp-slave --build-arg JENKINS_HOST=jenkins.example.com .FROM jenkinsci/jnlp-slave
ARG JENKINS_HOST
ARG JENKINS_PORT=443
USER root
RUN /bin/bash -xv -c 'keytool -noprompt -importcert -alias local-CA \
-keystore "$(find /usr -path '*/lib/security/cacerts')" \
-storepass changeit \
-file <(openssl \
s_client -showcerts -connect \
"${JENKINS_HOST:-jenkins}:${JENKINS_PORT:-443}" \
</dev/null 2>/dev/null \
| openssl x509 -outform der)'
USER jenkins