diff --git a/weave b/weave
index c5bfa4148b..d210fd9a8f 100755
--- a/weave
+++ b/weave
@@ -96,15 +96,21 @@ usage() {
 }
 
 docker_sock_volume_mount() {
-  if [ -z "$DOCKER_HOST" ]; then
-      DOCKER_SOCK="/var/run/docker.sock"
-  elif echo "$DOCKER_HOST" | grep -q "^unix://" >/dev/null; then
+  if echo "$DOCKER_HOST" | grep -q "^unix://" >/dev/null; then
       DOCKER_SOCK="${DOCKER_HOST#unix://}"
+  else
+      DOCKER_SOCK="/var/run/docker.sock"
   fi
-  [ -z "$DOCKER_SOCK" ] || echo "-v $DOCKER_SOCK:$DOCKER_SOCK"
+  echo "-v $DOCKER_SOCK:$DOCKER_SOCK"
 }
 
 exec_remote() {
+    # Pass through DOCKER_HOST if it is a Unix socket;
+    # a TCP socket may be secured by TLS, in which case we can't use it
+    if echo "$DOCKER_HOST" | grep -q "^unix://" ; then
+        DOCKER_HOST_ARG="-e DOCKER_HOST"
+    fi
+
     docker $DOCKER_CLIENT_ARGS run --rm --privileged --net=host \
         $(docker_sock_volume_mount) \
         -v /proc:/hostproc \
@@ -121,7 +127,7 @@ exec_remote() {
         -e WEAVE_NO_FASTDP \
         -e WEAVE_NO_BRIDGED_FASTDP \
         -e WEAVE_NO_PLUGIN \
-        -e DOCKER_HOST \
+        $DOCKER_HOST_ARG \
         -e DOCKER_BRIDGE \
         -e DOCKER_CLIENT_HOST="$DOCKER_CLIENT_HOST" \
         -e DOCKER_CLIENT_ARGS \