CI involving LFS not working due to unknown CA

I have a self-hosted GitLab instance (16.0.5) and a runner (alpine3.15-v16.0.3), both running with Docker.

I encounter a problem when the repository involves LFS (I have a Minio instance), during checkout.
The error encountered looks like LFS: Get https... certificate signed by unknown authority.

My problem seems to be described in the documentation: it would be the helper image that doesn’t have the required CA file.

As documented, I have tried to:

  • add a volume in config.toml for the CA;
  • create my own helper image from the official one, integrating the CA directly with update-ca-certificates.

I also tried to:

  • create my own runner image from the official one, directly integrating the CA with update-ca-certificates;
  • use the Ubuntu flavour instead of Alpine.

When I activate debugging on the runners, I see that a file containing the CA is created and its path exported to the CI_SERVER_TLS_CA_FILE environment variable. Its contents seem to be correct.

I’ve found a workaround which consists of performing the checkout in the user image, with the GIT_CHECKOUT: "false" and GIT_STRATEGY: "clone" variables, since I’m using custom images that integrate the CA. I’m not pleased with this workaround.

Am I missing something?