Configuring GitLab CI/CD for Docker with Self-signed cert gives x509: certificate signed by unknown authority

Hi, I’m trying to get Docker CI/CD images built using GitLab 13.4.3-ee (fd96f779e9d). There seem to be a few posts that talk about this but none I can see that deal with self-signed certificates.

I’ve managed to install and configure Docker/Registry on the GitLab server we host on my private network (can’t use LetsEncrypt).

I’m now seeing “Container Registry” available under the “Packages & Registries” project folder.

I have configured the registry to listen on 5005 (–> 5000 in the container) and can login on the GitLab host directly to the registry.

# docker login mygilab.local:5005
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

However when I try it using the command given by GitLab I receive

Error response from daemon: Get https://mygitlab.local:5050/v2/: x509: certificate signed by unknown authority

I am using a self-signed certificate and have configured the following variables in gitlab.rb

registry_external_url 'https://mygitlab.local:5050'
nginx['ssl_certificate'] = "/etc/gitlab/ssl/mygitlab.local.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/mygitlab.local.key"
registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/mygitlab.local.crt"
registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/mygitlab.local.key"

For anyone else that finds this, I finally realised that I needed to tell the docker client to trust the same key on the other port. Ultimately I created a copy of the cert in /etc/gitlab/ssl/mygilabhost.cert to ca.cert in the following directories:

/etc/docker/certs.d/mygitlabhost:5005/ca.cert
/etc/docker/certs.d/mygitlabhost:5050/ca.cert

Then I was able to do docker login using GitLab credentials and it worked.


Did you update these in a configuration file? I have an issue where docker will not log in to the registry to upload images. I’m not sure how much has changed in 8 months, but I’m dead in the water at the moment…