Docker runner fails with SSL certificate problem: unable to get local issuer certificate

I am running the latest build of community edition on premise (omnibus). After updating the system certificate and certificate chain, confirmed by running “trust list” and I saw my new cert.
My docker runner fails to execute below is job log. I am puzzled as how to fix this. I inserted the following in my config.toml file pre_clone_script = “cat $CI_SERVER_TLS_CA_FILE”. and could see my three certificates as well but the runner still failed. I also while logged in as gitlab-runner user did git config --system http.sslBackend openssl and the command git config --global http.sslBackend openssl with now luck

Any suggestions would be helpful.

Running with gitlab-runner 16.9.0 (656c1943)
on Runner Docker H25TUjgr, system ID: s_896eaf1eb12a
Preparing the “docker” executor
Using Docker executor with image Google Cloud console
WARNING: Container based cache volumes creation is disabled. Will not create volume for “/cache”
Pulling docker image Google Cloud console
Using docker image sha256:bef927a740ec35742ba0ce7c4f6c757a8f769bf457eac92acef4ca337400cfde for Google Cloud console with digest Google Cloud console
Preparing environment
Running on runner-h25tujgr-project-223-concurrent-0 via
Getting source from Git repository
Fetching changes with git depth set to 50…
Initialized empty Git repository in /builds/ventures/orbital-stack/back-end/.git/
Created fresh repository.
fatal: unable to access ‘’: SSL certificate problem: unable to get local issuer certificate
Cleaning up project directory and file based variables
ERROR: Job failed: exit code 1


Please check out official docs. Normally, installing your root CA’s certificate, as well as any intermediates directly on your VM where the Runner is running should solve the issue:

Default - Read the system certificate: GitLab Runner reads the system certificate store and verifies the GitLab server against the certificate authorities (CA) stored in the system.

1 Like

thats what I thought, and hence why I verified my system list with the command “trust list”.
what else could I try to debug this.

it turns out the user had a custom CI/CD setting for the project (GIT_SSL_CAINFO) which contained an expired certificate. Once I update that with the new cert everything worked…