External container registry: enable to get local issuer certificate


I create a small infrascture for DevOps on private network with Gitlab running in docker container (gitlab-ce), gitlab runner and an external container registry.

I have a Wildcard SSL certificate provide by a private CA authority (interpreted as self signed certificate by Gitlab).

I use Gitlab as an auth endpoint: can login and push images on container registry.

I setup an external nginx container to redirect to my domains (gitlab and the external container registry).

All of containers have the SSL certificate and the private key if needed.

I also add the cert to /etc/gitlab/trusted-certs refer to this section in the documentation.


When I try to visit the container registry feature via Gitlab web interface, i get a “Docker connection error”. Logs in the GitLab container refers to this error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

I also observed that when i try to remove a group containing projects (didn’t try with empty group), the group cannot be removed due to this same error.

gitlab.rb config:

gitlab_rails[‘gitlab_shell_ssh_port’] = ‘2202’
external_url ‘https://gitlab.example.com
letsencrypt[‘enable’] = false
gitlab_rails[‘registry_enabled’] = true
gitlab_rails[‘registry_host’] = “registry-gitlab.example.com
gitlab_rails[‘registry_port’] = “443”
gitlab_rails[‘registry_api_url’] = “https://registry-gitlab.example.com
gitlab_rails[‘registry_issuer’] = “gitlab-issuer”
registry[‘internal_key’] = “-----BEGIN RSA PRIVATE KEY-----*****\n-----END RSA PRIVATE KEY-----” gitlab_rails[‘registry_key_path’] = “/etc/gitlab/ssl/registry.key”

Thank you