[gitlab 12.1.3-ee on-premise] creating push check transport for gitlab... x509: certificate signed by unknown authority

Hi all

I am currently running a proof of concept based on GitLab EE running internally (not the hosted platform) - Ubuntu 18.04.

I am trying to use a self-signed certificate / CA with GitLab Runner (running as a Docker container), but I can’t for the life of me get it to work. I am probably missing something obvious.

This is what I have done:

  1. Copied the gitlab.xyz.com.crt to /usr/local/share/ca-certificates/
  2. Ran update-ca-certificates --fresh
  3. Checked the CA is now in /etc/ssl/certs/ca-certificates.crt (which it is)
  4. Created and registered GitLab Runner (via Docker container); registration worked fine against the GitLab HTTPS URL.
  5. Copied the gitlab.xyz.com.crt to /srv/gitlab-runner/config/certs/
  6. Restarted docker

Command to create the GitLab Runner in docker:

docker run -d --name gitlab-runner --restart always -v /srv/gitlab-runner/config:/etc/gitlab-runner -v /var/run/docker.sock:/var/run/docker.sock gitlab/gitlab-runner:latest

Command to register the GitLab Runner:

docker run --rm -t -i -v /srv/gitlab-runner/config:/etc/gitlab-runner gitlab/gitlab-runner register --docker-privileged --non-interactive --executor "docker" --docker-image alpine:latest --url "https://gitlab.xyz.com" --registration-token "xyz" --description "docker-runner" --tag-list "docker-gitlab-runner" --run-untagged --locked="false"

Now when I push .gitlab-ci.yml for my repository and the pipeline fires, the pipeline process is unable to build a Docker image and push it to the registry due to an x509: certificate signed by unknown authority issue:

Skipping Git submodules setup
$ echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
$ /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "gitlab.xyz.com:4567/sample-group1/sample-sub-group1/sample-project:latest": creating push check transport for gitlab.xyz.com:4567 failed: Get https://gitlab.xyz.com:4567/v2/: x509: certificate signed by unknown authority
ERROR: Job failed: exit code 1

Is anyone able to give me some hints on what I am doing wrong here? I would be very grateful as I want to progress onto evolving my pipelines and testing out the GitLab CI/CD functionality eventually on my Kubernetes stack, but Docker is fine for now.


So I updated my configuration to use Let’s Encrypt instead. This worked without any issue as far as the GitLab UI / dashboard is concerned, and it also worked fine for my gitlab-runner registration, but to my surprise there is a new issue when trying to git clone via the .gitlab-ci.yml:

Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /builds/lab/builder/packer/.git/
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.xyz.com/lab/builder/packer.git/': SSL certificate problem: unable to get local issuer certificate

I really didn’t expect this issue using the Let’s Encrypt method, so I am basically stuck with this POC now. Am I the only one who has had this issue? I have read about having to create the Let’s Encrypt certs manually in order to include the full chain. If this is the case, why doesn’t the documentation state that?

I would really appreciate it if anyone has got any tips or had this problem themselves and managed to fix the issue (even if it’s me who has missed something) so I can continue on with using CI/CD in GitLab.
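
An added example, not part of the original post: "unable to get local issuer certificate" is what a client reports when a server presents only its leaf certificate and the client cannot find the intermediate that issued it. The script below builds a throwaway three-level PKI and verifies a leaf-only file and a full-chain file against the same root; the helper names `issue`, `build_pki` and `check_served`, the "Demo" CA names and all file names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI:
#   Demo Root -> Demo Intermediate -> gitlab.xyz.com (leaf)

# issue NAME SUBJECT EXT [SIGNER]: write $PKI/NAME.key and $PKI/NAME.crt.
# Self-signed when SIGNER is omitted, otherwise signed by SIGNER's key.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null || return 1
    if [ -n "$4" ]; then
        signer="-CA $PKI/$4.crt -CAkey $PKI/$4.key -CAcreateserial"
    else
        signer="-signkey $PKI/$1.key"
    fi
    # $signer is left unquoted on purpose so it splits into separate options.
    openssl x509 -req -in "$PKI/$1.csr" $signer -days 2 \
        -extfile "$PKI/$3.ext" -out "$PKI/$1.crt" 2>/dev/null
}

# build_pki: create the three certificates plus fullchain.pem (leaf + intermediate).
build_pki() {
    PKI=$(mktemp -d) || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$PKI/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gitlab.xyz.com\n' > "$PKI/leaf.ext"
    issue root "/CN=Demo Root" ca &&
    issue int "/CN=Demo Intermediate" ca root &&
    issue leaf "/CN=gitlab.xyz.com" leaf int &&
    cat "$PKI/leaf.crt" "$PKI/int.crt" > "$PKI/fullchain.pem"
}

# check_served FILE: verify the first certificate in FILE against the demo root,
# treating every certificate in FILE as what the server sent (untrusted).
# Prints openssl's verdict; exit status is non-zero when the chain cannot be built.
check_served() {
    openssl verify -CAfile "$PKI/root.crt" -untrusted "$1" "$1" 2>&1
}

build_pki || exit 1
echo "leaf only:";  check_served "$PKI/leaf.crt" || echo "(chain could not be built)"
echo "full chain:"; check_served "$PKI/fullchain.pem"
rm -rf "$PKI"
```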