GitLab.com with self-hosted runner: Get https://registry.gitlab.com/v2/: x509: certificate signed by unknown authority

I’m using GitLab.com and a self-hosted runner.
I’m executing this stage:
deploy:
  stage: deploy
  image: docker/compose:alpine-1.27.4
  services:
    - docker:stable-dind
  cache: {}
  script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY

And it fails with the error:
time="2020-11-25T16:09:25Z" level=info msg="Error logging in to v2 endpoint, trying next endpoint: Get https://registry.gitlab.com/v2/: x509: certificate signed by unknown authority" Get https://registry.gitlab.com/v2/: x509: certificate signed by unknown authority

When I change the image of the stage to docker:stable then everything works as expected.

The error does not occur when using the shared runners.
My runner version: 13.4.1


I disabled TLS to get past the issue.

This is my full yaml

stages:
  - deploy

deploy1:
  stage: deploy
  tags:
    - dind
  # image: docker:stable
  image: docker/compose:alpine-1.27.4
  services:
    - docker:stable-dind
    
  variables:
    DOCKER_HOST: tcp://docker:2375
    DOCKER_TLS_CERTDIR: ""
  script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY

Here is the doc about disabling TLS

BTW, I noticed the stage is “deploy”, so the “Docker in Docker” way may not work for deploy, because it’s not the host’s Docker.

If you want to access the host’s Docker, you need to use the “Docker Socket Binding” way, see the link Building Docker images with GitLab CI/CD | GitLab

Or, maybe you can use ssh to avoid docker in docker

Ex: ssh root@[DEPLOY_HOST_IP] docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY

hint: you need other work to do ssh (ex: private key…)

Thanks for the reply.
Disabling TLS helped. It works when disabled.

What if I want to enable it? I followed the instructions to enable it but then the same error occurs.

Does anyone have a hint? Do I have to copy some public certificates from GitLab.com onto my runner machine?

@allyusd Btw. the deployment with docker in docker and docker-compose using --remote flag works perfectly.

Oh, I don’t use docker-compose with --remote flag, thank you for your reply.

I don’t know why the self-hosted runner and the shared runner give different results.

But if you want to enable TLS, try this:

stages:
  - deploy

deploy1:
  stage: deploy
  tags:
    - dind
  image: docker/compose:alpine-1.27.4
  services: 
    - docker:stable-dind
    
  variables:
    DOCKER_TLS_VERIFY: 1
    DOCKER_CERT_PATH: "/certs/client"
    DOCKER_HOST: "tcp://docker:2376"
    DOCKER_TLS_CERTDIR: "/certs"
  script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY

Hello @allyusd and @saibotma!

Sorry for bringing this up but I have been really struggling for several days and I do not manage to make my gitlab runner run ok.

I also use gitlab.com and I was running a gitlab-runner within Linux which was running ok. However, if I try to run a gitlab-runner in Windows or using Docker I get the certificate signed by unknown authority error.

If I disable TLS or try to enable it, then I get the error “ERROR: no active session for wgfyt0zw36gtzg34vltmjni8d: context deadline exceeded”

Did you solve this at the end @saibotma?

Any help or hint would be extremely appreciated.

Thank you in advance and kind regards.

In my case, it seems the docker/compose image doesn’t contain ANY root certs and docker login fails (login uses certs from the docker CLIENT, not where the docker daemon is running). This seems to be the issue even with latest (as of now) docker/compose image. Since the image is based on alpine, running apk add ca-certificates installs the missing certs and docker login works again. You should be able to add this step to your CI jobs easily, or roll your own docker/compose-based image for your jobs.
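
The post above makes the key point: the trust store that matters is the one inside the image running the docker CLI, not the one on the daemon side. The following Go program is an added illustration (not code from this thread or from GitLab); it builds a throwaway CA and a server certificate for the constructed host name registry.example.test, then runs the same chain verification a Go TLS client such as the docker CLI performs, once against an empty certificate pool (an image with no ca-certificates package) and once against a pool that contains the issuing root. The first attempt fails with x509.UnknownAuthorityError, whose message is exactly the "x509: certificate signed by unknown authority" text in the job log; the second succeeds. All names and certificates in it are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RegistryHost is a constructed registry name used only in this demo.
const RegistryHost = "registry.example.test"

// VerifyResult summarises one verification attempt against one trust store.
type VerifyResult struct {
	Trusted          bool  // a chain was built to a root in the store
	UnknownAuthority bool  // Err is an x509.UnknownAuthorityError
	Err              error // underlying error, nil when trusted
}

// signCert issues a certificate from tmpl, signed by parent with parentKey.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain generates, in memory, a throwaway root CA and a server
// certificate for RegistryHost signed by that CA (constructed test data,
// not a real GitLab certificate).
func BuildChain() (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root, err = signCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: RegistryHost},
		DNSNames:     []string{RegistryHost},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = signCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return root, leaf, err
}

// VerifyAgainst runs the chain validation a Go TLS client does for a server
// certificate, using only the supplied pool as trust anchors. An empty pool
// models a container image with no ca-certificates installed; passing nil
// would fall back to the system roots, so an explicit pool is always used.
func VerifyAgainst(leaf *x509.Certificate, roots *x509.CertPool, host string) VerifyResult {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var ua x509.UnknownAuthorityError
	return VerifyResult{
		Trusted:          err == nil,
		UnknownAuthority: errors.As(err, &ua),
		Err:              err,
	}
}

func main() {
	root, leaf, err := BuildChain()
	if err != nil {
		panic(err)
	}
	// 1. Empty trust store: what a client with no root certs sees.
	empty := x509.NewCertPool()
	fmt.Println("empty store:", VerifyAgainst(leaf, empty, RegistryHost).Err)
	// 2. Store containing the issuing CA: the effect of installing the CA bundle.
	withRoot := x509.NewCertPool()
	withRoot.AddCert(root)
	fmt.Println("store with root: trusted =", VerifyAgainst(leaf, withRoot, RegistryHost).Trusted)
}
```

The practical consequence for the job is the one the post states: install the CA bundle in the client image (apk add ca-certificates on Alpine) before docker login, or bake it into a custom image. A hostname mismatch or an expired certificate produces a different x509 error, so seeing the exact "unknown authority" text is a good indicator that the client's trust store, not the daemon or the network, is the problem.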

Make sure to add your GitLab registry certificate on the host where you are running the docker command. You can refer to this article