GitLab.com with self-hosted runner: Get https://registry.gitlab.com/v2/: x509: certificate signed by unknown authority

saibotma · November 25, 2020, 4:44pm

I’m using GitLab.com and a self-hosted runner.
I’m executing this stage:
deploy:
stage: deploy
image: docker/compose:alpine-1.27.4
services:
- docker:stable-dind
cache: {}
script:
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY

And it fails with the error:
time="2020-11-25T16:09:25Z" level=info msg="Error logging in to v2 endpoint, trying next endpoint: Get https://registry.gitlab.com/v2/: x509: certificate signed by unknown authority" Get https://registry.gitlab.com/v2/: x509: certificate signed by unknown authority

When i change the image of the stage to docker:stable then everything works as expected.

The error does not occur when using the shared runners.
My runner version: 13.4.1

allyusd · November 26, 2020, 8:29am

I’m disabled tls to pass the issue.

This is my full yaml

stages:
  - deploy

deploy1:
  stage: deploy
  tags:
    - dind
  # image: docker:stable
  image: docker/compose:alpine-1.27.4
  services:
    - docker:stable-dind
    
  variables:
    DOCKER_HOST: tcp://docker:2375
    DOCKER_TLS_CERTDIR: ""
  script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY

Here has doc about tls-disabled

BTW, I found the stage is “deploy”, so the way “Docker in Docker” may not work for deploy, because it’s not the host’s docker.

If you want to access the host’s docker, need use “Docker Socket Bingin” way, see the link Building Docker images with GitLab CI/CD | GitLab

Or, maybe you can use ssh to avoid docker in docker

Ex: ssh root@[DEPLOY_HOST_IP] docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY

hit: you need other work to do ssh (ex: private key…)

saibotma · November 26, 2020, 2:17pm

Thanks for the reply.
Disabling TLS helped. It works when disabled.

What if I want to enable it? I followed the instructions to enable it but then the same error occurs.

Does anyone have a hint? Do I have to copy some public certificates from GitLab.com onto my runner machine?

@allyusd Btw. the deployment with docker in docker and docker-compose using --remote flag works perfectly.

allyusd · November 26, 2020, 2:58pm

Oh, I don’t use docker-compose with --remote flag, thank you for your reply.

I don’t know what happened on the self-hosted runner and shared runner different results.

But if want to enable tls, try this:

stages:
  - deploy

deploy1:
  stage: deploy
  tags:
    - dind
  image: docker/compose:alpine-1.27.4
  services: 
    - docker:stable-dind
    
  variables:
    DOCKER_TLS_VERIFY: 1
    DOCKER_CERT_PATH: "/certs/client"
    DOCKER_HOST: "tcp://docker:2376"
    DOCKER_TLS_CERTDIR: "/certs"
  script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY

dejavits · March 23, 2021, 6:58pm

Hello @allyusd and @saibotma!

Sorry for bringing this up but I have been really struggling for several days and I do not manage to make my gitlab runner run ok.

I use also gitlab.com and I was running a gitlab-runner within Linux which was running ok. However, if I try to run a gitlab-runner in Windows or using Docker I get the certificate signed by unknown authority error.

If I disable TLS or try to enable it, then I get the error “ERROR: no active session for wgfyt0zw36gtzg34vltmjni8d: context deadline exceeded”

Did you solve this at the end @saibotma?

Any help or hint would be extremelly appreciated.

Thank you in advance and kind regards.