Gitlab-runner registration fails: x509: certificate signed by unknown authority

Hi everybody,

I am running a gitlab-runner (gitlab/gitlab-runner version 12.4.0, ran as docker container). When i run the container with:

docker run -d --name shared-docker-runner --restart unless-stopped -v ~/shared-docker-runner/config:/etc/gitlab-runner -v /var/run/docker.sock:/var/run/docker.sock gitlab/gitlab-runner:latest

The local dir ~/shared-docker-runner/config/certs has a ca-certificate. I can check the ca-file compatibility with the server certificate via:

openssl s_client -CAfile ~/shared-docker-runner/config/my-gitlab-server.crt -connect my-gitlab-server:443

which returns Verify return code: 0 (ok)

The running container will have a ca-certificate available in /etc/gitlab-runner/certs

I can docker exec into the running container and execute:

openssl s_client -CAfile /etc/gitlab-runner/certs/my-gitlab-server.crt -connect my-gitlab-server:443

and it will return Verify return code: 0 (ok)

But if i run:

openssl s_client -CApath /etc/gitlab-runner/certs -connect my-gitlab-server:443

the verification fails:

Verify return code: 21 (unable to verify the first certificate)

And so do all my attempts to register my shared-docker-runner.

PANIC: Failed to register this runner. Perhaps you are having network problems

I have tried the following config.toml, but it looks like editing the toml is without any effect:

concurrent = 1
check_interval = 0

  session_timeout = 1800

  name = "shared-docker-runner"
  url = "https://my-gitlab-server:443"
  token = "D&C67342878cdgdc"
  executor = "docker"
  tls-ca-file = "/etc/gitlab-runner/certs/my-gitlab-server.crt"
    tls_verify = false
    image = "docker:19.03.0"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache", "/certs"]
    shm_size = 0

What am i missing?