On-prem setup with wildcard ssl certs: Gitlab Runner -> "x509: certificate signed by unknown authority"

Hi all,

I'm struggling to find a solution to my problem. The vanilla Auto DevOps pipeline fails with this error:

Logging to GitLab Container Registry with CI credentials...
 WARNING! Using --password via the CLI is insecure. Use --password-stdin.
 Error response from daemon: Get https://registry.gitlab.[my-homelab-domain]/v2/: x509: certificate signed by unknown authority

Current homelab setup is:

  • GitLab Omnibus 12.9.3 (latest) on a VM (Proxmox), running as a Docker container
  • GitLab Runner 12.9.0 (latest) on another VM (Proxmox), running as a Docker container
  • Self-signed wildcard certificate with altNames
  • All routes correctly set up, no firewalls

SSL certificate
I’ve generated a self-signed cert with a wildcard domain *.gitlab.[my-homelab-domain] and altNames

  • gitlab.[my-homelab-domain]
  • registry.gitlab.[my-homelab-domain]
  • *.gitlab.[my-homelab-domain] (this last one might not be necessary).

[my-homelab-domain] is the FQDN for my homelab network, set by the DHCP server on all hosts, even the virtualized ones.

Gitlab setup

GitLab is using the above-mentioned certificate and its private key, copied to

  • /etc/gitlab/ssl/gitlab.[my-homelab-domain].crt and /etc/gitlab/ssl/gitlab.[my-homelab-domain].key
  • /etc/gitlab/ssl/registry.gitlab.[my-homelab-domain].crt and /etc/gitlab/ssl/registry.gitlab.[my-homelab-domain].key

Here is the relevant part of gitlab.rb, configured as per "Manually configuring HTTPS" and "Container Registry domain configuration":

external_url 'https://gitlab.[my-homelab-domain]'
..
nginx['redirect_http_to_https'] = true
..
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.[my-homelab-domain].crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.[my-homelab-domain].key"
..
registry_external_url 'https://registry.gitlab.[my-homelab-domain]'
..
registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/registry.gitlab.[my-homelab-domain].crt"
registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/registry.gitlab.[my-homelab-domain].key"
..

Runner setup
GitLab is using the above-mentioned certificate, copied to:

I've tried some permutations of this setup, trying to keep the certificate CN and gitlab.rb consistent, but with no luck.
I've also tried to sign the certificate with a (self-signed) root CA and… nope.

Can someone explain where I am wrong, and hopefully point me to a fresh new start?

Thank you!
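As an added example (not part of the original post), the following shell script reproduces on a throwaway CA and wildcard certificate the two distinct failure modes that sit behind this kind of error: a client that does not hold the signing CA fails chain validation (the "unknown authority" case) no matter how correct the SANs are, whereas a client that trusts the CA but asks for a name the wildcard does not cover fails the hostname check instead. Assumed: openssl 1.1.0 or newer on PATH, and gitlab.homelab.example as a placeholder for [my-homelab-domain].

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway private CA,
# sign a wildcard leaf certificate carrying the SANs from the post, and check
# whether a client that (a) trusts the CA or (b) does not trust it accepts the
# certificate for a given hostname. Case (b) is the "unknown authority" error.
# Requires openssl 1.1.0+; DOMAIN is a placeholder for [my-homelab-domain].
set -e
WORK=$(mktemp -d)
DOMAIN="gitlab.homelab.example"

make_certs() {
  # Private root CA: this is the trust anchor a client must be given.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Homelab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Leaf key and CSR with the wildcard CN used in the post.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=*.$DOMAIN" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  # SANs as listed in the post; clients ignore the CN once SANs are present.
  printf 'subjectAltName=DNS:%s,DNS:registry.%s,DNS:*.%s\n' \
    "$DOMAIN" "$DOMAIN" "$DOMAIN" > "$WORK/san.ext"
  # Sign the leaf with the CA and attach the SAN extension.
  openssl x509 -req -days 365 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/san.ext" \
    -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" 2>/dev/null
}

# verify_against CAFILE HOST: exit 0 if leaf.crt chains to CAFILE and is valid
# for HOST; an empty CAFILE simulates a client holding no trust anchor for it.
verify_against() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" -no-CApath \
      -verify_hostname "$2" "$WORK/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath \
      -verify_hostname "$2" "$WORK/leaf.crt" >/dev/null 2>&1
  fi
}

make_certs
for host in "registry.$DOMAIN" "sub.registry.$DOMAIN"; do
  if verify_against "" "$host"; then echo "no trust anchor: $host OK"
  else echo "no trust anchor: $host FAILS (unknown authority)"; fi
  if verify_against "$WORK/ca.crt" "$host"; then echo "CA trusted: $host OK"
  else echo "CA trusted: $host FAILS (name not covered by the SANs)"; fi
done
```

Running the same openssl verify -CAfile <ca> -verify_hostname <name> call against the certificate the registry actually serves shows which of the two cases applies: a chain error means the Docker daemon on the runner host lacks the CA, a hostname error means the SANs do not cover the name in the registry URL.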