On-prem setup with wildcard ssl certs: Gitlab Runner -> "x509: certificate signed by unknown authority"

Hi all,

I’m struggling to find a solution to my problem. The vanilla Auto DevOps pipeline fails with this error:

Logging to GitLab Container Registry with CI credentials...
 WARNING! Using --password via the CLI is insecure. Use --password-stdin.
 Error response from daemon: Get https://registry.gitlab.[my-homelab-domain]/v2/: x509: certificate signed by unknown authority

Current homelab setup is:

  • Gitlab Omnibus 12.9.3 (latest) on a VM (proxmox), running as a Docker container
  • Gitlab Runner 12.9.0 (latest) on another VM (proxmox), running as a Docker container
  • Self-signed wildcard certificate with altNames
  • All routes correctly setup, no firewalls

SSL certificate
I’ve generated a self-signed cert with a wildcard domain *.gitlab.[my-homelab-domain] and altNames

  • gitlab.[my-home-domain]
  • registry.gitlab.[my-home-domain]
  • *.gitlab.[my-home-domain] (this last one might not be necessary).

[my-homelab-domain] is the FQDN for my homelab net, set by dhcp server on all hosts, even the virtualized ones.

Gitlab setup

Gitlab is using the aforementioned certificate and its private key, copied to

  • /etc/gitlab/ssl/gitlab.[my-homelab-domain].crt and /etc/gitlab/ssl/gitlab.[my-homelab-domain].key
  • /etc/gitlab/ssl/registry.gitlab.[my-homelab-domain].crt and /etc/gitlab/ssl/registry.gitlab.[my-homelab-domain].key

Here is the relevant part of gitlab.rb, configured as per manually configuring https and Container registry domain configuration

external_url 'https://gitlab.[my-homelab-domain]'
..
nginx['redirect_http_to_https'] = true
..
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.[my-homelab-domain].crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.[my-homelab-domain].key"
..
registry_external_url 'https://registry.gitlab.[my-homelab-domain]'
..
registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/registry.gitlab.[my-homelab-domain].crt"
registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/registry.gitlab.[my-homelab-domain].key"
..

Runner setup
Gitlab is using the aforementioned certificate, copied to:

I’ve tried some permutations on this setup, trying to keep coherence between certificate CN and gitlab.rb, but with no luck.
I’ve also tried to sign the certificate with a root CA (self-signed) and…nope.

Can someone explain where I am wrong, and hopefully point me to a fresh new start?

Thank you!

Hi paoloyx,

I had quite a similar issue. I provided a docker registry on my gitlab omnibus installation and used a global trusted certificate. Using the private and public key pair was not successful and provided me the same notification with the “certificate signed by unknown authority”.
But only Linux clients had this problem. Windows clients were able to use the registry without any inconveniences. Even when I hit the URL (gitlab.mydomain.tld:5050) in the browser on a Windows client, everything was fine.

But nevertheless, I used the whole keychain as the public certificate and now it runs.

Maybe you don’t have a real wildcard certificate. Just a normal certificate which trusts the hostname ‘*’ in it.

Cheers
shevy-de

1 Like
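As an added illustration (not code from this thread, from GitLab, or from GitLab Runner), the script below builds a throwaway private root CA, issues a wildcard certificate whose SAN list names both the GitLab and the registry host, bundles leaf plus CA into the "whole keychain" file the reply above describes, and then checks the result with openssl verify the way a Go-based client such as the Docker daemon or the runner does (issuer must be trusted and the hostname must match a SAN, the CN is ignored). The domain, the file paths and the "Homelab Root CA" name are placeholders; it assumes openssl 1.1.0 or newer on PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Builds a private root CA, issues a
# wildcard cert whose SANs cover both hostnames, and verifies it the way a
# Go/Docker client does (trusted issuer + SAN match). Needs openssl >= 1.1.0.
set -eu

DOMAIN="${DOMAIN:-gitlab.homelab.example}"   # placeholder for gitlab.[my-homelab-domain]
WORK="$(mktemp -d)"

make_ca_and_leaf() {
  # 1. Self-signed root CA: this is the file the runner host must trust.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Homelab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
  # 2. Wildcard leaf. Go ignores the CN, so every hostname must be in the SAN list.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.${DOMAIN}" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s,DNS:registry.%s,DNS:*.%s\nextendedKeyUsage=serverAuth\n' \
    "$DOMAIN" "$DOMAIN" "$DOMAIN" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
  # 3. What nginx should serve: leaf first, then the issuing CA (the "whole keychain").
  cat "$WORK/leaf.crt" "$WORK/ca.crt" > "$WORK/fullchain.crt"
}

# Exit 0 if cert $1 chains to CA file $2 and one of its SANs matches hostname $3.
verify_host() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Exit 0 only if cert $1 chains to the system trust store (a private CA will not).
verify_system_trust() {
  openssl verify "$1" >/dev/null 2>&1
}

main() {
  make_ca_and_leaf
  for host in "$DOMAIN" "registry.$DOMAIN" "unrelated.example"; do
    if verify_host "$WORK/leaf.crt" "$WORK/ca.crt" "$host"; then echo "$host: OK"; else echo "$host: FAIL"; fi
  done
  # Without the CA a client sees exactly the thread's error. The fix is to install
  # ca.crt on the runner host: /etc/docker/certs.d/registry.$DOMAIN/ca.crt for the
  # docker daemon, /etc/gitlab-runner/certs/$DOMAIN.crt for the runner itself.
  verify_system_trust "$WORK/leaf.crt" || echo "system trust store: FAIL (unknown CA, as expected)"
}
main
```

The third hostname is expected to fail: a certificate that is trusted but does not name the host is rejected just as an untrusted one is.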

I would be interested to hear if @shevy-de 's post was helpful to your issue @paoloyx! Let us know!

1 Like