Private instance with Traefik and working TLS

We are running a local GitLab installation (available only on the intranet, using a local DNS record pointing to the local server, i.e. ) with one GitLab runner. We have recently put our installation behind a Traefik reverse proxy and have started to have certificate problems. Everything is running on a single host (CentOS) in a Docker environment.

Current problem:
The build job is failing on docker login with a certificate problem:

Error response from daemon: Get x509: certificate signed by unknown authority

Briefly, this is how we got here:

  1. HTTP-only docker-compose installation of gitlab-ce and gitlab-runner. Working OK.
  2. Added Traefik into the mix. Problems started (port 443 is now open; until now there was nothing listening there). Traefik started to respond with its own default, invalid, self-signed cert…
  3. We added daemon.json with an insecure registry to make docker login work. It started to work.
  4. Docker push now does not work due to a certificate problem (it was perhaps the next step after login).
  5. Added our own certification authority; the root CA certificate was added to the host OS (CentOS) and also, using volumes, to the Docker containers (file /etc/gitlab-runner/certs/ ). Something else broke. Still not able to complete the build.
  6. Removed our own certificate in favor of a Let's Encrypt generated one (generated on the web site of our local hosting provider, which is responsible for our public DNS). The certificates are valid (i.e. Firefox accepts them and shows “connection secure”). This is the “current” state.

When debugging what is wrong and why the builder has problems doing docker login, I tried to run docker run -it docker:19.03.12 sh to simulate the build environment. Then I started debugging:

apk add curl
curl -vvv

It finishes with:

* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates

Because this tells me there is a problem with the cert, I also tried to obtain more info using:

apk add openssl
openssl s_client -showcerts -connect

This shows me much more info. For example:

Verification error: unable to verify the first certificate
Verify return code: 21 (unable to verify the first certificate)

Note that we have a daemon.json file on our host marking the registry as insecure, so it should ignore the invalid certificate. This once fixed the docker login problem for us.

What is the best way to have gitlab-ce and some gitlab-runners running in Docker behind Traefik? Is there any “maintenance free” way?

“Solved” using a registry external URL with port 5050 (i.e. “registry_external_url ‘’”) and publishing port 5050 from the Docker container to the host. Now accessing the Docker registry is possible using the given URL. Still there is something bad (perhaps a certificate problem). Note that the key and cert files for the given domain are provided to the GitLab Docker container using mounts.
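The openssl s_client output quoted in the post (verify return code 21, "unable to verify the first certificate") usually means the proxy served only the leaf certificate without its intermediate, which is a different fix from a private CA that the Docker daemon and runner do not trust. The script below is an added example, not code from the post or from GitLab; it classifies a saved s_client transcript by verify code and chain length, and the hostname, paths with angle brackets and the embedded transcript are constructed placeholders.

```shell
#!/bin/sh
# Added helper (not from the original post): classify the result of
#   openssl s_client -showcerts -connect HOST:PORT </dev/null
# from its "Verify return code" and chain length. Usage: sh tls_chain_check.sh FILE (no arg: sample)

# Certificates the server presented; zero matches make grep exit 1, hence || true.
count_chain_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Numeric verify result, e.g. 21 from "Verify return code: 21 (...)".
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Likely cause per code. <registry-host:port> and <hostname> are placeholders; the
# paths are Docker's and gitlab-runner's documented locations for a private CA.
diagnose() {
    code=$(verify_code "$1"); n=$(count_chain_certs "$1")
    case "$code" in
        0)     echo "OK: chain of $n cert(s) verified against the client trust store" ;;
        21)    echo "Incomplete chain ($n cert(s) sent, issuer missing): serve leaf plus intermediates (Let's Encrypt fullchain.pem) from the proxy" ;;
        18|19) echo "Self-signed or private CA: install it in /etc/docker/certs.d/<registry-host:port>/ca.crt and /etc/gitlab-runner/certs/<hostname>.crt" ;;
        20)    echo "Leaf issuer unknown to the client: serve the intermediate or add the CA to the trust store" ;;
        "")    echo "No verify result: handshake did not finish, check the port and the proxy route" ;;
        *)     echo "Verify return code $code: see 'man verify'" ;;
    esac
}

# Constructed sample transcript reproducing the post's error (placeholder host, not a real cert).
write_sample() {
    cat > "$1" <<'EOF'
depth=0 CN = gitlab.example.internal
verify error:num=21:unable to verify the first certificate
Certificate chain
 0 s:CN = gitlab.example.internal
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
Verification error: unable to verify the first certificate
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

if [ $# -eq 0 ]; then
    S="${TMPDIR:-/tmp}/s_client_sample.$$"; write_sample "$S"; diagnose "$S"; rm -f "$S"
else
    diagnose "$1"
fi
```

Run it inside the docker:19.03.12 debugging container against a transcript captured from the registry host and port; code 21 points at the proxy's certificate file, while 18, 19 or 20 point at the client's trust store.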