Hello,
We are running a local GitLab installation (available only on the intranet, using a local DNS record for gitlab.qpp.sk pointing to a local server, i.e. 192.168.88.8) with one GitLab runner. We have recently put our installation behind a traefik reverse proxy and have started to have certificate problems. All things are running on a single host (CentOS) in a docker environment.
Current problem:
Build job is failing on docker login with certificate problem:
Error response from daemon: Get https://gitlab.qpp.sk/v2/: x509: certificate signed by unknown authority
We briefly came here this way:
- HTTP-only docker-compose installation of gitlab-ce and gitlab-runner. Working OK.
- Added traefik into the mix. Problems started (port 443 is now open; until now there was nothing listening there). Traefik started to respond with its own default, invalid, self-signed cert…
- We added daemon.json with an insecure repository to make docker login work. It started to work.
- Docker push is now not working due to a certificate problem (it was perhaps the next step after login).
- Added our own certification authority and added a certificate for gitlab.qpp.sk. The root CA has been added to the host OS (CentOS) and also, using volumes, to the docker containers (file /etc/gitlab-runner/certs/gitlab.qpp.sk.crt). Something else has broken. Still not able to complete the build.
- Removed our own certificate in favor of a Let's Encrypt generated one (generated on the web of our local hosting provider, which is responsible for our public DNS). Certificates are valid (i.e. Firefox is accepting it and showing "connection secure"). This is the "current" state.
When debugging what is wrong and why the builder has problems doing docker login, I have tried to run docker run -it docker:19.03.12 sh
to simulate the build environment. Then I started debugging:
apk add curl
curl -vvv https://gitlab.qpp.sk
It finishes with:
- SSL certificate problem: unable to get local issuer certificate
- Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates
Because this tells me there is a problem with the cert, I have also tried to obtain more info using:
apk add openssl
openssl s_client -showcerts -connect gitlab.qpp.sk:443
This shows me much more info. For example:
Verification error: unable to verify the first certificate
or
Verify return code: 21 (unable to verify the first certificate)
Note that we have on our host a daemon.json file marking the gitlab.qpp.sk repository as insecure, thus it should ignore the invalid certificate. This once fixed the docker login problem for us.
What is best way to have gitlab-ce and some gitlab-runner-s running in docker behind traefik? Is there any “maintenance free” way?
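A small diagnostic helper to go with the openssl s_client output above; this is an added example, not code from the post or from GitLab/Traefik. It assumes the standard OpenSSL verify return codes (0, 18/19, 20, 21) and parses a constructed transcript embedded in the script rather than a live connection.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). It classifies the
# "Verify return code" of an `openssl s_client -showcerts` transcript so a
# server-side problem (Traefik serving the leaf without its intermediate)
# can be told apart from a client-side one (CA missing from the trust store).
# Assumes OpenSSL's standard verify codes: 0 ok, 18/19 self-signed,
# 20 unable to get local issuer certificate, 21 unable to verify the first certificate.
# Live use: openssl s_client -showcerts -connect gitlab.qpp.sk:443 </dev/null 2>/dev/null | diagnose_chain

diagnose_chain() {
    transcript=$(cat)                                   # whole s_client output from stdin
    ncerts=$(printf '%s\n' "$transcript" | grep -c 'BEGIN CERTIFICATE' || true)
    code=$(printf '%s\n' "$transcript" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    issuer=$(printf '%s\n' "$transcript" | sed -n 's/^ *i:\(.*\)$/\1/p' | head -n 1)   # issuer of the leaf
    case "$code" in
        0)     printf 'ok: chain verified, %s certificate(s) served\n' "$ncerts"; return 0 ;;
        21)    printf 'server: %s certificate(s) served but issuer "%s" is not among them; serve the full chain (leaf + intermediate) from Traefik\n' "$ncerts" "$issuer"; return 2 ;;
        20)    printf 'client: issuer "%s" not in this trust store; add the CA certificate to the host and runner\n' "$issuer"; return 1 ;;
        18|19) printf 'client: self-signed certificate in chain; trust it explicitly or replace it\n'; return 1 ;;
        *)     printf 'unknown: verify return code "%s"\n' "${code:-none}"; return 3 ;;
    esac
}

# Constructed sample transcript (not captured from a real host): leaf only, verify code 21.
SAMPLE_LEAF_ONLY=$(cat <<'EOF'
CONNECTED(00000003)
Certificate chain
 0 s:CN = gitlab.qpp.sk
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
Verify return code: 21 (unable to verify the first certificate)
EOF
)

printf '%s\n' "$SAMPLE_LEAF_ONLY" | diagnose_chain || echo "(exit status $?)"
```

A code 21 points at the certificate file Traefik serves, which no CA in /etc/gitlab-runner/certs can repair, while a code 20 points at the client's trust store. Note that insecure-registries in daemon.json only affects the Docker daemon's registry access, not curl or git inside the job.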