X509: certificate signed by unknown authority but Certificate is valid

Hi, I have a self-hosted gitlab with a valid wildcard certificate. Chrome accepts it, so I guess it is valid. When I try to run gitlab-runner verify I get the error x509: certificate signed by unknown authority. Could this be a firewall issue or something else?

Hi @konsultaner

What is the issuer of the GitLab server certificate? If it isn’t some publicly trusted CA you need to tell GitLab Runner to trust it by using tls-ca-file in config.toml

Hi @balonik
I ended up adding the certificate as described in the docs. But the issuer is: Starfield Secure Certificate Authority - G2, so it should work.

I found an issue where another guy has the same issue using Starfield Secure CA: Gitlab-runner fails with SSL certificate problem: unable to get issuer certificate (#6586) · Issues · GitLab.org / gitlab-runner · GitLab. Maybe there is some specific issue with that CA.

It seems like a lot of Linux distros do not allow this CA. I tried the alpine node and the regular node docker image and I had issues there.

That’s really strange, because I found that CA in Ubuntu default CA certificates package as well as in CentOS and Alpine CA certificates package.

Make sure you have the whole CA chain in your crt file that you use in your GitLab config, not just the one wildcard certificate.

You can also test if OpenSSL verifies your certificate using openssl s_client -connect 127.0.0.1:443 if your GitLab listens on localhost as well.