X509: certificate signed by unknown authority but Certificate is valid

Hi, I have a self-hosted GitLab with a valid wildcard certificate. Chrome accepts it, so I guess it is valid. When I try to run gitlab-runner verify I get the error x509: certificate signed by unknown authority. Could this be a firewall issue or something else?

Hi @konsultaner

What is the issuer of the GitLab server certificate? If it isn’t some publicly trusted CA you need to tell GitLab Runner to trust it by using tls-ca-file in config.toml

Hi @balonik
I ended up adding the certificate as described in the docs. But the issuer is: Starfield Secure Certificate Authority - G2, so it should work.

I found an issue where another guy has the same issue using Starfield Secure CA: "Gitlab-runner fails with SSL certificate problem: unable to get issuer certificate" (gitlab-runner issue #6586). Maybe there is some specific issue with that CA.

It seems like a lot of Linux distros do not allow this CA. I tried the alpine node and the regular node docker image and I had issues there.

That’s really strange, because I found that CA in Ubuntu default CA certificates package as well as in CentOS and Alpine CA certificates package.

Make sure you have the whole CA chain in your crt file that you use in your GitLab config, not just the one wildcard certificate.

You can also test if OpenSSL verifies your certificate using openssl s_client -connect 127.0.0.1:443 if your GitLab listens on localhost as well.

I have seen this occur when the SSL certificate file configured for the gitlab instance web server is only the certificate for the server and not the complete certificate chain (root CA plus any intermediates). Adding the complete certificate chain to the .crt file configured for the web server (/etc/gitlab/ssl/your.domain.name.crt by default) may rectify this.

Your browser is happy to work its way back to a root of trust already existing in the trust store but command line tools seem to require that you provide the whole chain.

See more information at: https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce