X509: certificate signed by unknown authority

Hi,
I’m setting up two runners, one on macOS, one on windows. No problems with the Mac.
My pipeline looks something like this

       Stage version                   Stage Build
----version (runs on Mac) ------|-------build Mac 
                                |-------build windows

So the Windows job tries to download the artefacts created on Mac in the version stage

I installed gitlab-runner on windows and registered it, which works and I can also run basic commands.

However when trying to downloading the artefacts I get this error message

ERROR: Downloading artifacts from coordinator... error couldn't execute GET against https://gitlab.com/api/v4/jobs/2828302849/artifacts?direct_download=true: Get "https://storage.googleapis.com/gitlab-gprd-k3stlwu%0A9qrgyVI2pk(blablablablabla)xafRP2Zg%3D%3D&Expires=1659973175": x509: certificate signed by unknown authority id=2828302849 token=Ltqp41Y4

I then found this article:

and followed the steps in Read a PEM Certificate on my Mac and transferred the certificate to C:\GitLab-Runners\certs. I also pointed the runner to the certificate using
tls-ca-file = "C:\\GitLab-Runner\\certs\\gitlab.com.crt"
in the config.toml file.

The article says to use openssl s_client -showcerts -connect gitlab.example.com:443 -servername gitlab.example.com < /dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/gitlab-runner/certs/gitlab.example.com.crt

I used gitlab.com instead of gitlab.example.com, which domain is actually the correct one?
I’m using the standard online gitlab and not a self-hosted gitlab server.

Any ideas on how to fix this?
Thanks a lot!

Hello roland,

I am experiencing the similar issue.

did you get any resolution?

Thanks.

Yes, I found a solution just a couple of days ago!
I registered my runner with .\gitlab-runner.exe register --tls-ca-file=C:\GitLab-Runner\certs\gitlab.com.crt

then got the gitlab certificates:
.\openssl.exe s_client -showcerts -connect gitlab.com:443 -servername gitlab.com

and the got the certificates for the google filehosting server
.\openssl.exe s_client -showcerts -connect storage.googleapis.com:443

i then combined the two certificates into one file and removed everything except

-----BEGIN CERTIFICATE-----
MIIEljCCA36gAwIBAgIQO4uPjD
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...

there should be 5 certificates in the file, which i then saved to C:\GitLab-Runner\certs\gitlab.com.crt

Hope this helps!