X509: certificate signed by unknown authority

roland · August 8, 2022, 8:28pm

Hi,
I’m setting up two runners, one on macOS, one on windows. No problems with the Mac.
My pipeline looks something like this

       Stage version                   Stage Build
----version (runs on Mac) ------|-------build Mac 
                                |-------build windows

So the Windows job tries to download the artefacts created on Mac in the version stage

I installed gitlab-runner on windows and registered it, which works and I can also run basic commands.

However when trying to downloading the artefacts I get this error message

ERROR: Downloading artifacts from coordinator... error couldn't execute GET against https://gitlab.com/api/v4/jobs/2828302849/artifacts?direct_download=true: Get "https://storage.googleapis.com/gitlab-gprd-k3stlwu%0A9qrgyVI2pk(blablablablabla)xafRP2Zg%3D%3D&Expires=1659973175": x509: certificate signed by unknown authority id=2828302849 token=Ltqp41Y4

I then found this article:

and followed the steps in Read a PEM Certificate on my Mac and transferred the certificate to C:\GitLab-Runners\certs. I also pointed the runner to the certificate using
tls-ca-file = "C:\\GitLab-Runner\\certs\\gitlab.com.crt"
in the config.toml file.

The article says to use openssl s_client -showcerts -connect gitlab.example.com:443 -servername gitlab.example.com < /dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/gitlab-runner/certs/gitlab.example.com.crt

I used gitlab.com instead of gitlab.example.com, which domain is actually the correct one?
I’m using the standard online gitlab and not a self-hosted gitlab server.

Any ideas on how to fix this?
Thanks a lot!

manishrhcss · September 16, 2022, 10:14pm

Hello roland,

I am experiencing the similar issue.

did you get any resolution?

Thanks.

roland · September 16, 2022, 11:48pm

Yes, I found a solution just a couple of days ago!
I registered my runner with .\gitlab-runner.exe register --tls-ca-file=C:\GitLab-Runner\certs\gitlab.com.crt

then got the gitlab certificates:
.\openssl.exe s_client -showcerts -connect gitlab.com:443 -servername gitlab.com

and the got the certificates for the google filehosting server
.\openssl.exe s_client -showcerts -connect storage.googleapis.com:443

i then combined the two certificates into one file and removed everything except

-----BEGIN CERTIFICATE-----
MIIEljCCA36gAwIBAgIQO4uPjD
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...

there should be 5 certificates in the file, which i then saved to C:\GitLab-Runner\certs\gitlab.com.crt

Hope this helps!

Topic		Replies	Views
How to setup --tls-ca-file certificate in Windows GitLab CI/CD ci , runner , windows	0	1655	July 6, 2022
Server in Gitlab.com: tls: failed to verify certificate: x509: certificate signed by unknown authority GitLab CI/CD ci , runner , docker	1	7341	August 30, 2023
Gitlab-runner registration fails: x509: certificate signed by unknown authority Infrastructure as Code & Cloud Native runner	0	2066	January 17, 2020
Gitlab Runner SSL certificate GitLab CI/CD	2	5213	August 23, 2018
Local runner on Mac How to Use GitLab	1	395	February 19, 2019

X509: certificate signed by unknown authority

Related topics