SSL certificate problem: unable to get local issuer certificate (self-signed certs, and executor = "docker")
Hi, there is a self-signed CA certificate in my GitLab (11.1.2), and I run the runner (11.1.0) with docker:
```
docker run -d --name runnerdind \
  --restart=always \
  -v /etc/hosts:/etc/hosts \
  -v /etc/gitlab-runner/certs/ca.crt:/etc/gitlab-runner/certs/ca.crt \
  -v /etc/gitlab-runner/certs/gitlab.crt:/etc/gitlab-runner/certs/gitlab.crt \
  -v /etc/gitlab-runner/certs/gitlab.key:/etc/gitlab-runner/certs/gitlab.key \
  -v /srv/gitlab-runner/runner2/config:/etc/gitlab-runner \
  -v /var/run/docker.sock:/var/run/docker.sock \
  gitlab/gitlab-runner:latest
```
When I use the shell executor, the CI pipeline is OK; but with the docker executor, the CI pipeline fails, and the job reports an error: SSL certificate problem: unable to get local issuer certificate.
```
Running with gitlab-runner 11.1.0 (081978aa)
  on runnerdind 9fb667f2
Using Docker executor with image docker:stable ...
Pulling docker image docker:stable ...
Using docker image sha256:b22ef854da32fe8dafb2be7c6887b11d261f7b8567a6531f8d4a62502f998713 for docker:stable ...
Running on runner-9fb667f2-project-1-concurrent-0 via a6262385d1be...
Cloning repository...
Cloning into '/builds/root/cmop'...
fatal: unable to access 'https://gitlab-ci-token:[email protected]/root/cmop.git/': SSL certificate problem: unable to get local issuer certificate
ERROR: Job failed: exit code 1
```
```
concurrent = 1
check_interval = 0

[[runners]]
  name = "runnerdind"
  url = "https://gitlab.x.com/"
  token = "9fb667f289d46217c306956a6a88a8"
  tls-ca-file = "/etc/gitlab-runner/certs/ca.crt"
  executor = "docker"
  clone_url = "https://x.x.x.x"
  [runners.docker]
    tls_cert_path = "/etc/gitlab-runner/certs/gitlab.crt"
    tls_verify = false
    image = "docker:stable"
    privileged = false
    disable_cache = false
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/etc/gitlab-runner/certs/ca.crt:/etc/gitlab-runner/certs/ca.crt", "/etc/gitlab-runner/certs/gitlab.crt:/etc/gitlab-runner/certs/gitlab.crt", "/cache"]
    shm_size = 0
  [runners.cache]
```
This is my personal understanding: the registry runner container does not pull the repository; instead, the container called "runner-xxxxxxxx-project-x-concurrent-x", from the image "gitlab/gitlab-runner-helper", does. But this container has nowhere to get the self-signed CA certificate, so the process reports the error.
Has anybody seen this problem, and does anyone have any idea?
PS: The runner server is on CentOS 7.4, docker 17.03.2-ce.
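
What the error in the job log means, as an added example that is not part of the original post: OpenSSL reports "unable to get local issuer certificate" when the trust bundle it is given lacks the CA that signed the server certificate, and succeeds once that CA is in the bundle. The script assumes the `openssl` CLI is installed; the private CA, the unrelated CA, the server certificate and every name and path in it are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example. Every name below (CNs, file names) is constructed for the demo.

# Build a private CA, a server certificate signed by it, and an unrelated CA
# that stands in for a trust store which was never given the private CA.
make_pki() {  # $1 = output directory
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Private CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=gitlab.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
}

# Print "trusted" if the bundle contains the issuer of the certificate,
# otherwise print OpenSSL's verification error line.
issuer_check() {  # $1 = certificate, $2 = CA bundle (PEM)
  local out
  if out=$(openssl verify -CAfile "$2" "$1" 2>&1); then
    echo "trusted"
  else
    printf '%s\n' "$out" | grep -m1 'error [0-9]* at'
  fi
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
if make_pki "$demo_dir"; then
  # Same server certificate, two different trust bundles.
  echo "bundle without the private CA: $(issuer_check "$demo_dir/server.crt" "$demo_dir/other.crt")"
  echo "bundle with the private CA:    $(issuer_check "$demo_dir/server.crt" "$demo_dir/ca.crt")"
fi
```

Running `issuer_check` inside a container against the bundle that its git client actually reads shows whether that container was given the CA.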