12.4.0: All jobs fail with SSL certificate problem: self signed certificate in certificate chain

Summary

In the morning, after we upgraded gitlab-runner from 12.3 to 12.4.0, all our jobs failed at git fetch with the error message

fatal: unable to access 'https://gitlab-ci-token:[MASKED]@192.168.3.137/iHandle/general/building_hebei_app.git/': SSL certificate problem: self signed certificate in certificate chain

This looks like the same issue as #4805 (closed), as we are using a self-signed certificate; the error message is different.

Our self-signed certificate was stored in a crt file and specified in the config.toml file. GitLab-runner worked well up to 12.3 without SSL problems.

Steps to reproduce

GitLab-runner is installed on CentOS 7. The job

job failure log
Running with gitlab-runner 12.4.0 (1564076b)
  on simulator_60 66a9939b
Using Docker executor with image 192.168.3.133:444/gradle_basic:3.0 ...
WARNING: Container based cache volumes creation is disabled. Will not create volume for "/cache"
Authenticating with credentials from $DOCKER_AUTH_CONFIG
Pulling docker image 192.168.3.133:444/gradle_basic:3.0 ...
Using docker image sha256:5a712225ab3c445d3fd8bb788749872327591b5200e377ba7750869e57f25816 for 192.168.3.133:444/gradle_basic:3.0 ...
Running on runner-66a9939b-project-1002-concurrent-0 via SH-DO...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/iHandle/general/building_hebei_app/.git/
Created fresh repository.
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@192.168.3.137/iHandle/general/building_hebei_app.git/': SSL certificate problem: self signed certificate in certificate chain
ERROR: Job failed: exit code 1

Relevant logs and/or screenshots

job running under gitlab-runner 12.3
Running with gitlab-runner 12.3.0 (a8a019e0)
  on runner_17 7f901dd6
Using Docker executor with image 192.168.3.133:444/gradle_basic:3.0 ...
WARNING: Container based cache volumes creation is disabled. Will not create volume for "/cache"
Authenticating with credentials from $DOCKER_AUTH_CONFIG
Pulling docker image 192.168.3.133:444/gradle_basic:3.0 ...
Using docker image sha256:5a712225ab3c445d3fd8bb788749872327591b5200e377ba7750869e57f25816 for 192.168.3.133:444/gradle_basic:3.0 ...
Running on runner-7f901dd6-project-1002-concurrent-0 via master...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/iHandle/general/building_hebei_app/.git/
Created fresh repository.
From https://192.168.3.137/iHandle/general/building_hebei_app
 * [new branch]      develop    -> origin/develop
Checking out 6f281e74 as develop...

Environment description

config.toml contents
concurrent = 1
check_interval = 0

[session_server]
  session_timeout = 7200

[[runners]]
  name = "simulator_60"
  output_limit = 409600
  url = "https://192.168.3.137/"
  token = "66a9939b81af8869f2247cb30a394c"
  tls-ca-file = "/etc/gitlab-runner/config/nsb-root.crt"
  executor = "docker"
  clone_url = "https://192.168.3.137/"
  [runners.custom_build_dir]
  [runners.docker]
    tls_verify = false
    image = "ubuntu"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = true
    volumes = ["/dev/kvm:/dev/kvm", "/cache"]
    shm_size = 0
  [runners.cache]
    [runners.cache.s3]
      ServerAddress = "192.168.3.133:9005"
      AccessKey = "XXXXXXXXXXXXXXXXXXXX"
      SecretKey = "XXXXXXXXXXXXXXXXXXXXXXXXX"
      BucketName = "runner"
      Insecure = true
    [runners.cache.gcs]

[[runners]]
  name = "socket_60"
  output_limit = 409600
  url = "https://192.168.3.137/"
  token = "9cb2dc9e0f169025a31cc54ad480e7"
  tls-ca-file = "/etc/gitlab-runner/config/nsb-root.crt"
  executor = "docker"
  clone_url = "https://192.168.3.137/"
  [runners.custom_build_dir]
  [runners.docker]
    tls_verify = false
    image = "ubuntu"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = true
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
    shm_size = 0
  [runners.cache]
    [runners.cache.s3]
      ServerAddress = "192.168.3.133:9005"
      AccessKey = "XXXXXXXXXXXXXXXXXXXX"
      SecretKey = "XXXXXXXXXXXXXXXXXXXXXXXXX"
      BucketName = "runner"
      Insecure = true
    [runners.cache.gcs]

the self-signed certificate
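
An added diagnostic example, not part of the original report and not GitLab Runner code: it reproduces the "self signed certificate in certificate chain" condition offline with a constructed private root and server certificate, showing that OpenSSL reports verify error 19 when the peer sends its self-signed root but the client's trust file does not contain it, and error 20 when the root is neither sent nor trusted. The function names, file names and subjects are assumptions made for the example.

```shell
#!/bin/sh
# Constructed PKI for illustration; none of this is the certificate from the report.

# make_pki DIR: create a private root (ca.pem), an unrelated root (other.pem)
# and a server certificate (leaf.pem) issued by ca.pem.
make_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Root CA" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=gitlab.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# verify_code TRUST_FILE LEAF [SENT_CHAIN]
# Prints 0 if LEAF verifies when only TRUST_FILE is trusted, otherwise the
# first OpenSSL verify error number. SENT_CHAIN models the extra certificates
# a server includes in its handshake; they are used for chain building only
# and are never treated as trusted.
verify_code() {
  if out=$(openssl verify -no-CApath -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1); then
    echo 0
    return 0
  fi
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
}

# Demonstration over the constructed certificates.
demo_dir=$(mktemp -d)
make_pki "$demo_dir"
echo "root in trust file:            $(verify_code "$demo_dir/ca.pem" "$demo_dir/leaf.pem")"
echo "root sent but not trusted:     $(verify_code "$demo_dir/other.pem" "$demo_dir/leaf.pem" "$demo_dir/ca.pem")"
echo "root neither sent nor trusted: $(verify_code "$demo_dir/other.pem" "$demo_dir/leaf.pem")"
rm -rf "$demo_dir"
```

Run against real files, the first argument is the CA bundle the failing client actually reads, which for a Docker executor job is the trust store inside the job container rather than the one on the runner host.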