SSL certificate problem: unable to get local issuer certificate (self-signed certs, and executor = "docker")

Hi, there is a self-signed CA certificate in my GitLab (11.1.2), and I run the runner (11.1.0) with Docker:

docker run -d --name runnerdind \
--restart=always \
-v /etc/hosts:/etc/hosts \
-v /etc/gitlab-runner/certs/ca.crt:/etc/gitlab-runner/certs/ca.crt \
-v /etc/gitlab-runner/certs/gitlab.crt:/etc/gitlab-runner/certs/gitlab.crt \
-v /etc/gitlab-runner/certs/gitlab.key:/etc/gitlab-runner/certs/gitlab.key \
-v /srv/gitlab-runner/runner2/config:/etc/gitlab-runner \
-v /var/run/docker.sock:/var/run/docker.sock \
gitlab/gitlab-runner:latest

When I use the shell executor, the CI pipeline is OK; but with the docker executor, the CI pipeline fails, and the job reports an error: SSL certificate problem: unable to get local issuer certificate.

Running with gitlab-runner 11.1.0 (081978aa)
  on runnerdind 9fb667f2
Using Docker executor with image docker:stable ...
Pulling docker image docker:stable ...
Using docker image sha256:b22ef854da32fe8dafb2be7c6887b11d261f7b8567a6531f8d4a62502f998713 for docker:stable ...
Running on runner-9fb667f2-project-1-concurrent-0 via a6262385d1be...
Cloning repository...
Cloning into '/builds/root/cmop'...
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@x.x.x.x/root/cmop.git/': SSL certificate problem: unable to get local issuer certificate
ERROR: Job failed: exit code 1

I have tried a lot of register parameters, and they have consistent results. Here is the last config.toml:

concurrent = 1
check_interval = 0

[[runners]]
  name = "runnerdind"
  url = "https://gitlab.x.com/"
  token = "9fb667f289d46217c306956a6a88a8"
  tls-ca-file = "/etc/gitlab-runner/certs/ca.crt"
  executor = "docker"
  clone_url = "https://x.x.x.x"
  [runners.docker]
    tls_cert_path = "/etc/gitlab-runner/certs/gitlab.crt"
    tls_verify = false
    image = "docker:stable"
    privileged = false
    disable_cache = false
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/etc/gitlab-runner/certs/ca.crt:/etc/gitlab-runner/certs/ca.crt", "/etc/gitlab-runner/certs/gitlab.crt:/etc/gitlab-runner/certs/gitlab.crt", "/cache"]
    shm_size = 0
  [runners.cache]

This is my personal understanding: the registry runner container does not pull the repository; instead, that is done by the container called "runner-xxxxxxxx-project-x-concurrent-x", created from the image "gitlab/gitlab-runner-helper". But this container has nowhere to get the self-signed CA certificate, so the process reports the error.

Has anybody seen this problem, and does anyone have any idea?

PS: The runner server is on CentOS 7.4, Docker 17.03.2-ce.
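
An added example, not part of the original post: the error quoted in the job log means the TLS client could not find the certificate's issuer in the CA bundle it was given. This offline check reproduces that with a throwaway PKI (every subject name and file below is constructed) and shows how to test whether a given ca.crt actually issues a given server certificate.

```shell
#!/bin/sh
# Added example. All subjects, host names and files here are constructed.

# Build a throwaway PKI in <dir>: a CA, a server certificate issued by
# that CA, and a second, unrelated CA.
make_fixture() {  # usage: make_fixture <dir>
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated Test CA" \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=gitlab.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
}

# Print openssl's verdict for <server-cert> when <ca-bundle> is the trust file.
verify_output() {  # usage: verify_output <ca-bundle> <server-cert>
  openssl verify -CAfile "$1" "$2" 2>&1
}

# Succeed only if <ca-bundle> lets the chain for <server-cert> verify.
# The textual verdict is checked because old openssl builds exit 0 on failure.
ca_issues_cert() {  # usage: ca_issues_cert <ca-bundle> <server-cert>
  verify_output "$1" "$2" | grep -q ': OK$'
}

DEMO_DIR=$(mktemp -d)
make_fixture "$DEMO_DIR"

# Case 1: the bundle holds the issuing CA, so the chain verifies.
if ca_issues_cert "$DEMO_DIR/ca.crt" "$DEMO_DIR/server.crt"; then
  echo "issuing CA in bundle: chain verifies"
fi

# Case 2: the bundle holds some other CA, which yields the error from the job log.
if ! ca_issues_cert "$DEMO_DIR/other.crt" "$DEMO_DIR/server.crt"; then
  echo "issuer missing from bundle:"
  verify_output "$DEMO_DIR/other.crt" "$DEMO_DIR/server.crt" | grep 'error'
fi
```

Against real files, the first argument is the CA bundle visible inside the container that performs the clone, and the second is the certificate the GitLab server presents.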