SSL certificate problem: unable to get local issuer certificate (self-signed certs, and executor = "docker")
Hi, my GitLab (11.1.2) uses a self-signed CA certificate, and I run the runner (11.1.0) with Docker:
docker run -d --name runnerdind \
--restart=always \
-v /etc/hosts:/etc/hosts \
-v /etc/gitlab-runner/certs/ca.crt:/etc/gitlab-runner/certs/ca.crt \
-v /etc/gitlab-runner/certs/gitlab.crt:/etc/gitlab-runner/certs/gitlab.crt \
-v /etc/gitlab-runner/certs/gitlab.key:/etc/gitlab-runner/certs/gitlab.key \
-v /srv/gitlab-runner/runner2/config:/etc/gitlab-runner \
-v /var/run/docker.sock:/var/run/docker.sock \
gitlab/gitlab-runner:latest
When I use the shell executor, the CI pipeline is OK; but with the docker executor, the CI pipeline fails, and the job reports an error: SSL certificate problem: unable to get local issuer certificate.
Running with gitlab-runner 11.1.0 (081978aa)
on runnerdind 9fb667f2
Using Docker executor with image docker:stable ...
Pulling docker image docker:stable ...
Using docker image sha256:b22ef854da32fe8dafb2be7c6887b11d261f7b8567a6531f8d4a62502f998713 for docker:stable ...
Running on runner-9fb667f2-project-1-concurrent-0 via a6262385d1be...
Cloning repository...
Cloning into '/builds/root/cmop'...
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@x.x.x.x/root/cmop.git/': SSL certificate problem: unable to get local issuer certificate
ERROR: Job failed: exit code 1
I have tried a lot of register parameters; they all give the same result. Here is the last config.toml:
concurrent = 1
check_interval = 0
[[runners]]
name = "runnerdind"
url = "https://gitlab.x.com/"
token = "9fb667f289d46217c306956a6a88a8"
tls-ca-file = "/etc/gitlab-runner/certs/ca.crt"
executor = "docker"
clone_url = "https://x.x.x.x"
[runners.docker]
tls_cert_path = "/etc/gitlab-runner/certs/gitlab.crt"
tls_verify = false
image = "docker:stable"
privileged = false
disable_cache = false
volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/etc/gitlab-runner/certs/ca.crt:/etc/gitlab-runner/certs/ca.crt", "/etc/gitlab-runner/certs/gitlab.crt:/etc/gitlab-runner/certs/gitlab.crt", "/cache"]
shm_size = 0
[runners.cache]
This is my personal understanding: the registry runner container does not pull the repository; instead, the container called "runner-xxxxxxxx-project-x-concurrent-x", from the image "gitlab/gitlab-runner-helper", does. But this container has nowhere to get the self-signed CA certificate, so the process reports the error.
Has anybody seen this problem, and does anyone have any idea?
PS: The runner server is on CentOS 7.4, Docker 17.03.2-ce.
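The error string in the job log is the one OpenSSL reports when the issuer of the presented certificate is missing from the trust store of the process doing the verification. The following is an added example, not part of the original post, that reproduces it offline with throwaway certificates; the CA names, the host name `gitlab.example.test` and the function names are constructed, and it assumes the `openssl` CLI is installed.

```shell
# Added example; CA names, host name and function names are constructed.
# Assumes the openssl CLI is installed. Keys are throwaway and valid for 1 day.

make_ca() {  # $1 = directory, $2 = CA name -> $1/$2.key and $1/$2.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue_leaf() {  # $1 = directory, $2 = name of the signing CA -> $1/leaf.crt
  openssl req -newkey rsa:2048 -nodes -subj "/CN=gitlab.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
}

classify() {  # $1 = CA bundle the client trusts, $2 = certificate the server presents
  # openssl verify exits non-zero on failure; keep going so the text can be inspected
  verify_out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case "$verify_out" in
    *"unable to get local issuer certificate"*) echo missing-issuer ;;
    *": OK"*) echo trusted ;;
    *) echo other ;;
  esac
}

demo() {
  demo_dir=$(mktemp -d) || return 1
  make_ca "$demo_dir" gitlab-ca && make_ca "$demo_dir" other-ca &&
    issue_leaf "$demo_dir" gitlab-ca || { rm -rf "$demo_dir"; return 1; }
  # Same server certificate, two different client trust stores
  echo "trust store holds the signing CA:  $(classify "$demo_dir/gitlab-ca.crt" "$demo_dir/leaf.crt")"
  echo "trust store holds an unrelated CA: $(classify "$demo_dir/other-ca.crt" "$demo_dir/leaf.crt")"
  rm -rf "$demo_dir"
}

demo
```

The server certificate is identical in both checks; only the CA bundle available to the verifying process differs, so the check has to be run in the environment that actually performs the clone.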