TLS chain verification fails when both RSA and ECC are used.
When a specific type of certificate is returned by GitLab, the Runner is not able to verify it as described in #4805 (comment 236552169). The certificate has both an RSA and an ECC (Elliptic Curve) certificate. When I run the gitlab-runner with the debug flag I see that the ECC variant is used as input for the runner. Perhaps the container tries to connect with RSA? And then gets a certificate that it does not understand (because it only got the ECC version?)
The full details on the debugging with the customer can be found in #4805 (comment 236552169).
In 12.4 we released a new way of creating the CA chain to be used by Git, and faced some regressions with this in #4805 (closed), which is fixed in 12.4.1 with !1643 (merged), and users confirmed that this was fixed.
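The situation suspected in the report can be reproduced in isolation. The Go program below is an added example, not GitLab Runner code: an in-process server holds an RSA and an ECDSA certificate, and two clients that trust only the ECDSA certificate connect, one offering an ECDSA cipher suite and one an RSA cipher suite. The hostname `gitlab.example.test`, the throwaway self-signed certificates and the TLS 1.2 cap are assumptions made for the example (under TLS 1.2 the cipher suite determines which certificate type the server presents).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http/httptest"
	"time"
)

const host = "gitlab.example.test" // constructed hostname, not taken from the issue

// selfSigned builds a throwaway self-signed server certificate (constructed test data).
func selfSigned(pub, priv interface{}) tls.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// demo returns the verification result of an ECDSA-only and an RSA-only TLS 1.2 client.
func demo() (ecErr, rsaErr error) {
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ec, rs := selfSigned(&ecKey.PublicKey, ecKey), selfSigned(&rsaKey.PublicKey, rsaKey)
	srv := httptest.NewUnstartedServer(nil) // in-process server holding both certificates
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{rs, ec}}
	srv.StartTLS()
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(ec.Leaf) // the client is handed the ECC certificate only
	probe := func(suite uint16) error { // one handshake offering a single cipher suite
		conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{ServerName: host,
			RootCAs: roots, MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{suite}})
		if err == nil {
			conn.Close()
		}
		return err
	}
	return probe(tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
		probe(tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
}

func main() { fmt.Println(demo()) }
```

With `go run`, the first result is `<nil>` and the second is an unknown-authority verification error, although server and trust store are identical for both clients.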