github.com/alloyci/alloy-runner@v1.0.1-0.20180222164613-925503ccafd6/docs/configuration/tls-self-signed.md

# Self-signed certificates or custom Certification Authorities

AlloyCI Runner allows you to configure the certificates that
are used to verify the TLS peer when connecting to the AlloyCI server.

**This allows you to solve the `x509: certificate signed by unknown authority` problem when registering the runner.**

## Supported options for self-signed certificates

AlloyCI Runner provides these options:

1. **Default**: AlloyCI Runner reads the system certificate store and verifies the AlloyCI server against the CAs stored in the system.

2. AlloyCI Runner reads a PEM certificate (**DER format is not supported**) from a predefined file:

    - `/etc/alloy-runner/certs/hostname.crt` on *nix systems when alloy-runner is executed as root,
    - `~/.alloy-runner/certs/hostname.crt` on *nix systems when alloy-runner is executed as non-root,
    - `./certs/hostname.crt` on other systems.

    For example, if the address of your server is `https://my.alloy.server.com:8443/`,
    create the certificate file at `/etc/alloy-runner/certs/my.alloy.server.com.crt`.

    > **Note:** You may need to concatenate the intermediate and server certificates
    > for the chain to be properly identified.

3. AlloyCI Runner exposes the `tls-ca-file` option during registration and in [`config.toml`](advanced-configuration.md),
   which allows you to specify a custom file with certificates. This file is read every time the runner tries to
   access the AlloyCI server.
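The following Go program is an added example, not code from the alloy-runner project, illustrating the two mechanisms described in options 2 and 3: deriving the predefined certificate file name from the server URL (hostname without the port, `.crt` suffix, directory chosen by platform and user), and loading a PEM file, possibly a concatenated chain, into an `x509.CertPool` that a `tls.Config` can use as `RootCAs`. It rejects DER input with an explicit error rather than silently producing an empty pool, which is the failure mode behind a confusing `unknown authority` error. The helper names (`certFileCandidate`, `loadCAPool`, `newSelfSignedCA`) are assumptions for this example, and the CA it generates is constructed throwaway test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// certFileCandidate computes the predefined certificate path described in the
// docs for a server URL. Hypothetical helper for illustration, not runner code.
// goos is runtime.GOOS ("linux", "darwin", "windows", ...), uid the effective
// user id and home the user's home directory.
func certFileCandidate(serverURL, goos string, uid int, home string) (string, error) {
	u, err := url.Parse(serverURL)
	if err != nil {
		return "", err
	}
	host := u.Hostname() // drops the port (and IPv6 brackets), matching the docs
	if u.Scheme != "https" || host == "" {
		return "", fmt.Errorf("expected an https URL with a host, got %q", serverURL)
	}
	file := host + ".crt"
	switch {
	case goos == "windows":
		return "./certs/" + file, nil // "other systems"
	case uid == 0:
		return "/etc/alloy-runner/certs/" + file, nil
	default:
		return home + "/.alloy-runner/certs/" + file, nil
	}
}

// loadCAPool parses PEM data (one or several concatenated CERTIFICATE blocks)
// into a pool usable as tls.Config.RootCAs and returns how many blocks it
// parsed. DER input contains no PEM block and is rejected explicitly.
func loadCAPool(data []byte) (*x509.CertPool, int, error) {
	pool := x509.NewCertPool()
	n := 0
	rest := data
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other PEM types that may share the file
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, 0, fmt.Errorf("bad certificate in PEM: %w", err)
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 {
		return nil, 0, errors.New("no PEM CERTIFICATE blocks found (DER input is not supported)")
	}
	return pool, n, nil
}

// newSelfSignedCA builds a throwaway self-signed CA and returns it as both PEM
// and DER. Constructed test data only; a real deployment uses its own CA file.
func newSelfSignedCA(cn string) (pemBytes, derBytes []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	derBytes, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	pemBytes = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
	return pemBytes, derBytes, nil
}

func main() {
	p, _ := certFileCandidate("https://my.alloy.server.com:8443/", "linux", 0, "/root")
	fmt.Println("certificate file:", p)
	caPEM, caDER, _ := newSelfSignedCA("Example CA")
	chain := append(append([]byte{}, caPEM...), caPEM...) // concatenated chain
	_, n, err := loadCAPool(chain)
	fmt.Println("PEM blocks loaded:", n, "err:", err)
	_, _, err = loadCAPool(caDER)
	fmt.Println("DER input err:", err)
}
```

The pool returned by `loadCAPool` is what you would assign to `tls.Config.RootCAs` for the connection to the server; checking the parsed count against the number of certificates you expect in the chain is a cheap way to catch a truncated or mis-concatenated file before the first TLS handshake fails.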
    28  
## Git cloning

The runner injects the missing certificates into the build containers to complete the CA chain.
This allows `git clone` and `artifacts` to work with servers that do not use publicly trusted certificates.

This approach is secure, but it makes the runner a single point of trust.