github.com/secure-build/gitlab-runner@v12.5.0+incompatible/docs/configuration/tls-self-signed.md

# The self-signed certificates or custom Certification Authorities

Since version 0.7.0, GitLab Runner allows you to configure the certificates that
are used to verify the TLS peer when connecting to the GitLab server.

**This solves the `x509: certificate signed by unknown authority` problem when registering a runner.**
## Supported options for self-signed certificates

GitLab Runner provides these options:

1. **Default**: GitLab Runner reads the system certificate store and verifies the GitLab server against the CAs stored there.

1. GitLab Runner reads the PEM certificate (**DER format is not supported**) from a predefined file:

   - `/etc/gitlab-runner/certs/hostname.crt` on *nix systems when GitLab Runner is executed as root.
   - `~/.gitlab-runner/certs/hostname.crt` on *nix systems when GitLab Runner is executed as non-root.
   - `./certs/hostname.crt` on other systems.

   For example, if the address of your server is `https://my.gitlab.server.com:8443/`,
   create the certificate file at `/etc/gitlab-runner/certs/my.gitlab.server.com.crt`.

   > **Note:** You may need to concatenate the intermediate and server certificates
   > for the chain to be properly identified.
   >
   > **Note:** Running GitLab Runner as a service on Windows does not recognize certificates in `./certs/hostname.crt`.
   > Use Option 3 instead.

1. GitLab Runner exposes the `tls-ca-file` option during
   [registration](../commands/README.md#gitlab-runner-register)
   (`gitlab-runner register --tls-ca-file=/path`) and in
   [`config.toml`](advanced-configuration.md) under the `[[runners]]` section.
   This allows you to specify a custom file with certificates.
   This file is read every time the runner tries to access the GitLab server.
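
The following Go program is an added example, not code from the GitLab Runner project, showing the three properties the certificate file from options 2 and 3 must satisfy: only PEM `CERTIFICATE` blocks are loaded (raw DER loads nothing and is rejected), the server's certificate must chain to a certificate in the file for the configured hostname, and a server certificate issued by an intermediate CA verifies only if the intermediate is sent by the server or concatenated into the file. The root, intermediate and server certificates are constructed in memory by `newChain`, and all function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// loadTrustedCAs parses the PEM CERTIFICATE blocks of a tls-ca-file; raw DER contains none and is rejected.
func loadTrustedCAs(data []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) {
		return nil, errors.New("no PEM CERTIFICATE block found (DER format is not supported)")
	}
	return pool, nil
}

// verifyChain checks a presented chain (server cert first, then intermediates) against the pool for host.
func verifyChain(pool *x509.CertPool, chain []*x509.Certificate, host string) error {
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: pool, Intermediates: inter, DNSName: host})
	return err
}

// newChain issues a constructed root CA -> intermediate CA -> server chain for host (test fixture only).
func newChain(host string) (rootPEM []byte, chain []*x509.Certificate) {
	issue := func(cn string, dns []string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
		pub, key, _ := ed25519.GenerateKey(rand.Reader)
		t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: dns,
			IsCA: dns == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
		if parent == nil { // no issuer given: make it a self-signed root
			parent, pkey = t, key
		}
		der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
		c, _ := x509.ParseCertificate(der)
		return c, key
	}
	root, rootKey := issue("Constructed Root CA", nil, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", nil, root, rootKey)
	server, _ := issue(host, []string{host}, inter, interKey) // the hostname must be in the SAN
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw}), []*x509.Certificate{server, inter}
}
```

Feeding the bytes of your own certificate file to `loadTrustedCAs` and the chain your server presents to `verifyChain` reproduces the runner's check offline, which is a quick way to tell a missing intermediate from a hostname mismatch.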

## Git cloning

The runner injects the missing certificates needed to build the CA chain into the build containers.
This allows `git clone` and `artifacts` to work with servers that do not use publicly trusted certificates.

This approach is secure, but makes the runner a single point of trust.