github.com/ssube/gitlab-ci-multi-runner@v1.2.1-0.20160607142738-b8d1285632e6/docs/configuration/tls-self-signed.md (about)

## Self-signed certificates or custom Certification Authorities

Since version 0.7.0, GitLab Runner allows you to configure the certificates that are used to verify the TLS peer when connecting to the GitLab server.

**This solves the `x509: certificate signed by unknown authority` problem when registering a runner.**

GitLab Runner provides these options:

1. **Default**: GitLab Runner reads the system certificate store and verifies the GitLab server against the CAs stored in the system.

2. GitLab Runner reads the PEM (**DER format is not supported**) certificate from a predefined file:

    - `/etc/gitlab-runner/certs/hostname.crt` on *nix systems when gitlab-runner is executed as root,
    - `~/.gitlab-runner/certs/hostname.crt` on *nix systems when gitlab-runner is executed as non-root,
    - `./certs/hostname.crt` on other systems.

    If the address of your server is `https://my.gitlab.server.com:8443/`,
    create the certificate file at `/etc/gitlab-runner/certs/my.gitlab.server.com.crt`.

3. GitLab Runner exposes the `tls-ca-file` option during registration and in [`config.toml`](advanced-configuration.md),
which allows you to specify a custom file with certificates. This file is read every time the runner tries to
access the GitLab server.
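
The lookup rules in option 2 can be checked before registration. The Go sketch below is an added example, not the runner's own code: it derives the per-host file name from the server URL and verifies that a file's contents are PEM rather than DER. The names `CertPath` and `CountPEMCerts` are hypothetical, "*nix" is assumed to mean any OS other than Windows, and the home directory is passed in explicitly.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/url"
)

// CertPath returns the per-host file from option 2 for a GitLab URL.
// Assumption: "*nix" is modelled as any goos other than "windows".
func CertPath(serverURL, goos string, uid int, home string) (string, error) {
	u, err := url.Parse(serverURL)
	if err != nil || u.Hostname() == "" {
		return "", fmt.Errorf("no host in %q", serverURL)
	}
	dir := "./certs" // other systems
	switch {
	case goos != "windows" && uid == 0:
		dir = "/etc/gitlab-runner/certs"
	case goos != "windows":
		dir = home + "/.gitlab-runner/certs"
	}
	return dir + "/" + u.Hostname() + ".crt", nil // Hostname() drops the port
}

// CountPEMCerts counts parsable PEM certificates; a DER file has no PEM
// armour and is reported as an error.
func CountPEMCerts(data []byte) (n int, err error) {
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue
		}
		if _, err := x509.ParseCertificate(b.Bytes); err != nil {
			return n, fmt.Errorf("certificate %d: %w", n+1, err)
		}
		n++
	}
	if n == 0 {
		return 0, fmt.Errorf("no PEM CERTIFICATE block (DER or empty file?)")
	}
	return n, nil
}

func main() {
	fmt.Println(CertPath("https://my.gitlab.server.com:8443/", "linux", 0, "/root"))
	_, err := CountPEMCerts([]byte{0x30, 0x82, 0x03, 0x01}) // constructed DER-style prefix
	fmt.Println(err)
}
```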

### Git cloning

The runner injects the missing certificates into build containers to build the CA chain.
This allows `git clone` and `artifacts` to work with servers that do not use publicly trusted certificates.

This approach is secure, but makes the runner a single point of trust.