gitlab.com/jfprevost/gitlab-runner-notlscheck@v11.11.4+incompatible/docs/configuration/tls-self-signed.md (about) 1 # The self-signed certificates or custom Certification Authorities 2 3 Since version 0.7.0 the GitLab Runner allows you to configure certificates that 4 are used to verify TLS peer when connecting to the GitLab server. 5 6 **This allows to solve the `x509: certificate signed by unknown authority` problem when registering runner.** 7 8 ## Supported options for self-signed certificates 9 10 GitLab Runner provides these options: 11 12 1. **Default**: GitLab Runner reads system certificate store and verifies the GitLab server against the CA's stored in system. 13 14 2. GitLab Runner reads the PEM (**DER format is not supported**) certificate from predefined file: 15 16 - `/etc/gitlab-runner/certs/hostname.crt` on *nix systems when gitlab-runner is executed as root. 17 - `~/.gitlab-runner/certs/hostname.crt` on *nix systems when gitlab-runner is executed as non-root, 18 - `./certs/hostname.crt` on other systems. 19 20 If the address of your server is: `https://my.gitlab.server.com:8443/`. 21 Create the certificate file at: `/etc/gitlab-runner/certs/my.gitlab.server.com.crt`. 22 23 > **Note:** You may need to concatenate the intermediate and server certificate 24 for the chain to be properly identified. 25 3. GitLab Runner exposes `tls-ca-file` option during registration and in [`config.toml`](advanced-configuration.md) 26 under the `[[runners]]` section which allows you to specify a custom file with certificates. This file will be read every time when runner tries to 27 access the GitLab server. 28 29 ## Git cloning 30 31 The runner injects missing certificates to build CA chain to build containers. 32 This allows the `git clone` and `artifacts` to work with servers that do not use publicly trusted certificates. 33 34 This approach is secure, but makes the runner a single point of trust.