GitLab CI - Cannot Log In To Docker Registry (x509)

Question

I'm trying to get my GitLab CI/CD set up using the Docker executor and the docker-in-docker approach and am stuck on the the following issue:

In my .gitlab-ci.yml I am attempting to establish a connection with GitLab's integrated docker registry for the project:

before_script:
   - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY

However, the pipeline exits with the following error:

Error response from daemon: Get https://my.gitlab.server:1234/v2/: x509: certificate signed by unknown authority

I am able to log in to the registry and push/pull from the machine that the gitlab-runner is running on without issue, so I know that the certificate issue is not on the host machine. Additionally, I have tried creating a custom Docker image build from docker:latest which copies my certificates into the build container -- I tried putting it in both /etc/ssl/certs and /etc/docker/certs.d/my.gitlab.server:1234 -- without any success.

Any idea on where I need to put my cert or how I might otherwise get this resolved?

score 3 · Answer 1 · answered May 24 '18 at 17:29

3

When someone gets into this problem, I solved this adding the "insecure-registry" parameter to the docker dind service. But this is just a workaround, not a fix.

.gitlab-ci.yml

image: docker

services:
  - name: docker:dind
    command: ["--insecure-registry=gitlab.MYDOMAIN:PORT"]

before_script:
  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY

stages:
  - build

build:
  stage: build
  script:
    - docker build .......

answered May 24 '18 at 17:29

kwinkel

177
2
10

Thanks for this, spent ages trying to get this working. – Gavin Gilmour Nov 15 '18 at 14:39
1

is there a way to do that at login in the terminal? – Tim Oct 10 '20 at 00:30

score 0 · Answer 2 · answered Jul 08 '19 at 08:31

I found another (hacky) way to pass the --insecure-registry parameter to dockerd that doesn't involve customizing gitlab-ci.yml config files.

mkdir -p /etc/gitlab-runner/dindhack
cat << EOF > /etc/gitlab-runner/dindhack/dockerd-entrypoint.sh 
#!/bin/sh
/usr/local/bin/dockerd-entrypoint.sh --insecure-registry=gitlab.MYDOMAIN:PORT $@
EOF

And then you need to add the following mount point in your runner config.toml /etc/gitlab-runner/dindhack:/usr/local/sbin.

[[runners]]
  name = "###########"
  url = "###########"
  token = "###########"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:stable"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache", "/etc/gitlab-runner/dindhack:/usr/local/sbin"]
    shm_size = 0
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]

GitLab CI - Cannot Log In To Docker Registry (x509)

2 Answers2