To fix x509: certificate signed by unknown authority on linux runner - jrcloudsolutions/tidbits GitHub Wiki

I was getting the following error when running a pipeline on a RHEL 9 runner when trying to download an artifact:

ERROR: Downloading artifacts from coordinator... error couldn't execute GET against https://gitlab-dev.avmc.army.mil..........tls: failed to verify certificate: x509: certificate signed by unknown authority id=125 token=glcbt-64

The problem was fixed when the /certs directory was created etc/gitlab-runner folder and the web server, intermediate and root certs were added to the gitlab-dev.army.mil.crt file. At the beginning I was only loading the web server .crt based on the instructions below and then using openssl to verify that it was installed properly, but it needed the entire certificate chain.

Read the section: Read a PEM certificate: GitLab Runner reads the PEM certificate (DER format is not supported) from a predefined file:....

openssl s_client -showcerts -connect gitlab.example.com:443 -servername gitlab.example.com < /dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/gitlab-runner/certs/gitlab.example.com.crt

echo | openssl s_client -CAfile /etc/gitlab-runner/certs/gitlab.example.com.crt -connect gitlab.example.com:443 -servername gitlab.example.com

Source: https://docs.gitlab.com/runner/configuration/tls-self-signed/