When using GitLab CI/CD to build docker images, you may stumble on the following error with the “docker:dind” image (dind stands for docker in docker):
```
$ docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $REGISTRY_URL
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://gitlab.ahelpme.com:4567/v2/: x509: certificate signed by unknown authority
ERROR: Job failed: exit code 1
```
In our case, the “docker build” command needs a running docker service and the GitLab runner has to provide it, so docker:dind is our best option. A self-signed certificate can be really difficult to use in a platform as big as GitLab, but whatever your reasons for running the docker service in a docker container, you may need to use a custom registry with a self-signed certificate.
There are two options to use self-signed certificates with docker:
- Add the self-signed certificate in “/etc/docker/certs.d/[custom_registry]/ca.crt”. custom_registry must include the port, for example: “/etc/docker/certs.d/gitlab.example.com:4567/ca.crt”, and restart the docker service. This could be difficult when you use GitLab CI/CD and .gitlab-ci.yml.
- Add “--insecure-registry” to the docker configuration and restart. Apparently it is easier than the first option when using GitLab CI/CD and .gitlab-ci.yml.
The solution
In the GitLab CI/CD file .gitlab-ci.yml, add two options (entrypoint, command) to the service that provides “dind” (docker in docker). The start of your .gitlab-ci.yml should look something like:
```yaml
image: docker:18.09.7
services:
  - name: docker:18.09.7-dind
    entrypoint: ["dockerd-entrypoint.sh"]
    command: ["--insecure-registry", "gitlab.ahelpme.com:4567"]
```
Of course, replace the “gitlab.ahelpme.com:4567” with your custom docker registry domain.
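The first option from the list above keeps TLS verification on for the registry, whereas --insecure-registry tells dockerd to skip certificate verification for it. The following is an added example, not code from the original post: a POSIX shell helper that places a CA certificate in the certs.d directory of a host:port registry. The function names and the optional ROOT argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): trust a private registry CA
# through certs.d so dockerd keeps verifying TLS for that registry.

# registry_cert_dir HOST:PORT [ROOT]
# Prints the directory dockerd reads for that registry. The port is required,
# as the post notes. ROOT is a hypothetical override so the helper can be
# exercised outside /etc/docker/certs.d.
registry_cert_dir() {
    rcd_registry=$1
    rcd_root=${2:-/etc/docker/certs.d}
    rcd_host=${rcd_registry%:*}
    rcd_port=${rcd_registry##*:}
    case $rcd_registry in
        *:*) ;;
        *) echo "registry must be host:port" >&2; return 2 ;;
    esac
    # Rejects schemes, paths and "../" so the name stays a single directory.
    case $rcd_host in
        ''|*[!A-Za-z0-9.-]*) echo "bad registry host: $rcd_host" >&2; return 2 ;;
    esac
    case $rcd_port in
        ''|*[!0-9]*) echo "bad registry port: $rcd_port" >&2; return 2 ;;
    esac
    printf '%s/%s:%s\n' "$rcd_root" "$rcd_host" "$rcd_port"
}

# install_registry_ca HOST:PORT CA_PEM_FILE [ROOT]
# Copies the CA certificate to <ROOT>/<HOST:PORT>/ca.crt and prints that path.
install_registry_ca() {
    irc_dir=$(registry_cert_dir "$1" "${3:-/etc/docker/certs.d}") || return 2
    irc_src=$2
    [ -r "$irc_src" ] || { echo "cannot read $irc_src" >&2; return 3; }
    # Structural checks only: the file must hold a PEM certificate and must
    # never carry a private key into a world-readable directory.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$irc_src" \
        || { echo "$irc_src has no PEM certificate" >&2; return 4; }
    if grep -q -e 'PRIVATE KEY-----' "$irc_src"; then
        echo "$irc_src contains a private key, refusing" >&2
        return 5
    fi
    mkdir -p "$irc_dir" && chmod 755 "$irc_dir" || return 6
    cp "$irc_src" "$irc_dir/ca.crt" && chmod 644 "$irc_dir/ca.crt" || return 6
    printf '%s\n' "$irc_dir/ca.crt"
}
```

Called as `install_registry_ca gitlab.example.com:4567 ca.pem` on the host or container that runs dockerd, it writes “/etc/docker/certs.d/gitlab.example.com:4567/ca.crt”.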