Push docker image to GitLab registry with self signed certificate (the dirty way)

I wanted to use GitLabs CI/CD feature using a GitLab runner. With a privileged container running docker:dind I’m able to build an image inside another image. That already works fine. I wanted the addition push to the registry after building. But the selfsigned certificate stopped me.

x509: certificate signed by unknown authority

Building my own image based on docker:dind

My first try was to build my own image based on docker:dind. Here is the full Dockerfile for that:

FROM docker:dind

COPY veloc1tyNetworksRootCA.crt /usr/local/share/ca-certificates
RUN update-ca-certificates

VOLUME ["/var/lib/docker"]
EXPOSE 2375
ENTRYPOINT ["dockerd-entrypoint.sh"]
CMD []

The file veloc1tyNetworksRootCA.crt contains the certificate of my internal certificate authority. With that I should get rid of the error message. It probably did, but DNS resolution now fails:

error during connect: Post http://docker:2375/v1.39/auth: dial tcp: lookup docker on 10.20.20.2:53: no such host

Somehow the DNS lookup for “docker” is now passed on to my local DNS resolver. Normally the DNS lookup should’ve been intercepted and answered by the docker daemon.
After some debugging attempts I gave up.

Skipping certifiacte checking

I ended up using the original docker:dind image and skipped the certificate check. This can be done by adding a command to the corresponding service. Here is an example .gitlab-ci.yml file:

---
stages:
    - build

create_docker_image:
    variables:
        DOCKER_HOST: tcp://docker:2375/
        DOCKER_DRIVER: overlay2
        GIT_DEPTH: 1
    image: docker:dind
    stage: build
    only:
        - master
    services:
        - name: docker:dind
          command: ["--insecure-registry=git.veloc1ty.lan:4567"]
    tags:
        - docker-privileged
    script:
        - "docker --version"
        - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN git.veloc1ty.lan:4567
        - docker build -t git.veloc1ty.lan:4567/veloc1ty/mycoolcontainer:latest .
        - docker push git.veloc1ty.lan:4567/veloc1ty/mycoolcontainer:latest

With --insecure-registry=git.veloc1ty.lan:4567 I was able to skip certificate checking. That’s not cool but any other solution did not help. Making the registry public using a Let’s Encrypt TLS certificate was not an option.

What else I’ve tried and not

Besides trying to build my own image I tried the following:

• Adding the CA certificate to the Linux running my GitLab runner (this was done before before by ansible)
• Adding the CA certtificate to /etc/docker/certs.d using various styles of writing the hostname + port

What I’ve not tried: Adapting the GitLab runner config to mount additional directories inside containers.

Using insecure registries with Docker Desktop on Mac

The error message about the untrusted certificate is also present on my Mac. Adding the CA certificate to the Mac keyring is not an option, because docker is running in a VM. You would have to add the certificate to the docker vm. Way too much fiddling.

The solution is to add the insecure-registries key to the daemon.json. This can be done via GUI:

Click on Docker Desktop Icon in the top taskbar -> Preferences -> Daemon -> Advanced. You should get the following JSON:

{
  "debug" : true,
  "experimental" : false
}

Now you can add your insecure registries:

{
  "debug" : true,
  "insecure-registries" : [
    "git.veloc1ty.lan:4567"
  ],
  "experimental" : false
}

Hit Apply & Restart and wait until docker is up again. You should now be able to log in without a certificate error.