Unable to register a own gitlab container registry in portainer with self signed cert - x509: certificate signed by unknown authority

[Spotterday]

Before you start, we need a little bit more information from you:

Use Case (delete as appropriate): Using Portainer at Home
Have you reviewed our technical documentation and knowledge base? Yes

Hi team,

i´m running currently Portainer Business Edition 2.16.1 on an raspberry 4b

root@DC:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

with an additional gitlab container in a macvlan. Both portainer and gitlab are in the same subnet 192.168.10.0/24 without any fw restrictions.
Everything working fine at the moment, but only the registry makes problem and that only under portainer.
I´m unable to register my registry as gitlab or custom registry.

My gitlab container is deployed with an ENV GITLAB_OMNIBUS_CONFIG :

GITLAB_OMNIBUS_CONFIG = external_url 'https://gitlab.fritz.box'; nginx['ssl_certificate']='/etc/gitlab/ssl/gitlab.fritz.box.crt'; nginx['ssl_certificate_key']='/etc/gitlab/ssl/gitlab.fritz.box.key'; nginx['redirect_http_to_https'] = true; registry_external_url 'https://gitlab.fritz.box';

Gitlab GIT repositories and the registry itself is accessible via HTTPS, no problem, push / pull and search working from my pi and clients

root@DC:~# docker login gitlab.fritz.box
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@DC:~#
root@DC:~# docker image ls
REPOSITORY                           TAG       IMAGE ID       CREATED       SIZE
prom/prometheus                      latest    a00b74087dc1   7 days ago    217MB
portainer/portainer-ee               latest    f99462e8df3a   7 days ago    306MB
grafana/grafana                      latest    f49d00abd1b4   8 days ago    325MB
jc21/nginx-proxy-manager             latest    2991a96e6ce3   8 days ago    894MB
yrzr/gitlab-ce-arm64v8               latest    3660ef2462ab   13 days ago   2.72GB
vaultwarden/server                   latest    cefd907bbaa1   4 weeks ago   242MB
pihole/pihole                        latest    49155d3d8ea7   5 weeks ago   310MB
nubacuk/docker-openvpn               aarch64   71809ab4daef   6 weeks ago   13.3MB
gitlab.fritz.box/spotterday/docker   latest    71809ab4daef   6 weeks ago   13.3MB
gitlab.fritz.box/spotterday/test     latest    71809ab4daef   6 weeks ago   13.3MB

root@DC:~# docker image ls gitlab.fritz.box/spotterday/test
REPOSITORY                         TAG       IMAGE ID       CREATED       SIZE
gitlab.fritz.box/spotterday/test   latest    71809ab4daef   6 weeks ago   13.3MB

I also attached by CA certificate to /etc/ssl/certs/ca-certificates.crt and also update-ca-certificates.
Even i pushed the gitlab chain cert to /etc/docker/certs.d/gitlab.fritz.box:443/ca.crt

But when i try to register my registry as gitlab registry in portainer i got the message "Unable to retrieve projects"
and my docker log shows :

root@DC:~# docker logs portainer
{"time":1668615549,"message":"http: proxy error: x509: certificate signed by unknown authority"}

I´m confuesed Portainer uses the docker from my pi or does it have its own "client / cli" instance ?
Maybe someone has a hint for me

I tried also with

root@DC:~# cat /etc/docker/daemon.json
{
        "iptables": false,
        "insecure-registries" : ["gitlab.fritz.box:443"]
}

[jamescarppe]

Portainer includes within the image it's own versions of the Docker binaries, so changes that you make at the host side may not affect the tooling that Portainer itself uses.

In saying that, we don't currently support custom CAs for custom registries. This is something we're looking at for the future, though.

[atol71]

This enforces to open up the system to WAN for certificate in some cases.