
GitLab Runner for GitLab server with CA signed certificate failing with: self signed certificate in certificate chain


My company changed the Certification Authority (it was a single CA and now we have a root CA and an intermediate CA). I changed the configuration in the GitLab instance with success and moved to the runner (that is on a Ubuntu 18.04.5 LTS). I tried to follow the GitLab docs without success.

I followed the default approach here that says "Default - Read the system certificate", and so I added the certificates (CA and Intermediate) to the Ubuntu CA list. Everything seemed to work because the runner appears in GitLab.

I start a job and I get:

```
Running with gitlab-runner 11.5.0 (3afdaba6)
  on RUN01 12ccbb74
Using Docker executor with image node:latest ...
Pulling docker image node:latest ...
Using docker image sha256:ab773999a02271b25a9f3bce46018fc3ad46a7f922a5e3e8712b6d1c7087c415 for node:latest ...
Running on runner-12ccbb74-project-73-concurrent-0 via (...)...
00:02
Fetching changes...
00:01
HEAD is now at 60b6860 Update dependency mocha to v9
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@(...).git/': SSL certificate problem: unable to get issuer certificate
ERROR: Job failed: exit code 1
```

I then added (on the GitLab instance) the complete chain to the certificate file, and the error changed to SSL certificate problem: self signed certificate in certificate chain.

My logic*: It works for Ubuntu, but it doesn't for Docker. So I moved to the Trusting TLS certificates for Docker and Kubernetes executors section.

What I've tried so far, without success:

  1. I added the Root CA certificate to /etc/gitlab-runner/certs/ca.crt.
  2. I also tried with a file with the Root CA and Intermediate CA in a chain.
  3. I added volumes = ["/cache", "/path/to-ca-cert-dir/ca.crt:/etc/gitlab-runner/certs/ca.crt:ro"] to the config.toml file. But I'm almost sure I should replace /path/to-ca-cert-dir with something. I just don't know what.

*Update: When I installed the GitLab Runner I followed Install using the GitLab repository for Debian/Ubuntu/CentOS/RedHat, so Docker/K8s instructions didn't make sense. I posted an answer on how I was able to solve this.


I was able to make it work following the third option in Supported options for self-signed certificates targeting the GitLab server, that says:

Read a PEM certificate: GitLab Runner reads the PEM certificate (DER format is not supported) from a predefined file:

/etc/gitlab-runner/certs/hostname.crt on *nix systems when GitLab Runner is executed as root.

If your server address is https://my.gitlab.server.com:8443/, create the certificate file at: /etc/gitlab-runner/certs/my.gitlab.server.com.crt.

So I just added the complete chain (GitLab certificate, Intermediate, Root) to a file named /etc/gitlab-runner/certs/<gitlab-url>.crt. Restarted the services with gitlab-runner restart and the job is working.
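As an added example, not code from the question, the answer or GitLab's documentation: a POSIX shell script that assembles the chain file in the order the answer describes (server certificate, intermediate, root), counts the certificates in it, and verifies it with openssl before the runner is restarted. It also reproduces the question's first error, "unable to get issuer certificate", by trusting only the intermediate. The hostname gitlab.example.internal, the temporary working directory and the throw-away PKI it generates are assumptions so the script runs offline; in practice the certificate files come from your CA and the GitLab server.

```shell
#!/bin/sh
# Added example (not from the question, the answer or GitLab's docs): build the
# chain file the runner reads from /etc/gitlab-runner/certs/<hostname>.crt and
# verify it with openssl before restarting gitlab-runner. The hostname, the
# working directory and the throw-away PKI below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
GITLAB_HOST="${GITLAB_HOST:-gitlab.example.internal}"   # placeholder server name

# Generate root CA -> intermediate CA -> server certificate so the script runs
# offline. In real use root.crt/int.crt come from your PKI and server.crt is the
# certificate the GitLab instance serves.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/int.ext" \
    -out "$WORK/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$GITLAB_HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$GITLAB_HOST" \
    > "$WORK/server.ext"
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/int.crt" \
    -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

# Concatenate in the order the answer uses: server certificate, intermediate,
# root. Prints the path of the chain file (named after the GitLab host).
build_chain() {
  cat "$WORK/server.crt" "$WORK/int.crt" "$WORK/root.crt" > "$WORK/$GITLAB_HOST.crt"
  printf '%s\n' "$WORK/$GITLAB_HOST.crt"
}

# Number of PEM certificates in a file (3 for leaf + intermediate + root).
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Verify the first certificate in the chain file against the rest of the file,
# which is what a client that trusts the whole file effectively does.
verify_chain_file() {
  awk '/BEGIN CERTIFICATE/{n++} n==1' "$1" > "$WORK/leaf.pem"
  awk '/BEGIN CERTIFICATE/{n++} n>1'  "$1" > "$WORK/issuers.pem"
  openssl verify -CAfile "$WORK/issuers.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Reproduce the question's first failure: trusting only the intermediate leaves
# the chain without a self-signed anchor, so OpenSSL reports
# "unable to get issuer certificate". Returns 0 when that error is observed.
intermediate_only_fails() {
  openssl verify -CAfile "$WORK/int.crt" "$WORK/server.crt" 2>&1 \
    | grep -q 'unable to get issuer certificate'
}

# Demo run: build the chain and report what the checks find.
make_demo_pki
CHAIN=$(build_chain)
echo "certificates in $CHAIN: $(cert_count "$CHAIN")"
verify_chain_file "$CHAIN" && echo "full chain (leaf, intermediate, root): OK"
intermediate_only_fails && echo "intermediate only: unable to get issuer certificate"
```

Run it as root on the runner host with GITLAB_HOST set to the name in the server URL; once the chain file verifies, copy it to /etc/gitlab-runner/certs/<hostname>.crt and run gitlab-runner restart as the answer describes. A file that verifies only with the root added is exactly the situation the question hit: the intermediate alone is not a trust anchor.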

ahogen:
The `volume = [..., "path/to/ca.crt:/etc/gitlab-runner/certs/ca.crt:ro"]` method had been working fine for me with Docker executors on an Ubuntu host, with both Ubuntu and CentOS containers. But in trying to transition from a Docker executor to Podman, I ran into this, specifically when the GitLab helper image clones/fetches the git repo. Putting a copy of my cert in the Host's dir as you describe fixed it!
