GitLab Runner – Fix CA Signed Certificate Error

Tags: docker, gitlab, ssl-certificate, Ubuntu

My company changed the Certification Authority (it was a single CA and now we have a root CA and an intermediate CA). I changed the configuration in the GitLab instance with success and moved to the runner (that is on an Ubuntu 18.04.5 LTS). I tried to follow the GitLab docs without success.

I followed the default approach here that says "Default – Read the system certificate", and so I added the certificates (CA and Intermediate) to the Ubuntu CA list. Everything seemed to work because the runner appears in GitLab.

I start a job and I get:

Running with gitlab-runner 11.5.0 (3afdaba6)
  on RUN01 12ccbb74
Using Docker executor with image node:latest ...
Pulling docker image node:latest ...
Using docker image sha256:ab773999a02271b25a9f3bce46018fc3ad46a7f922a5e3e8712b6d1c7087c415 for node:latest ...
Running on runner-12ccbb74-project-73-concurrent-0 via (...)...
00:02
Fetching changes...
00:01
HEAD is now at 60b6860 Update dependency mocha to v9
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@(...).git/': SSL certificate problem: unable to get issuer certificate
ERROR: Job failed: exit code 1

I then added (on the GitLab instance) the complete chain to the certificate file, and the error changed to SSL certificate problem: self signed certificate in certificate chain.

My logic*: It works for Ubuntu, but it doesn't for Docker. So I moved to the Trusting TLS certificates for Docker and Kubernetes executors section.

What I've tried so far, without success:

  1. I added the Root CA certificate to /etc/gitlab-runner/certs/ca.crt.
  2. I also tried with a file with the Root CA and Intermediate CA in a chain.
  3. I added volumes = ["/cache", "/path/to-ca-cert-dir/ca.crt:/etc/gitlab-runner/certs/ca.crt:ro"] to the config.toml file. But I'm almost sure I should replace /path/to-ca-cert-dir with something. I just don't know what.

*Update: When I installed the GitLab Runner I followed Install using the GitLab repository for Debian/Ubuntu/CentOS/RedHat, so Docker/K8s instructions didn't make sense. I posted an answer on how I was able to solve this.

Best Answer

I was able to make it work following the third option in Supported options for self-signed certificates targeting the GitLab server, that says:

Read a PEM certificate: GitLab Runner reads the PEM certificate (DER format is not supported) from a predefined file:

/etc/gitlab-runner/certs/hostname.crt on *nix systems when GitLab Runner is executed as root.

If your server address is https://my.gitlab.server.com:8443/, create the certificate file at: /etc/gitlab-runner/certs/my.gitlab.server.com.crt.

So I just added the complete chain (GitLab certificate, Intermediate, Root) to a file named /etc/gitlab-runner/certs/<gitlab-url>.crt. Restarted the services with gitlab-runner restart and the job is working.
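The procedure in the answer, as an added shell example that is not part of the original question or answer and not GitLab's own tooling. It goes a little beyond the answer: it derives the certs file name from the GitLab URL the way the quoted docs describe, and it reproduces the two failure modes from the question (root only, intermediate only) against a complete bundle, using openssl verify as the stand-in for the TLS check git performs in the job. Assumptions: openssl 1.1.1 or newer is on PATH, the runner runs as root (so /etc/gitlab-runner/certs/ is the right directory), and the root, intermediate and server certificates are a throwaway PKI constructed in a temp directory for the demo; the function names (runner_cert_path, verify_leaf, build_demo_pki, install_runner_cert) are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): assemble and check the PEM chain
# that GitLab Runner reads from /etc/gitlab-runner/certs/<hostname>.crt.
# Assumes openssl 1.1.1+; the demo PKI below is constructed test data.
set -eu

# Derive the file name the runner expects from the GitLab URL: scheme, port
# and path are dropped, only the host name remains (docs: hostname.crt).
runner_cert_path() {
    host=${1#*://}           # strip scheme
    host=${host%%/*}         # strip path
    host=${host%%:*}         # strip port
    printf '%s/%s.crt\n' "${2:-/etc/gitlab-runner/certs}" "$host"
}

# Check a leaf certificate against a trust bundle the way a TLS client would:
# exit 0 only if the leaf chains back to a self-signed root in the bundle.
verify_leaf() {
    openssl verify -CAfile "$2" "$1"
}

# Build a throwaway root -> intermediate -> server PKI in $1 (constructed
# demo data, EC keys so it takes well under a second). Extensions come from
# an explicit config so the result does not depend on the system openssl.cnf.
build_demo_pki() (
    cd "$1"
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\n' > req.cnf
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' >> req.cnf
    openssl req -x509 -config req.cnf -extensions ca_ext -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout root.key \
        -out root.crt -days 2 -subj "/CN=Demo Root CA" 2>/dev/null
    printf 'basicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign\n' > int.ext
    openssl req -new -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout int.key -out int.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -out int.crt -days 2 -extfile int.ext 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:my.gitlab.server.com\n' > srv.ext
    openssl req -new -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout srv.key -out srv.csr -subj "/CN=my.gitlab.server.com" 2>/dev/null
    openssl x509 -req -in srv.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -out srv.crt -days 2 -extfile srv.ext 2>/dev/null
)

# Copy the chain file (server cert, intermediate, root) to the path the runner
# reads; prints the destination. The runner needs a restart to pick it up.
install_runner_cert() {
    dest=$(runner_cert_path "$1" "${3:-/etc/gitlab-runner/certs}")
    mkdir -p "$(dirname "$dest")"
    cp "$2" "$dest"
    chmod 0644 "$dest"
    printf '%s\n' "$dest"
}

# Demo run on the constructed PKI in a temp dir; nothing touches /etc.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    build_demo_pki "$work"
    cat "$work/int.crt" "$work/root.crt" > "$work/bundle.crt"
    # root only and intermediate only both fail (the two errors from the
    # question); intermediate plus root verifies.
    for bundle in root.crt int.crt bundle.crt; do
        printf '%-11s ' "$bundle:"
        verify_leaf "$work/srv.crt" "$work/$bundle" 2>&1 || true
    done
    cat "$work/srv.crt" "$work/int.crt" "$work/root.crt" > "$work/chain.crt"
    dest=$(install_runner_cert "https://my.gitlab.server.com:8443/" "$work/chain.crt" "$work/demo-certs")
    echo "chain installed at $dest"
    echo "on a real runner omit the third argument, then run: gitlab-runner restart"
    rm -rf "$work"
fi
```

The bundle loop is the useful part for debugging: a bundle with only the root gives "unable to get local issuer certificate" (the intermediate is missing), a bundle with only the intermediate gives "unable to get issuer certificate" (the intermediate is found but cannot be chained to a trusted root), and only the bundle containing both verifies, which is why the answer's file holds the whole chain.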