Gitlab-CI-Runner can't authenticate against a Gitlab instance that uses an SSL certificate signed by an authority with name-constraints
Summary
In my company, we use a local infrastructure CA which has a name constraint so it can only be used to sign certificates for our internal infrastructure. The relevant parts of openssl x509 -text on the CA certificate look like this:
X509v3 Name Constraints: critical
Permitted:
DNS:.example.net
The gitlab instance uses a certificate with the following SAN:
X509v3 Subject Alternative Name:
DNS:gitlab.example.net
When I now try to register a CI runner against that instance, with the infrastructure CA in the host's certificate store, the registration fails and the runner claims that the CA is not authorized to sign the certificate for the Gitlab instance.
The root issue seems to be that the version of Go the runner was built with still has this Go bug.
Steps to reproduce
- Create an SSL CA certificate with a DNS name constraint that starts with a dot, i.e. DNS:.example.net
- Create an SSL certificate signed by that CA and set up a Gitlab instance to use that certificate
- Import the CA certificate into the certificate store of another machine
- Try to set up gitlab-ci-multi-runner on that second machine pointing to the Gitlab instance.
Actual behavior
The registration fails, claiming that the CA is not authorized to sign the certificate for the Gitlab instance.
Expected behavior
The registration successfully verifies the certificate used by the Gitlab instance and registration succeeds.
Relevant logs and/or screenshots
This is the output of the registration process. The CA is in the machine's certificate store.
$ gitlab-ci-multi-runner register -n --url "https://gitlab.example.net" --registration-token "ThisAintMyToken"
Running in system-mode.
ERROR: Registering runner... failed runner=2y_gpzWG status=couldn't execute POST against https://gitlab.example.net/api/v4/runners: Post https://gitlab.example.net/api/v4/runners: x509: a root or intermediate certificate is not authorized to sign in this domain
ERROR: Checking GitLab compatibility... not-compatible reason=GitLab Runner >= 9.0 can be used ONLY with GitLab CE/EE >= 9.0 result=-1 runner=2y_gpzWG statusText=couldn't execute POST against https://gitlab.example.net/api/v4/runners/verify: Post https://gitlab.example.net/api/v4/runners/verify: x509: a root or intermediate certificate is not authorized to sign in this domain
PANIC: Failed to register this runner. Perhaps you are having network problems
Used GitLab Runner version
I'm using the GitLab Runner from GitLab's Ubuntu repository:
$ gitlab-runner --version
Version: 9.2.0
Git revision: adfc387
Git branch: 9-2-stable
GO version: go1.7.5
Built: Mon, 22 May 2017 16:00:24 +0000
OS/Arch: linux/amd64