Register fails for untrusted certificates

After filling out everything which sudo gitlab-ci-multi-runner register requires I get:

ERRO[0019] xxx Registering runner... failed couldn't execute POST against https://git.example.com/ci/api/v1/runners/register.json: Post https://git.example.com/ci/api/v1/runners/register.json: x509: certificate signed by unknown authority
FATA[0019] Failed to register this runner. Perhaps you are having network problems

I'm using a self-signed certificate without a valid root-certificate. How can I trust this certificate so I can get the runner up and running?

#257 (closed) #261 (closed)

When i applied #257 (closed) i get

ERRO[0002] 1dae8a68 Registering runner... failed couldn't execute POST against https://mygitlab.example.com/ci/api/v1/runners/register.json: Post https://mygitlab.example.com/ci/api/v1/runners/register.json: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "mygitlab.example.com") 
FATA[0002] Failed to register this runner. Perhaps you are having network problems 

I think that #267 (closed) doesn't fit self-signed certificate or am i missing something?

@vala-martin You have some problem with your ssl certificate.

Yeah, the certificate chain is not complete but it should be useable nonetheless.

my gitlab web page is using this certificate without problem. I see problem with gitlab-ci-multi-runner register

@vala-martin Did you install ca-certifactes (if it's Ubuntu or Debian)?

I'm working on possibility to have local runner certificate store so this would solve the problem.

i use centos7

@vala-martin

Can you maybe try to use: yum install curl and then try again?

Package curl-7.29.0-19.el7.x86_64 already installed and latest version

$ curl https://mygitlab.example.com/ci/api/v1/runners/register.json
curl: (60) Issuer certificate is invalid.

@vala-martin If you resolve the curl problem, it will most likely resolve the gitlab-runner too.

i followed http://curl.haxx.se/docs/sslcerts.html, but no luck. Can you give me hint?

@hedgehog, did #257 (closed) and #261 (closed) fix your problems?

Hi there!

I had the same problem:

ERRO[0011] cabbbd8c Registering runner... failed couldn't execute POST against https://git.etaminstud.io/ci/api/v1/runners/register.json: Post https://git.mycompany.com/ci/api/v1/runners/register.json: x509: certificate signed by unknown authority
FATA[0011] Failed to register this runner. Perhaps you are having network problems
root@ci-runner1:/usr/local/share/ca-certificates# curl https://git.mycompany.com
curl: (60) SSL certificate problem: unable to get local issuer certificate

First, check the certificate chain:

$ openssl s_client -connect git.mycompany.com:443

In my case I had:

Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=git.mycompany.com
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2

It means that on my Gitlab instance, I was using a simple SSL certificate, not chained to an intermediate certificate or cross-signed certificate. That was the issue.

Here is how I solved it on my Gitlab omnibus instance:

$ cd /etc/gitlab/ssl

Download the intermediate certificate from your provider (mine is Gandi.net, documentation here):

$ wget https://www.gandi.net/static/CAs/GandiProSSLCA.pem

It should include the Cross-Signed Certificate.

$ cat GandiProSSLCA.pem
-----BEGIN CERTIFICATE-----
XXXXXXXXX   <- intermediate certificate from your SSL provider
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXXXXXXX   <- cross-signed certificate
-----END CERTIFICATE-----

If the one from your provider it does not, you have to do it yourself.

Then, concatenate this certificate bundle with your own certificate:

$ cat git.mycompany.com.crt GandiStandardSSLCA2.pem > git.mycompany.com.chained.crt
$ mv git.mycompany.com.crt git.mycompany.com.crt.bak
$ mv git.mycompany.com.chained.crt git.mycompany.com.crt

Reconfigure and restart

$  sudo gitlab-ctl reconfigure
$  sudo gitlab-ctl restart

If nginx has trouble restarting, there is something wrong with the way you concatenated your certificates. Make sure they were all in the same format (DER or PEM).

Then, from your gitlab-ci-multi-runner instance, check the certificate chain:

$ openssl s_client -connect git.mycompany.com:443

You should see something like this:

Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=git.mycompany.com
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

You should now be able to register your runner.

@ayufan the runner has diffinitly a problem, curl successfully reaches gitlab using --cacert on the container.

temporary workaround on ubuntu images:

create an alternative entryoint `/entrypoint2``

# this will trust the certificate at the os level, and allow the runner to register.
cp /etc/gitlab-runner/certs/ca.crt /usr/local/share/ca-certificates/[WHATEVER_NAME].crt
update-ca-certificates
/entrypoint $@

and then

docker run -v CA_CERTIFICATE:/etc/gitlab-runner/certs/ca.crt -v entrypoint:/entrypoint2 --entrypoint /entrypoint2 gitlab/gitlab-runner:latest

BUT the issue perssist with docker runners, git doesn't trust the certificate on builds with the following error

Cloning into '/builds/xxxxx'...
fatal: unable to access 'https://gitlab-ci-token:xxxxxx@repos/repo.git':
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I guess the runner must inform git to trust the CA on the created build containers too.

I have solution for that problem. However, I need a few more days to finish the stuff.

Reassigned to @ayufan

Milestone changed to v0.7.0

The support for self-signed certificates is in Bleeding Edge release. It should be live in 0.7.0.

Please check the docs: https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/blob/master/docs/configuration/tls-self-signed.md

Status changed to closed

@ayufan I read the doc and it's promising so far, I just would like to suggest make the runner automatically mount the certificate file corresponding to gitlab host in the created containers (docker mode), I think about the standard path /etc/ssl/certs/gitlab-trusted.crt, this way instead of using GIT_SSL_NO_VERIFY just automatically provide the GIT_SSL_CAINFO

@g13013 I thought about it. Maybe someone can contribute that feature?

At least you are not against the idea, I will try to find a time to do it

You need both CA certificate and server certificate to make self-signed certificates work. See this gist for a full example.

Using a plain self-signed certificate without a CA fails with x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "example.com") ← note the parent certificate cannot sign this kind of certificate part of the error message.

Any news here ? I'm stuck with this certificate problem.

yep. same problem here

Hey there, I solved my issue, checkout https://stackoverflow.com/questions/44458410/gitlab-ci-runner-ignore-self-signed-certificate if it can help..

Things I did: since I am no certificate expert, and our certificate department may need days to respond,

1: ex +'g/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect ourserver.com:443) -scq copy that in the path in the runner is /etc/gitlab-runner/certs/ourserver.com.crt

2: I have copied and pasted in a single file all the certificates that exists on our gitlab omnibus server.

every time the same errors.

yum info gitlab-ce
Failed to set locale, defaulting to C
Loaded plugins: aliases, changelog, fastestmirror, kabi, langpacks, tmprepo, verify, versionlock
Loading support for Red Hat kernel ABI
Loading mirror speeds from cached hostfile
 * base: mirrors.ircam.fr
 * epel: mirrors.ircam.fr
 * extras: centos.mirror.ate.info
 * updates: mirrors.ircam.fr
Installed Packages
Name        : gitlab-ce
Arch        : x86_64
Version     : 9.3.2
Release     : ce.0.el7
Size        : 1.0 G
Repo        : installed
From repo   : gitlab_gitlab-ce
Summary     : GitLab Community Edition (including NGINX, Postgres, Redis)
URL         : https://about.gitlab.com/
License     : MIT
Description : GitLab Community Edition (including NGINX, Postgres, Redis)

the path in the runner is /etc/gitlab-runner/certs/ourserver.com.crt

gitlab-runner --version
Version:      9.3.0
Git revision: 3df822b
Git branch:   9-3-stable
GO version:   go1.7.5
Built:        Thu, 22 Jun 2017 10:57:22 +0000
OS/Arch:      linux/amd64

gitlab-runner register --non-interactive --url https://ourserver.com/ --registration-token "yALSNBKJCznSsK5zsnzZ"
Running in system-mode.

ERROR: Registering runner... failed                 runner=yALSNBKJ status=couldn't execute POST against https://ourserver.com/api/v4/runners: Post https://ourserver.com/api/v4/runners: x509: certificate signed by unknown authority
ERROR: Checking GitLab compatibility... not-compatible  reason=GitLab Runner >= 9.0 can be used ONLY with GitLab CE/EE >= 9.0 result=-1 runner=yALSNBKJ statusText=couldn't execute POST against https://ourserver.com/api/v4/runners/verify: Post https://ourserver.com/api/v4/runners/verify: x509: certificate signed by unknown authority
PANIC: Failed to register this runner. Perhaps you are having network problems

Hello, sorry I can't help you on this one :(