Artifacts upload fails due to self-signed certificate
We're using GitLab with a self-signed certificate on an internal server. The (virtual) machine uses Ubuntu 14.04 LTS, the certificate has been added with update-ca-certificates in both the runner's host as well as the docker image used for the tests.
A quick test with curl https://INTERNAL_DOMAIN or docker run -i INTERNAL_UBUNTU_WITH_CA_CERTS curl https://INTERNAL_DOMAIN shows that curl respects the certificate. However, the artifacts cannot get uploaded:
gitlab-ci-multi-runner 0.7.1 (ee7a001)
Using Docker executor with image ubuntu ...
Pulling docker image gitlab/gitlab-runner:build ...
Pulling docker image ubuntu:latest ...
Running on runner-fec339cc-project-6-concurrent-0 via test-machine...
Fetching changes...
Removing artifacts.tgz
Removing example.out
HEAD is now at dd63980 Fix Ubuntu image
Checking out ca09dd1a as master...
Previous HEAD position was dd63980... Fix Ubuntu image
HEAD is now at ca09dd1... GitLab YAML test
$ touch example.out
Archiving artifacts...
INFO[0000] Creating archive artifacts.tgz ...
INFO[0000] Done!
Uploading artifacts...
4.0K artifacts.tgz
curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.One can reproduce this with a project that contains only the following .gitlab-ci.yml:
image: ubuntu:trusty
stages:
- build
test:
stage: build
script: touch example.out
artifacts:
paths:
- example.outThe runner is configured as
concurrent = 2
[[runners]]
name = "test-machine"
url = "https://INTERNAL_DOMAIN/ci/"
token = "xxxxxxx"
limit = 1
executor = "docker"
[runners.docker]
image = "INTERNAL_UBUNTU_WITH_CA_CERTS"
privileged = false
volumes = ["/cache"]
allowed_images = ["gcc:*", "ubuntu:trusty", "INTERNAL_UBUNTU_WITH_CA_CERTS"]I guess this happens due to the docker configuration, since both curl and docker run -i INTERNAL_UBUNTU_WITH_CA_CERTS curl work on the host.
Any chance to have the runner respect the local (trusted) certificates? Alternatively, could we get some use_unsafe_curl_https option for the configuration, that will use --insecure?
Activity
Yes, this happens, because everything is executed within docker container (which is separate from host system).
I think that we should extend
gitlab-runner archiveto allow uploading of artifacts. Then we can pass GitLab certificate to build environment. I'm not sure that this is good idea to disable certificate checking for curl.Maybe for now till we implement proper solution we could support
GIT_SSL_NO_VERIFY? https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/blob/master/docs/configuration/tls-self-signed.md#git-cloningReassigned to @ayufan
Definitely don't want the default to be not checking…
@mcfedr Me neither. I just want
curlto respect the host's/etc/ssl/certs(or whatever curl's using on the distribution). The--insecurewould be a cheap (unsafe) workaround (which would work well for completely isolated networks) and should get a big red warning disclaimer, if it was ever added.Edited by username-removed-331521The latest Bleeding Edge build from https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/builds/395886 works fine for me. Now artifact uploads are working on docker. (see #75 (closed))
I updated my
gitlab-ci-multi-runnerto1.0.0~beta.5.gf1300da (f1300da)using thehttps://s3.amazonaws.com/gitlab-ci-multi-runner-downloads/master/…URL that matches my OS.Edited by username-removed-15084
