Gitlab-CI runner: ignore self-signed certificate
gitlab-ci-multi-runner register

gave me

couldn't execute POST against https://xxxx/ci/api/v1/runners/register.json:
Post https://xxxx/ci/api/v1/runners/register.json: 
x509: cannot validate certificate for xxxx because it doesn't contain any IP SANs

Is there a way to disable certification validation?

I'm using Gitlab 8.13.1 and gitlab-ci-multi-runner 1.11.2.

Trot answered 9/6, 2017 at 12:55 Comment(0)
Based on Wassim's answer, and gitlab documentation about tls-self-signed and custom CA-signed certificates, here's to save some time if you're not the admin of the gitlab server but just of the server with the runners (and if the runner is run as root):

SERVER=gitlab.example.com
PORT=443
CERTIFICATE=/etc/gitlab-runner/certs/${SERVER}.crt

# Create the certificates hierarchy expected by gitlab
sudo mkdir -p $(dirname "$CERTIFICATE")

# Get the certificate in PEM format and store it
openssl s_client -connect ${SERVER}:${PORT} -showcerts </dev/null 2>/dev/null | sed -e '/-----BEGIN/,/-----END/!d' | sudo tee "$CERTIFICATE" >/dev/null

# Register your runner
gitlab-runner register --tls-ca-file="$CERTIFICATE" [your other options]

Update 1: CERTIFICATE must be an absolute path to the certificate file.

Update 2: it might still fail with custom CA-signed because of gitlab-runner bug #2675

Underpart answered 9/11, 2017 at 16:13 Comment(7)
This should be the accepted answer IMHO. This is way better than recreating the certificate/dhparam and editing server configuration files. (Katheryn)
This solution also works for Windows: simply get the certificate from the server, place it in the same directory as the runner exe and add it in config.toml as "tls-ca-file" under "[[runners]]". (Katheryn)
What is the PORT=443? (Conservative)
To contact your server, you need its hostname and port. Here those are just examples. Port 443 is the usual port where a web server listens for HTTPS connections. (Underpart)
This is the best answer I've encountered. (Epithalamium)
I ran into this `x509: certificate signed by unknown authority` error, but oddly just sudo'ed during register and got past the error! `sudo gitlab-runner register ....` (Vigilance)
I followed all steps described above using openssl and also tried to generate a .pem file but still getting this error: ERROR: Registering runner... failed runner=VxUKPa5q status=couldn't execute POST against 172.16.53.241/api/v4/runners: Post "172.16.53.241/api/v4/runners": x509: certificate has expired or is not yet valid: current time 2022-02-13T11:58:12-05:00 is after 2022-01-28T15:25:11Z PANIC: Failed to register the runner. You may be having network problems. (Boney)
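The script in this answer trusts whatever certificate `openssl s_client` happens to receive; if that one connection is intercepted, the intercepting certificate is what lands in `--tls-ca-file` and every later registration and job validates against it. The helpers below are an added example (not part of this answer and not GitLab's tooling) for the runner admin: compare the saved PEM file against a SHA-256 fingerprint obtained from the GitLab admin out of band, and confirm the certificate is valid for the exact host name that will be used at registration, since a name that is not in the SAN fails with the same x509 error as the question. `gitlab.example.com`, the temporary directory and the throwaway certificate produced by `make_sample_cert` are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example, not code from the answer above or from GitLab.
# Helpers to check a certificate file before passing it to --tls-ca-file:
#   cert_fingerprint    SHA-256 fingerprint of the first certificate in a PEM file
#   verify_pinned       compare that fingerprint with one received out of band
#   cert_valid_for_host validate the (self-signed) certificate for a host name
#   make_sample_cert    constructed self-signed certificate used for the demo
set -eu

# 64 lowercase hex digits, colons stripped, so any copy-pasted form compares equal.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Succeeds only if the file's fingerprint equals the expected one.
# The expected value may carry colons or uppercase as browsers print it.
verify_pinned() {
    _want=$(printf '%s' "$2" | sed 's/://g' | tr 'A-F' 'a-f')
    [ "$(cert_fingerprint "$1")" = "$_want" ]
}

# Succeeds if the certificate, acting as its own trust anchor (self-signed
# case), validates for HOST. This is the name check a TLS client, and so
# gitlab-runner, performs; a failure here means registering against HOST
# would fail with an x509 error.
cert_valid_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Constructed for the demo: a throwaway self-signed certificate that does
# carry a SAN (the thing missing from the question's certificate).
# Prints the path of the PEM file it wrote.
make_sample_cert() {
    _dir=$1
    _host=$2
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
        -subj "/CN=${_host}" -addext "subjectAltName=DNS:${_host}" \
        -keyout "${_dir}/sample.key" -out "${_dir}/sample.crt" >/dev/null 2>&1
    printf '%s\n' "${_dir}/sample.crt"
}

# Demonstration with the constructed certificate for gitlab.example.com.
tmp=$(mktemp -d)
crt=$(make_sample_cert "$tmp" gitlab.example.com)
echo "fingerprint to compare with the one from the GitLab admin: $(cert_fingerprint "$crt")"
for host in gitlab.example.com 192.0.2.10; do
    if cert_valid_for_host "$crt" "$host"; then
        echo "$host: covered by the certificate, registering with https://$host validates"
    else
        echo "$host: NOT covered by the certificate, registering with https://$host fails"
    fi
done
rm -rf "$tmp"
```

The functions work on any PEM file, so after the `openssl s_client ... | sudo tee "$CERTIFICATE"` step you would run `verify_pinned "$CERTIFICATE" "<fingerprint from the admin>"` and `cert_valid_for_host "$CERTIFICATE" "$SERVER"` before `gitlab-runner register`. For a CA-signed server certificate the file in `-CAfile` has to be the CA certificate rather than the server certificate itself.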
In my case I got it working by adding the path to the .pem file as following:

sudo gitlab-runner register --tls-ca-file /my/path/gitlab/gitlab.myserver.com.pem

Often, gitlab-runners are hosted in a docker container. In that case, one needs to make sure that the tls-ca-file is available in the container.

Masculine answered 19/1, 2018 at 19:2 Comment(3)
IMO the correct answer. The only explanation I judge important is on how to obtain a .PEM (or .CRT) file for the server. I did it by visiting my GitLab instance URL in Firefox, then clicked on the lock icon in the address bar, navigated to "More Information" about the connection, "Security", "View Certificate", "Details", clicked the GitLab line under "Certificate Hierarchy", and then "Export"ed the certificate as a PEM file. (Trudeau)
You're a life saver! (Evangelista)
This worked for me, with a small tweak. I had to make sure to use the domain name that was in the cert when registering the runner, rather than the IP address alone, meaning https://gitlab.local.com vs https://10.0.0.10, even though gitlab's runner registration page listed the IP-based URL. Hopefully this will be helpful to someone! (Made)
OK, I followed this post step by step: http://moonlightbox.logdown.com/posts/2016/09/12/gitlab-ci-runner-register-x509-error and then it worked like a charm. To prevent a dead link, I copy the steps below:

First edit ssl configuration on the GitLab server (not the runner)

vim /etc/pki/tls/openssl.cnf

[ v3_ca ]
subjectAltName=IP:192.168.1.1 <---- Add this line. 192.168.1.1 is your GitLab server IP.

Re-generate self-signed certificate

cd /etc/gitlab/ssl
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/gitlab/ssl/192.168.1.1.key -out /etc/gitlab/ssl/192.168.1.1.crt
sudo openssl dhparam -out /etc/gitlab/ssl/dhparam.pem 2048
sudo gitlab-ctl restart

Copy the new CA to the GitLab CI runner

scp /etc/gitlab/ssl/192.168.1.1.crt [email protected]:/etc/gitlab-runner/certs

Thanks @Moon Light @Wassim Dhif

Trot answered 10/6, 2017 at 16:28 Comment(1)
Command line to add subjectAltName, ref: security.stackexchange.com/questions/74345/… i.e. `-extensions san -config <(echo '[req]'; echo 'distinguished_name=req';echo '[san]'; echo 'subjectAltName=IP:192.168.101.100')` (Starstudded)
Currently there is no possibility to run the multi runner with an insecure ssl option.

There is currently an open issue at GitLab about that.

Still, you should be able to get your certificate, make it a PEM file and give it to the runner command using --tls-ca-file

To craft the PEM file use openssl.
openssl x509 -in mycert.crt -out mycert.pem -outform PEM

Ferromagnetism answered 9/6, 2017 at 13:11 Comment(1)
Thanks @Wassim Dhif. I also found this github.com/ayufan/gitlab-ci-multi-runner/blob/master/docs/… but still stuck. (Trot)
In my setup the following worked as well. It's just important that the IP/name used for creating the certificate matches the IP/name used for registering the runner.

gitlab-runner register --tls-ca-file /my/path/gitlab/gitlab.myserver.com.pem

Furthermore, it could be necessary to also add a line for hostname lookup to the runner's config.toml file (section [runners.docker]): extra_hosts = ["git.domain.com:192.168.99.100"]; see also https://gitlab.com/gitlab-org/gitlab-runner/issues/2209

In addition, there could be some network trouble if network mode host is used for gitlab/gitlab-runner; it has to be added to the config.toml as well, as it starts additional containers which otherwise could have a problem connecting to the gitlab host (section [runners.docker]): network_mode="host"

Finally, there might be an issue with the self-signed SSL-Cert (https://gitlab.com/gitlab-org/gitlab-runner/issues/2659). A dirty workaround is to add environment = ["GIT_SSL_NO_VERIFY=true"] to the [[runners]] section.

Nonperformance answered 7/3, 2018 at 7:7 Comment(0)
The following steps worked in my environment. (Ubuntu)

Download certificate
I did not have access to the gitlab server. Therefore,

  1. Open https://some-host-gitlab.com in browser (I use chrome).
  2. View site information, usually a green lock in URL bar.
  3. Download/Export the certificate by navigating to the certificate information (Chrome and Firefox have this option)

In gitlab-runner host

  1. Rename the downloaded certificate with .crt

    $ mv some-host-gitlab.com some-host-gitlab.com.crt

  2. Register the runner now with this file

    $ sudo gitlab-runner register --tls-ca-file /path/to/some-host-gitlab.com.crt

I was able to register runner to a project.

Ashcraft answered 20/12, 2018 at 2:45 Comment(0)
I ran into the same issue. In my case I had to generate an SSL certificate with SANs with the following commands (replace the vars with your specific environment):

openssl genrsa -out ca.key 2048

openssl req -new -x509 -days 365 -key ca.key -subj "/C=__country__/ST=__state_or_province__/L=__locality__/O=__organisation(s)__/CN=__common_name__" -out ca.crt

openssl req -newkey rsa:2048 -nodes -keyout __domain_name__.key -subj "/C=__country__/ST=__state_or_province__/L=__locality__/O=__organisation(s)__/CN=__common_name__" -out __domain_name__.csr

openssl x509 -req -extfile <(printf "subjectAltName=DNS:__domain_name_could__use_wildcard__") -days 365 -in __domain_name__.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out __domain_name__.crt

Cheat sheet for certificate identifier properties: https://www.ibm.com/docs/en/ibm-mq/7.5?topic=certificates-distinguished-names

You might need to change some configurations in /etc/gitlab/gitlab.rb

nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"
nginx['ssl_certificate'] = "/etc/gitlab/ssl/__domain_name__.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/__domain_name__.key"

Remember to reconfigure and restart your gitlab server afterwards.

gitlab-ctl reconfigure
gitlab-ctl restart

You can check whether your certificate has been correctly updated with the following command:

openssl s_client -connect __domain_name__:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:

The output should be "DNS:domain_name"

Then I simply transferred the domain_name.crt file generated on the gitlab server to the gitlab runner into /etc/gitlab_runner/certs, as suggested by the answer above.

And that's it, after that I was able to register my runner.

Arpeggio answered 8/10, 2023 at 8:24 Comment(1)
This answer is valid. GitLab runner agents require a Subject Alternative Name (SAN) in the certificate. This answer complements the accepted answer. (Roadhouse)
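Trot's and Arpeggio's answers above both regenerate the server certificate so that it carries a SAN. What the runner ultimately checks is that the certificate chains to the file given in `--tls-ca-file` and that its SAN covers the name or IP in the registration URL. The script below is an added example (not code from either answer and not GitLab's) that builds a small private CA and a server certificate with both a DNS and an IP SAN, lists every SAN (the `grep DNS:` check above would not reveal a missing IP entry, which is what the question's x509 error complained about), and runs the same chain plus name/IP validation against the CA that a TLS client performs. `gitlab.example.com`, `192.0.2.10`, the temporary directory and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the answers above or from GitLab.
# Builds a private CA and a CA-signed server certificate with DNS and IP SANs,
# then validates it the way a TLS client (and so gitlab-runner) does.
set -eu

# Write ca.key/ca.crt and server.key/server.crt into DIR for HOST and IP.
# The file to copy to the runner and pass as --tls-ca-file is ca.crt.
make_ca_signed_cert() {
    _dir=$1; _host=$2; _ip=$3

    # Minimal OpenSSL config for the CA: CA:TRUE plus keyCertSign, which
    # OpenSSL requires before it accepts a certificate as an issuer. The DN
    # section is a placeholder overridden by -subj.
    cat > "${_dir}/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -config "${_dir}/ca.cnf" \
        -subj "/CN=Example GitLab private CA" \
        -keyout "${_dir}/ca.key" -out "${_dir}/ca.crt" >/dev/null 2>&1

    # Server key and signing request for the GitLab host.
    openssl req -new -nodes -newkey rsa:2048 -config "${_dir}/ca.cnf" \
        -subj "/CN=${_host}" \
        -keyout "${_dir}/server.key" -out "${_dir}/server.csr" >/dev/null 2>&1

    # Extensions are applied by the signer: SAN with DNS and IP entries,
    # explicitly not a CA, server authentication only.
    printf 'subjectAltName=DNS:%s,IP:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$_host" "$_ip" > "${_dir}/server.ext"
    openssl x509 -req -days 825 -in "${_dir}/server.csr" \
        -CA "${_dir}/ca.crt" -CAkey "${_dir}/ca.key" -CAcreateserial \
        -extfile "${_dir}/server.ext" -out "${_dir}/server.crt" >/dev/null 2>&1
}

# Print every Subject Alternative Name on one line, e.g.
# "DNS:gitlab.example.com, IP Address:192.0.2.10".
list_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | sed -n '2,$p' | sed 's/^[[:space:]]*//' | tr -d '\n'
}

# Validate LEAF against CA for TARGET, a host name or a dotted IPv4 address:
# chain to the trusted CA, then SAN match on the name or IP connected to.
verify_against_ca() {
    _ca=$1; _leaf=$2; _target=$3
    case $_target in
        *[!0-9.]*) _opt=-verify_hostname ;;
        *)         _opt=-verify_ip ;;
    esac
    openssl verify -CAfile "$_ca" "$_opt" "$_target" "$_leaf" >/dev/null 2>&1
}

# Demonstration with constructed names.
tmp=$(mktemp -d)
make_ca_signed_cert "$tmp" gitlab.example.com 192.0.2.10
echo "SANs in server.crt: $(list_sans "$tmp/server.crt")"
for target in gitlab.example.com 192.0.2.10 192.0.2.11; do
    if verify_against_ca "$tmp/ca.crt" "$tmp/server.crt" "$target"; then
        echo "$target: OK, registering with https://$target validates against ca.crt"
    else
        echo "$target: not covered, registering with https://$target would fail"
    fi
done
rm -rf "$tmp"
```

In this layout only `ca.crt` goes to the runner host (the `/etc/gitlab-runner/certs` directory used in the answers above); `server.crt` and `server.key` stay with the GitLab server, and `list_sans` is the check to run on `server.crt` before deciding whether to register with the host name or the IP address.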
