I am not able to get a successful run of the Auto DevOps pipeline. I have gone through multiple tutorials, guides, issues, fixes and workarounds, but I have now reached a point where I need your support.
I have a home Kubernetes cluster (two VMs) and a GitLab server using HTTPS. I have set up the cluster and defined it at the GitLab group level (Helm, Ingress, Runner installed). I had to do a few tunings to make the runner register in GitLab (it was not accepting the certificate initially).
Now when I run the Auto DevOps pipeline, I get an error in the logs as below:
Running with gitlab-runner 11.9.0 (692ae235)
on runner-gitlab-runner-5976795575-8495m cwr6YWh8
Using Kubernetes namespace: gitlab-managed-apps
Using Kubernetes executor with image registry.gitlab.com/gitlab-org/cluster-integration/auto-build-image/master:stable ...
Waiting for pod gitlab-managed-apps/runner-cwr6ywh8-project-33-concurrent-0q7bdk to be running, status is Pending
Running on runner-cwr6ywh8-project-33-concurrent-0q7bdk via runner-gitlab-runner-5976795575-8495m...
Initialized empty Git repository in /testing/helloworld/.git/
Fetching changes...
Created fresh repository.
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.mydomain.com/testing/helloworld.git/': SSL certificate problem: unable to get issuer certificate
I have tried many workarounds, like adding the CA certificate of my domain under /home/gitlab-runner/.gitlab-runner/certs/gitlab.mydomain.com.crt, but still no results.
There is a list of solutions for this problem presented here: https://gitlab.com/gitlab-org/gitlab-runner/issues/2659
The most likely but crude solution is: open /etc/gitlab-runner/config.toml and modify as follows:
[[runners]]
environment = ["GIT_SSL_NO_VERIFY=true"]
Then restart the gitlab runner.
Your error occurs when a self-signed certificate can't be verified.
Another workaround, other than adding the CA certificate, is forcing git not to perform the validation of the certificate using the global option:
$ git config --global http.sslVerify false
The GitLab runner doesn't utilize the truststore of the host OS that the gitlab-runner is installed on. The error you are getting is because GitLab-runner cannot validate the certificate your GitLab server is providing. This is likely caused by one of two things. 1) Your GitLab server is providing a self-signed cert. 2) If you are not using a self-signed cert, GitLab-runner is unable to validate the cert because one of the certificates in the certificate chain is missing (the root CA cert or an intermediate CA cert).
Solution: You need to provide GitLab-runner with the certificates that you want it to trust. Either your self-signed CA cert and self-signed certificate (for scenario 1), or the full certificate chain: GitLab server certificate > intermediate CA certificate > root CA certificate.
How to do this:
1) Create a fullCertChain.crt file, and paste the full certificate chain into that file.
2) Copy that fullCertChain.crt somewhere onto your gitlab-runner server, such as at /etc/gitlab-runner/ca-certs
3) Modify /etc/gitlab-runner/config.toml on the gitlab-runner server. In the [[runners]] section, add this line:
[[runners]]
tls-ca-file = "/etc/gitlab-runner/ca-certs/fullCertChain.crt"
4) Restart the gitlab-runner to have the changes picked up (I don't think this step is actually needed, but I did it just in case)
sudo gitlab-runner start
5) Verify the runner started back up correctly:
sudo gitlab-runner list
Your GitLab runner should now be able to connect back to your https://gitlabHost
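
An added example (not part of any answer above, and not GitLab Runner's own code): a small audit of config.toml that flags the GIT_SSL_NO_VERIFY workaround from the first answer and checks that the tls-ca-file from the last answer is readable and actually contains PEM certificates. The runner name, the finding codes and the function names are assumptions made for illustration.

```python
try:
    import tomllib                  # standard library from Python 3.11
except ModuleNotFoundError:
    import tomli as tomllib         # same API, for older interpreters

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

# Constructed sample configs; the runner name is a placeholder.
WORKAROUND = """
[[runners]]
  name = "k8s-runner"
  url = "https://gitlab.mydomain.com/"
  environment = ["GIT_SSL_NO_VERIFY=true"]
"""
WITH_CA_FILE = """
[[runners]]
  name = "k8s-runner"
  url = "https://gitlab.mydomain.com/"
  tls-ca-file = "/etc/gitlab-runner/ca-certs/fullCertChain.crt"
"""

def _read(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()

def audit_runner_config(toml_text, read_file=_read):
    """Return (runner name, finding code) pairs for TLS-related settings."""
    findings = []
    for runner in tomllib.loads(toml_text).get("runners", []):
        name = runner.get("name", "<unnamed>")
        # environment holds "KEY=value" strings exported into every job.
        env = dict(e.split("=", 1) for e in runner.get("environment", []) if "=" in e)
        if "GIT_SSL_NO_VERIFY" in env:
            # Flag any value: the variable being present is what gets reported.
            findings.append((name, "GIT_SSL_NO_VERIFY_SET"))
        ca_file = runner.get("tls-ca-file")
        if ca_file is None:
            continue
        try:
            bundle = read_file(ca_file)
        except OSError:
            findings.append((name, "CA_FILE_UNREADABLE"))
            continue
        if bundle.count(PEM_BEGIN) == 0:
            findings.append((name, "CA_FILE_NO_CERTS"))
    return findings

if __name__ == "__main__":
    for label, text in (("workaround", WORKAROUND), ("with CA file", WITH_CA_FILE)):
        print(label, audit_runner_config(text))
```

Run it against the real file with `audit_runner_config(open("/etc/gitlab-runner/config.toml").read())`; an empty list means none of the three conditions was found.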