gitlab-ci-multi-runner register
gave me
couldn't execute POST against https://xxxx/ci/api/v1/runners/register.json:
Post https://xxxx/ci/api/v1/runners/register.json:
x509: cannot validate certificate for xxxx because it doesn't contain any IP SANs
Is there a way to disable certification validation?
I'm using Gitlab 8.13.1 and gitlab-ci-multi-runner 1.11.2.
On
Currently there is no possibility to run the multi runner with an insecure ssl option.
There is currently an open issue at GitLab about that.
Still you should be able to get your certificate, make it a PEM file and give it to the runner command using --tls-ca-file
To craft the PEM file use openssl.
openssl x509 -in mycert.crt -out mycert.pem -outform PEM
On
Ok I followed step by step this post http://moonlightbox.logdown.com/posts/2016/09/12/gitlab-ci-runner-register-x509-error and then it worked like a charm. To prevent dead link I copy the steps below:
First edit ssl configuration on the GitLab server (not the runner)
vim /etc/pki/tls/openssl.cnf
[ v3_ca ]
subjectAltName=IP:192.168.1.1 <---- Add this line. 192.168.1.1 is your GitLab server IP.
Re-generate self-signed certificate
cd /etc/gitlab/ssl
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/gitlab/ssl/192.168.1.1.key -out /etc/gitlab/ssl/192.168.1.1.crt
sudo openssl dhparam -out /etc/gitlab/ssl/dhparam.pem 2048
sudo gitlab-ctl restart
Copy the new CA to the GitLab CI runner
scp /etc/gitlab/ssl/192.168.1.1.crt [email protected]:/etc/gitlab-runner/certs
Thanks @Moon Light @Wassim Dhif
On
In my case I got it working by adding the path to the .pem file as following:
sudo gitlab-runner register --tls-ca-file /my/path/gitlab/gitlab.myserver.com.pem
Often, gitlab-runners are hosted in a docker container. In that case, one needs to make sure that the tls-ca-file is available in the container.
On
In my setup the following the following worked as well. It's just important that IP/Name used for creating certificate matches IP/Name used for registering the runner.
gitlab-runner register --tls-ca-file /my/path/gitlab/gitlab.myserver.com.pem
Furthermore, it could be necessary to add a line for hostname lookup to the runners config.toml file also (section [runners.docker]):
extra_hosts = ["git.domain.com:192.168.99.100"]
see also https://gitlab.com/gitlab-org/gitlab-runner/issues/2209
In addition, there could be some network-trouble if for gitlab/gitlab-runner network-mode host is used, it has to be added to the config.toml as well, as it starts additional containers, which otherwise could have a problem to connect to the gitlab-host ((section [runners.docker]):
network_mode="host"
Finally, there might be an issue with the self-signed SSL-Cert (https://gitlab.com/gitlab-org/gitlab-runner/issues/2659).
A dirty workaround is to add
environment = ["GIT_SSL_NO_VERIFY=true"]
to the [[runners]] section.
On
The following steps worked in my environment. (Ubuntu)
Download certificate
I did not have access to the gitlab server. Therefore,
In gitlab-runner host
Rename the downloaded certificate with .crt
$ mv some-host-gitlab.com some-host-gitlab.com.crt
Register the runner now with this file
$ sudo gitlab-runner register --tls-ca-file /path/to/some-host-gitlab.com.crt
I was able to register runner to a project.
On
I ran into the same issue, in my case I had to generate SANs SSL certificate with the following commands (replace the vars with your specific environment) :
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -subj "/C=__country__/ST=__state_or_province__/L=__locality__/O=__organisation(s)__/CN=__common_name__" -out ca.crt
openssl req -newkey rsa:2048 -nodes -keyout __domain_name__.key -subj "/C=__country__/ST=__state_or_province__/L=__locality__/O=__organisation(s)__/CN=__common_name__" -out __domain_name__.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:__domain_name_could__use_wildcard__") -days 365 -in __domain_name__.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out __domain_name__.crt
cheat sheet for certificate identifier properties : https://www.ibm.com/docs/en/ibm-mq/7.5?topic=certificates-distinguished-names
You might need to change some configurations in /etc/gitlab/gitlab.rb
nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"
nginx['ssl_certificate'] = "/etc/gitlab/ssl/__domain_name__.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/__domain_name__.key"
Think to reconfigure and restart you gitlab server after.
gitlab-ctl reconfigure
gitlab-ctl restart
You can check if your certificate have been correctely updated with the following command
openssl s_client -connect __domain_name__:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:
The output should be "DNS:domain_name"
Then I simply transfered the domain_name.crt file generated on the gitlab server to the gitlab runner into /etc/gitlab_runner/certs, like suggested by the response above
And that's it, after that I was able to register my runner.
Based on Wassim's answer, and gitlab documentation about tls-self-signed and custom CA-signed certificates, here's to save some time if you're not the admin of the gitlab server but just of the server with the runners (and if the runner is run as root):
Update 1:
CERTIFICATEmust be an absolute path to the certificate file.Update 2: it might still fail with custom CA-signed because of gitlab-runner bug #2675