Gitlab-CI runner: ignore self-signed certificate

gitlab-ci-multi-runner register

gave me

couldn't execute POST against https://xxxx/ci/api/v1/runners/register.json:
Post https://xxxx/ci/api/v1/runners/register.json: 
x509: cannot validate certificate for xxxx because it doesn't contain any IP SANs

Is there a way to disable certificate validation?

I am using Gitlab 8.13.1 and gitlab-ci-multi-runner 1.11.2.

+16
6 answers

Based on Wassim's answer and the GitLab documentation on self-signed and CA-signed certificates, here is how to save some time if you are not an administrator of the GitLab server but only of the server with the runners (and if the runner runs as root):

SERVER=gitlab.example.com
PORT=443
CERTIFICATE=/etc/gitlab-runner/certs/${SERVER}.crt

# Create the certificates hierarchy expected by gitlab
sudo mkdir -p "$(dirname "$CERTIFICATE")"

# Get the certificate in PEM format and store it
openssl s_client -connect ${SERVER}:${PORT} -showcerts </dev/null 2>/dev/null | sed -e '/-----BEGIN/,/-----END/!d' | sudo tee "$CERTIFICATE" >/dev/null

# Register your runner
gitlab-runner register --tls-ca-file="$CERTIFICATE" [your other options]

Update 1: The certificate must be an absolute path in the right place.

2: CA - gitlab-runner # 2675

+25

, .pem :

sudo gitlab-runner register --tls-ca-file /my/path/gitlab/gitlab.myserver.com.pem
+7

, http://moonlightbox.logdown.com/posts/2016/09/12/gitlab-ci-runner-register-x509-error, . , :

ssl GitLab ( )

vim /etc/pki/tls/openssl.cnf

[ v3_ca ]
subjectAltName=IP:192.168.1.1 <---- Add this line. 192.168.1.1 is your GitLab server IP.

cd /etc/gitlab/ssl
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/gitlab/ssl/192.168.1.1.key -out /etc/gitlab/ssl/192.168.1.1.crt
sudo openssl dhparam -out /etc/gitlab/ssl/dhparam.pem 2048
sudo gitlab-ctl restart

GitLab CI

scp /etc/gitlab/ssl/192.168.1.1.crt root@192.168.1.2:/etc/gitlab-runner/certs

@Moon Light @Wassim Dhif

+6
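
Added example, not part of any answer on this page: gitlab-runner is written in Go, and the error in the question is produced by Go's crypto/x509 hostname check. Using constructed in-memory certificates (the helper names selfSigned and verifyPinned are hypothetical), it shows that a certificate without an IP SAN fails for an IP address, that one with the IP SAN verifies when it is the only trusted root (the role of the --tls-ca-file PEM), and that a different key with the same names is still rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned returns a constructed self-signed certificate; ips become IP SANs.
func selfSigned(cn string, ips ...net.IP) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: true,
		IPAddresses: ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyPinned trusts only `trusted` (like the --tls-ca-file PEM) and checks `presented` for host.
func verifyPinned(trusted, presented *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	const ip = "192.168.1.1" // server address used in the answers above
	noSAN, _ := selfSigned("gitlab.example.com")                    // hostname in CN only
	withSAN, _ := selfSigned("gitlab.example.com", net.ParseIP(ip)) // IP SAN added
	other, _ := selfSigned("gitlab.example.com", net.ParseIP(ip))   // same names, different key
	fmt.Println("no IP SAN:  ", verifyPinned(noSAN, noSAN, ip))
	fmt.Println("with IP SAN:", verifyPinned(withSAN, withSAN, ip))
	fmt.Println("other key:  ", verifyPinned(withSAN, other, ip))
}
```

Verification stays enabled in all three cases; only the set of trusted roots changes, which is the difference from setting GIT_SSL_NO_VERIFY=true.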

ssl.

GitLab .

, PEM runner --tls-ca-file

PEM openssl.
openssl x509 -in mycert.crt -out mycert.pem -outform PEM

+4

. , IP/Name, , IP/Name, .

gitlab-runner register --tls-ca-file /my/path/gitlab/gitlab.myserver.com.pem

, config.toml runners ( [runners.docker]): extra_hosts = ["git.domain.com:192.168.99.100"] . https://gitlab.com/gitlab-org/gitlab-runner/issues/2209

, , gitlab/gitlab-runner config.toml, , gitlab-host (( [runners.docker]):  network_mode="host"

, SSL-Cert (https://gitlab.com/gitlab-org/gitlab-runner/issues/2659). environment = ["GIT_SSL_NO_VERIFY=true"] [[]].

+4

. (Ubuntu)


gitlab. ,

  1. https://some-host-gitlab.com ( Chrome).
  2. View site information, usually a green padlock in the URL bar.
  3. Download / export the certificate by going to the certificate information (chrome, Firefox has this option)

The gitlab runner

  1. Rename the downloaded certificate with a .crt extension

    $ mv some-host-gitlab.com some-host-gitlab.com.crt

  2. Register a runner now with this file

    $ sudo gitlab-runner register --tls-ca-file /path/to/some-host-gitlab.com.crt

I was able to register the runner in the project.

+2