
gitlab-runner cannot clone due to expired root certificate

I have this error while cloning on gitlab ci:

unable to access 'https://gitlab-ci-token:[secure]@git.mydomain.com/mydomain/api.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none.

My Root CA has expired today the 30th and thus must have been removed from my keychain.

I have upgraded my certificates (Debian) and all seems fine, except this error does not go away in my dockerized gitlab-runner.

How can I fix it?

This is a problem on the server side, and it needs to be fixed by replacing the chain of CA certificates.

Because Sectigo knew that this root certificate would expire soon, several years ago they created a new root certificate and registered it with all the major browser vendors and OS manufacturers. However, because many older systems don't upgrade their certificates, this new root CA was signed by an older CA, a process called cross-signing. This allows people to use the new root for issuing certificates yet remain compatible with older systems.

Systems on the Internet today can no longer handle the legacy root because it's now expired, so there's no benefit to using it anymore.

Some TLS libraries can figure out that a certificate chains to a trusted root and ignore the extra, expired root certificates, but some cannot. As a result, the fact that you have the old AddTrust External Root CA certificate in your certificate chain can break some of those TLS libraries, which is what's happening here.

Sectigo has documentation on this issue. You want to remove the AddTrust CA certificate and make sure that the UserTrust or COMODO root that you're using is self-signed. If you're using a Debian or Ubuntu system, you may be able to find the appropriate root certificate in /etc/ssl/certs.

Even better, you can just remove the root certificate altogether and only include intermediates, since the root certificate isn't actually needed when creating the TLS connection: the client must already have it.

In Debian 9, I resolved the issue by removing the certificate below.

sudo rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
sudo update-ca-certificates
