Clone operation fails with "Peer certificate cannot be authenticated with known CA certificates" error
Summary after the investigation
Since gitlab-runner 10.6.0 we switched to Go 1.9.4; as a result of that upgrade, client.getCAChain(tls *tls.ConnectionState)
produces a PEM-encoded certificate containing only some parts of the chain.
It's worth noting that we are not suffering from this problem on gitlab.com, so it has to be tied to the server TLS configuration.
This problem isn't related to any particular executor.
Original report
Summary
I'm running GitLab 10.6 (from source) and gitlab-runner 10.6.0 (manual install). Ever since I upgraded to gitlab-runner 10.6.0, gitlab-runner fails to clone Git repositories.
By inspecting leftovers in the (failed) build directory, I found the Git configuration file contains the following:
cat /home/gitlab-runner/builds/1a208ef7/0/sale/malscan.tmp/git-template/config
[fetch]
	recurseSubmodules = false
[http "https://gitlab.example"]
	sslCAInfo = /home/gitlab-runner/builds/XXXXXXXX/0/username/project.tmp/CI_SERVER_TLS_CA_FILE
And by inspecting the sslCAInfo file (/home/gitlab-runner/builds/XXXXXXXX/0/username/project.tmp/CI_SERVER_TLS_CA_FILE), I found that this is actually the SSL certificate of our GitLab instance in PEM format. Shouldn't this file contain the CA certificate (in PEM format) instead?
As a temporary workaround, I disabled sslVerify for the gitlab-runner user with the git config --global http.sslVerify false command.
Steps to reproduce
Update gitlab-runner to version 10.6.0, register it as a shared runner with shell executor and run a pipeline.
Actual behavior
Builds fail with the following error:
Running with gitlab-runner 10.6.0 (XXXXXXXX)
on gitlab.example.com shell runner XXXXXXXX
Using Shell executor...
Running on gitlab.example.com...
Cloning repository...
Cloning into '/home/gitlab-runner/builds/XXXXXXXX/0/username/project'...
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.example.com/username/project.git/': Peer certificate cannot be authenticated with known CA certificates
ERROR Job failed: exit status 1
Expected behavior
Build should at least pass the Git repo cloning phase.
Relevant logs and/or screenshots
N/A
Environment description
Here are the details about gitlab-runner in my case. Gitlab-runner is installed locally, on the same server as GitLab 10.6 community edition.
gitlab-runner is registered as a shared runner with shell executor.
Used GitLab Runner version
Version: 10.6.0
Git revision: a3543a27
Git branch: 10-6-stable
GO version: go1.9.4
Built: 2018-03-22T08:34:11+00:00
OS/Arch: linux/amd64
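One way to check whether a PEM file handed to http.sslCAInfo (such as CI_SERVER_TLS_CA_FILE) holds a complete chain or only parts of it. This is an added example, not code from the report or from gitlab-runner; the names missingIssuers and sampleCert are hypothetical, and the certificates are constructed at run time as sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// missingIssuers lists issuers named by a certificate in the bundle but absent from it.
func missingIssuers(data []byte) (missing []string, err error) {
	var certs []*x509.Certificate
	subjects := map[string]bool{}
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		c, perr := x509.ParseCertificate(b.Bytes)
		if perr != nil {
			return nil, perr
		}
		certs, subjects[string(c.RawSubject)] = append(certs, c), true
	}
	for _, c := range certs {
		if !subjects[string(c.RawIssuer)] { // a self-signed root is its own issuer
			missing = append(missing, c.Issuer.CommonName)
		}
	}
	return missing, nil
}

// sampleCert builds a constructed certificate; a nil parent means self-signed.
func sampleCert(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	return t, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	root, rootKey, rootPEM := sampleCert("Constructed Root CA", true, nil, nil)
	_, _, leafPEM := sampleCert("gitlab.example", false, root, rootKey)
	fmt.Println(missingIssuers(leafPEM))                       // server certificate only
	fmt.Println(missingIssuers(append(leafPEM, rootPEM...))) // server certificate plus its issuer
}
```

A non-empty result means the file names an issuer it does not contain, which is the situation described in the report: the server certificate alone, with no CA certificate to anchor it.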