Docker runner not importing ssl from host

qubusp · January 24, 2018, 12:57pm

Hello I’m getting this error

Running with gitlab-runner 10.4.0 (857480b6)
  on mobile-stuff (5c700787)
Using Docker executor with image kube-registry.int.company.com/mobile/imago ...
Using docker image sha256:48d7b0d488628f733b2b102fddd70d538ce692370209dbf1c7d941e8eed544f9 for predefined container...
Pulling docker image kube-registry.int.company.com/mobile/imago ...
Using docker image kube-registry.int.company.com/mobile/imago ID=sha256:f362c74e22272151088e01ec0b5994bb1c45afac7e3890cd677c0ee6c28a7985 for build container...
Running on runner-5c700787-project-15-concurrent-0 via mobile-prod-brq-001.s.company.com...
Cloning repository...
Cloning into '/builds/testing/certification-appium'...
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@git.int.company.com/testing/certification-appium.git/': SSL certificate problem: unable to get local issuer certificate
ERROR: Job failed: exit code 1

My config. toml looks like that:

[[runners]]
  name = "mobile-stuff"
  url = "https://git.int.company.com/"
  token = "5c700787e9e619c0d06f4a3140ec09"
  executor = "docker"
  [runners.docker]
    tls_verify = true
    tls-ca-file = "/etc/pki/tls/certs/ca-bundle.crt"
    image = "kube-registry.int.company.com/mobile/imago"
    privileged = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
  [runners.cache]

Please advise. The runners work under shell executor, but under docker they don’t.

Host OS: Centos &
Docker: 17.12.0-ce, build c97c6d6
Version: 10.4.0
Git revision: 857480b6
Git branch: 10-4-stable
GO version: go1.8.5
Built: Mon, 22 Jan 2018 09:47:33 +0000
OS/Arch: linux/amd64

MeachamusPrime · March 29, 2018, 2:27pm

I’m seeing the same issue. Figured it out, yet?

I’ll come back and leave something if I figure it out.

MeachamusPrime · April 13, 2018, 4:18pm

I was able to workaround this issue by adding the troublesome certificate to my trusted store in CentOS 7. If you are using a non-redhat based OS, you’re process will be different. I would discourage this process unless you eminently trust the server host and owner.

$ sudo -i
# openssl s_client -connect gitlab.example.com:443 <<<‘’ | openssl x509 -out /etc/pki/ca-trust/source/anchors/gitlab.example.com.crt
# update-ca-trust enable
# update-ca-trust extract
# chmod u+w $(readlink /etc/pki/tls/certs/ca-bundle.crt)
# echo >> $(readlink /etc/pki/tls/certs/ca-bundle.crt)
# echo “# gitlab.example.com” >> $(readlink /etc/pki/tls/certs/ca-bundle.crt)
# cat /etc/pki/ca-trust/source/anchors/gitlab.example.com.crt >> $(readlink /etc/pki/tls/certs/ca-bundle.crt)
# chmod u-w $(readlink /etc/pki/tls/certs/ca-bundle.crt)
# systemctl restart gitlab-runner
# systemctl restart docker
# exit

Hope it helps.

Topic		Replies	Views
Docker runner fails with SSL certificate problem: unable to get local issuer certificate GitLab CI/CD	3	2923	February 19, 2024
GitLab Runner cannot clone, unable to get issuer certificate Infrastructure as Code & Cloud Native ci , runner , kubernetes , ssl	2	10184	December 14, 2023
SSL certificate problem: unable to get issuer certificate with docker GitLab CI/CD runner , docker	1	1438	December 14, 2019
Gitlab Runner SSL certificate problem: unable to get local issuer certificate GitLab CI/CD ci , runner	7	8567	December 14, 2023
Certificate issue with gitlab runner cloning repository GitLab CI/CD runner , maven , ssl	5	13369	December 20, 2018

Docker runner not importing ssl from host

Related topics