Gitlab Runner no access to private repository: HTTP Basic: Access denied

leaflot · February 21, 2023, 3:55pm

Hi everyone!

General

I’m using the Gitlab Omnibus CE Docker image as well as the official Gitlab runner image from Docker-Hub in order to setup a self-hosted solution for Gitlab pages.

The test-site is just a simple index.html together with the .gitlab-ci.yml file for CI:

image: node:current-alpine
pages:
  stage: deploy
  environment: production
  script:
    - mkdir .public
    - cp -r ./* .public
    - rm -rf public
    - mv .public public
  artifacts:
    paths:
      - public
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

Expected behaviour

When the repository is set to being publicly visible, everything works as expected: On every commit the Pipeline finishes successfully and the site is automatigically deployed with Gitlab Pages.

Issue

Unfortunately, as soon as the repository is set to private, the pipeline throws the following error in the deployment stage, no matter how often repeated:

Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/leaflot/tro/.git/
Created fresh repository.
remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://git.domain.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied
fatal: Authentication failed for 'http://git.domain.com/leaflot/tro.git/'
Cleaning up project directory and file based variables 00:01
ERROR: Job failed: exit code 1

When setting up the Gitlab runner, after the Docker container got started, the only command I execute is gitlab-runner register.
This opens a prompt in which the Gitlab-server domain, a registration token and a description have to be entered.
On completion, the runner instance appears on the Gitlab site.

It seems this error is due to the runner not having the right permissions to access private repositories(?)
However I’m not sure if therefore any other token would be required, maybe inside the .gitlab-ci.yml?

Couldn’t find any other options exept the -t Runner token [$CI_SERVER_TOKEN] parameter for the register-command, which doesn’t seem right.

Any suggestions or ideas are highly appreciated/needed :/!

EDIT:

The ability to pass a runner registration token was deprecated in GitLab 15.6 and is planned for removal in 17.0, along with support for certain configuration arguments. This change is a breaking change. GitLab plans to introduce a new GitLab Runner token architecture, which introduces a new method for registering runners and eliminates the legacy runner registration token.

Could it have to do with this change?

brendts · March 27, 2023, 7:06pm

Did you perhaps have some form of LDAP or SSO authentication in place on Gitlab? I ran into an issue where our runner was trying to authenticate with LDAP/Kerberos under the hood which was failing. We thought it was an issue with the CI_JOB_TOKEN but that was not the issue.

quoc9x · April 22, 2023, 4:52am

I have the same problem.

I solved it by edit the config.toml and and add the clone_URL.

[[runners]]
url = “https://gitlab.example.com”
clone_url = “https://gitlab.example.com”

Hope useful to you!

leaflot · June 6, 2023, 4:38pm

Thanks a lot @quoc9x!
The “http://” in your logs or “https://” in your [[runners]] config accordingly catched my eye.
I recreated the Gitlab instance with SSL support on the main instance and the HTTP Basic Auth error disappeared. If you use HTTP Basic Auth over unencrypted HTTP strange errors might occur.

leaflot · June 6, 2023, 4:39pm

@brendts Actually there’s no SSO in place.
Cheers!