GitLab Runner: server certificate verification failed

Is anyone else getting the problem with the SSL certificate after the Let's Encrypt DST Root CA X3 Expiration (September 2021) - Let's Encrypt?

I have been facing this problem since 1st Oct.

`unable to access 'https://gitlab-ci-token:[MASKED]@domainname/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none`

  • I'm using self-managed GitLab

    • GitLab:
      version: 14.3.2
    • Runner: (It runs on local machine using docker)
      version 14.3.0
  • CI configuration from .gitlab-ci.yml

image: ruby2.6  # name is changed
services:
  - redis:latest
stages:
  - code-quality
  - test

EsLint & Rubocop:
  stage: code-quality
  before_script:
    - ruby -v
    - nodejs -v
    - yarn install --frozen-lockfile --offline --check-files
    - git fetch origin master
  script:
    - yarn lint-changed

4 Likes

I’m facing the same issue. Is there any update?

Hello,

I have exactly the same issue.
On my side I have GitLab CE 13.12 hosted on Ubuntu Server 16.04.7 LTS.

The CI/CD pipelines were working before 29/09/2021 (end of the DST Root CA X3 certificate).

I tried different solutions to fix the error message, but none of these operations worked:

  • restarting the Ubuntu Server
  • reconfiguring and restarting the GitLab service
  • checking the SSL configuration in gitlab.rb: OK (correct path to .key and .pem/crt, and there is no fresh change)
  • using sudo update-ca-certificates to update the system certificates
  • updating the whole system, including OpenSSL fixes (version 1.0.2g)
  • trying to edit ca-certificates.crt
  • trying to change and disable the certificate in ca-certificates.conf (with !mozilla/DST…)
  • trying to add ISRG_Root_X1.crt in /etc/gitlab/trusted-certs/ (following the documentation on trusting a root certificate)
  • trying to trust the GitLab certificate in the system /usr/local/share/ca-certificates/ + update-ca-certificates: 1 added (completing the last action)
  • trying to manually edit the blocks in gitlab.customdomain.com.crt with the ISRG_Root_X1.crt
  • checking for broken packages to update: 0
  • checking systemctl for failed processes: 0
  • ufw rules: OK

The GitLab UI in the browser is working correctly with HTTPS, and SSH (curl OK and wget OK).
There is only an issue with Git commands from random clients connecting to the GitLab URL.

Can you help us, please?
Thanks.
Best regards.

same problem +++

I ran into the same problem. I updated my one year old docker-image (Ubuntu 20.04) I used for the build and that fixed it.

Ya, I fixed it… It's not a problem with the GitLab CA certificates.
It's the image which you are using in your GitLab CI/CD pipelines.
Just build a new image with updated certs.
`sudo apt-get install --yes software-properties-common` will update all the files as well as the certificates.
If you just want to update the certificates:
sudo update-ca-certificates

Did you make the change in config.toml? If so, could you please provide the configuration?

sudo apt-get update
sudo apt-get install apt-transport-https ca-certificates -y
sudo update-ca-certificates

This works for me.

2 Likes
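
Several replies above trace the failure to the CA bundle inside the CI job image rather than to the GitLab server. The following is an added example, not code from the thread or from GitLab: a shell check that lists every certificate in a bundle such as `/etc/ssl/certs/ca-certificates.crt` and flags the image for a rebuild. The function names are hypothetical, and treating "an expired certificate is still present, or no valid ISRG Root X1" as the sign of a stale bundle is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Needs openssl, awk and mktemp.

# list_bundle BUNDLE [SECONDS]
# Prints "<state><TAB><subject>" for every certificate in a PEM bundle.
# state is EXPIRED if the certificate is not valid SECONDS from now
# (default 0 = already expired), otherwise ok.
list_bundle() {
    [ -r "$1" ] || return 2
    horizon=${2:-0}
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%05d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$1"
    for pem in "$tmp"/*.pem; do
        [ -e "$pem" ] || continue
        subject=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null) || continue
        if openssl x509 -in "$pem" -noout -checkend "$horizon" >/dev/null 2>&1; then
            state=ok
        else
            state=EXPIRED
        fi
        printf '%s\t%s\n' "$state" "$subject"
    done
    rm -rf "$tmp"
}

# bundle_is_stale BUNDLE
# Exit 0 (stale) if the bundle still ships an expired certificate or has no
# valid "ISRG Root X1"; exit 1 if it looks current. Heuristic (assumption).
bundle_is_stale() {
    report=$(list_bundle "$1") || return 0
    if printf '%s\n' "$report" | grep -q '^EXPIRED'; then
        return 0
    fi
    if printf '%s\n' "$report" | grep '^ok' | grep -qF 'ISRG Root X1'; then
        return 1
    fi
    return 0
}

# Typical use at the top of a CI job's before_script:
#   bundle_is_stale /etc/ssl/certs/ca-certificates.crt && echo "rebuild this image"
```

Passing a number of seconds as the second argument to `list_bundle` also reports certificates that will expire within that window, which gives warning before the next root expiry breaks a pipeline.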