Gitlab runner Server certificate verification failed

Does any one getting the problem with the SSL certificate after lets encrypt DST Root CA X3 Expiration (September 2021) - Let's Encrypt

I m facing this problem since 1st Oct

unable to access 'https://gitlab-ci-token:[MASKED]@domainname/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none`

Screenshot 2021-10-04 at 4.54.59 PM2230×335 95.1 KB

• I m using self-managed GitLab

  • GitLab:
    version: 14.3.2
  • Runner: (It runs on local machine using docker)
    version 14.3.0

• CI configuration from .gitlab-ci.yml

image: ruby2.6(name is changed)
services:
  - redis:latest
stages:
  - code-quality
  - test

EsLint & Rubocop:
  stage: code-quality
  before_script:
    - ruby -v
    - nodejs -v
    - yarn install --frozen-lockfile --offline --check-files
    - git fetch origin master
  script:
    - yarn lint-changed

I’m facing the same issue. Is there any update ?

Hello,

I have exactly the same issue.
On my side i have GitLab CE 13.12 hosted on Ubuntu Server 16.04.7 TLS.

The CI/CD pipelines was working before the 29/09/2021 (end of the DST Root CA X3 certificate).

I try different solutions to fix the error message, but all of this operations doesn’t work :

• restarting the Ubuntu Server
• reconfigure and restart GitLab service
• checking SSL configuration in gitlab.rb OK (correct path .key and .pem/crt, and there is no fresh change)
• using sudo update-ca-certificates to update certificates system
• updating all the system and with OpenSSL fixes (version 1.0.2g)
• trying to editing ca-certificates.crt
• trying to change and disable certificate in ca-certificates.conf(with !mozilla/DST…)
• trying to add ISRG_Root_X1.crt in /etc/gitlab/trusted-certs/ (regarding the documentation to trust root certificate)
• trying to trust the gitlab certificate in the system /usr/local/share/ca-certificates/ + update-ca-certificates : 1 added (completing the last action)
• trying to edit manually blocks in gitlab.customdomain.com.crt with the ISRG_Root_X1.crt
• check broken package to update : 0
• check systemctl failed process : 0
• ufw rules : OK

The gitlab UI for browser is working correctly with HTTPS, and SSH, (curl OK and wget OK)
There only issue with GIT commands from random clients connecting on the GitLab URL

can you help us please ?
Thanks.
Best regards.

same problem +++

I ran into the same problem. I updated my one year old docker-image (Ubuntu 20.04) I used for the build and that fixed it.

Ya I fixed it… Its not the problem with the gitlab lab CA certificates.
Its the image which you are using in your gitlab CI/CD pipelines.
Just build the new image with updated certs.
sudo apt-get install --yes software-properties-common will update all the files as well as certificates.
if you just want to update the certificates
sudo update-ca-certificates

did you do the change on config.toml, if so could you please provide the configuration?

sduo apt-get update
sudo apt-get install apt-transport-https ca-certificates -y 
sudo update-ca-certificates

this works for me.

sudo apt-get update
sudo apt-get install apt-transport-https ca-certificates -y 
sudo update-ca-certificates

Works for me. My gitlab runner machines just randomly fail due to this…

and have you solved it please ?
if yes can you tell us what you have done

i have the same problem but with a little bit different error message
in my case i have :

server certificate verification failed. CAfile: none CRLfile: none

and not

CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

it seems that even the CAfile isn’t identified here in my case
does anyone have any suggestion ?

Same problem

Hi,
i have solved the problem

i have checked the site with ssllabs and see that one ca is missing on the server.

i have put the ca`s in the cert file (under the cert)

gitlab-ctl reconfigure

reboot

I’m having the same problem. Please share if you already know the solution. Thank you so much!

Im too having the same problem. The CI worked a week ago, but now (maybe because of updating to 15.7.2?) I have the same error as everyone. update-ca-certificates doesn’t help:(

I solved it, in my case, changing the image from node:14.15.4 to `node:14.21.2"

Hey, Guys!

Just type this in the CLI (I mean, Ubuntu 20.04, that’s my case) :

For all repo

git config --global http.sslVerify "false"

For a single repo

git config http.sslVerify false

And this will enable you to “bypass” the certificate error.

Thank you, this resolved my problem too.

Had the same issue within an ubuntu:latest container where I installed git to end up in a similar server certificate verification failed. CAfile: none CRLfile: none error while trying to git pull.

I simply had to add the ca-certificates package to solve the issue.

I’m still getting the same issue. Any other way to resolve it?