Gitlab runner Server certificate verification failed

Is anyone getting the problem with the SSL certificate after the Let's Encrypt DST Root CA X3 Expiration (September 2021) - Let's Encrypt?

I'm facing this problem since 1st Oct.

`unable to access 'https://gitlab-ci-token:[MASKED]@domainname/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none`

  • I'm using self-managed GitLab

    • GitLab:
      version: 14.3.2
    • Runner: (It runs on local machine using docker)
      version 14.3.0
  • CI configuration from .gitlab-ci.yml

image: ruby2.6  # name is changed
services:
  - redis:latest
stages:
  - code-quality
  - test

EsLint & Rubocop:
  stage: code-quality
  before_script:
    - ruby -v
    - nodejs -v
    - yarn install --frozen-lockfile --offline --check-files
    - git fetch origin master
  script:
    - yarn lint-changed

3 Likes

I’m facing the same issue. Is there any update?

Hello,

I have exactly the same issue.
On my side I have GitLab CE 13.12 hosted on Ubuntu Server 16.04.7 LTS.

The CI/CD pipelines were working before 29/09/2021 (end of the DST Root CA X3 certificate).

I tried different solutions to fix the error message, but none of these operations work:

  • restarting the Ubuntu Server
  • reconfigure and restart GitLab service
  • checking SSL configuration in gitlab.rb OK (correct path .key and .pem/crt, and there is no fresh change)
  • using sudo update-ca-certificates to update certificates system
  • updating all the system and with OpenSSL fixes (version 1.0.2g)
  • trying to edit ca-certificates.crt
  • trying to change and disable the certificate in ca-certificates.conf (with !mozilla/DST…)
  • trying to add ISRG_Root_X1.crt in /etc/gitlab/trusted-certs/ (regarding the documentation to trust root certificate)
  • trying to trust the gitlab certificate in the system /usr/local/share/ca-certificates/ + update-ca-certificates : 1 added (completing the last action)
  • trying to edit manually blocks in gitlab.customdomain.com.crt with the ISRG_Root_X1.crt
  • check broken package to update : 0
  • check systemctl failed process : 0
  • ufw rules : OK

The GitLab UI in the browser is working correctly with HTTPS, and SSH (curl OK and wget OK).
There is only an issue with Git commands from random clients connecting to the GitLab URL.

Can you help us, please?
Thanks.
Best regards.

same problem +++

I ran into the same problem. I updated my one year old docker-image (Ubuntu 20.04) I used for the build and that fixed it.

Ya, I fixed it… It's not a problem with the GitLab CA certificates.
It's the image which you are using in your GitLab CI/CD pipelines.
Just build a new image with updated certs.
sudo apt-get install --yes software-properties-common will update all the files as well as certificates.
If you just want to update the certificates:
sudo update-ca-certificates

1 Like

Did you make the change in config.toml? If so, could you please provide the configuration?

sudo apt-get update
sudo apt-get install apt-transport-https ca-certificates -y 
sudo update-ca-certificates

This works for me.

1 Like

sudo apt-get update
sudo apt-get install apt-transport-https ca-certificates -y 
sudo update-ca-certificates

Works for me. My gitlab runner machines just randomly fail due to this…

And have you solved it, please?
If yes, can you tell us what you have done?

I have the same problem but with a slightly different error message.
In my case I have:

server certificate verification failed. CAfile: none CRLfile: none

and not

CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

It seems that even the CAfile isn’t identified here in my case.
Does anyone have any suggestions?

3 Likes

Same problem

Hi,
I have solved the problem ;)

I checked the site with SSL Labs and saw that one CA is missing on the server.

I have put the CAs in the cert file (under the cert)

gitlab-ctl reconfigure

reboot

I’m having the same problem. Please share if you already know the solution. Thank you so much!

I'm having the same problem too. The CI worked a week ago, but now (maybe because of updating to 15.7.2?) I have the same error as everyone. update-ca-certificates doesn’t help :(

I solved it, in my case, by changing the image from `node:14.15.4` to `node:14.21.2`.

Hey, Guys!

Just type this in the CLI (I mean, Ubuntu 20.04, that’s my case) :

For all repos

git config --global http.sslVerify "false"

For a single repo

git config http.sslVerify false

And this will enable you to “bypass” the certificate error.

7 Likes

Thank you, this resolved my problem too.

Had the same issue within an ubuntu:latest container where I installed git to end up in a similar server certificate verification failed. CAfile: none CRLfile: none error while trying to git pull.

I simply had to add the ca-certificates package to solve the issue.
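
The two error variants quoted in this thread (`CAfile: none` versus a `CAfile:` path) point at different fixes. The triage helper below is an added example, not code from any poster or from GitLab; its function names and sample lines are constructed for illustration, and it also flags a job environment where verification has been switched off through `http.sslVerify` or `GIT_SSL_NO_VERIFY`.

```bash
#!/usr/bin/env bash
# Added example: triage of git's "server certificate verification failed" line.
# Function names and sample lines are constructed for illustration.

# Print the CAfile value from the error line ("none" or a path); empty if absent.
cafile_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*CAfile: \([^ ]*\) CRLfile:.*/\1/p'
}

# Count PEM certificates in a bundle; prints 0 if the file is missing or empty.
count_certs() {
  if [ -r "$1" ]; then grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
  else echo 0; fi
}

# Map an error line to the fix reported in the thread.
# $2 optionally overrides the bundle path to inspect (used for testing).
diagnose() {
  local cafile n
  cafile=$(cafile_from_error "$1")
  case "$cafile" in
    "")   echo "not-a-ca-error"; return ;;
    none) echo "no-bundle: install the ca-certificates package in the job image"; return ;;
  esac
  n=$(count_certs "${2:-$cafile}")
  if [ "$n" -eq 0 ]; then
    echo "empty-bundle: $cafile is missing or empty, run update-ca-certificates"
  else
    echo "stale-or-incomplete: refresh ca-certificates in the job image, or check that the server sends its full chain"
  fi
}

# True when git TLS verification is off: GIT_SSL_NO_VERIFY is non-empty, or the
# given git config file (default ~/.gitconfig) sets sslVerify to a false value.
verify_disabled() {
  [ -n "${GIT_SSL_NO_VERIFY:-}" ] && return 0
  grep -Eiq '^[[:space:]]*sslverify[[:space:]]*=[[:space:]]*"?(false|no|off|0)' "${1:-${HOME:-}/.gitconfig}" 2>/dev/null
}

# Constructed sample lines matching the two variants quoted in the thread.
while IFS= read -r line; do diagnose "$line"; done <<'EOF'
server certificate verification failed. CAfile: none CRLfile: none
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
EOF
if verify_disabled; then echo "warning: git TLS verification is disabled here"; fi
```

Run inside the job image (for example from `before_script`), the `stale-or-incomplete` result still leaves two causes to separate: an outdated bundle in the image, or a server certificate file that lacks an intermediate CA.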

I’m still getting the same issue. Any other way to resolve it?