How can I clone over ssh from gitlab-runner?

I am in the situation where my gitlab-runner cannot do a git clone https://path.to.repo.git because of a gnutls_handshake error. If I try this by hand I get the same behaviour. A manual git clone git@path.to.repo.git works without errors.

Is there a way to configure the gitlab-runner to also use the ssh path?

Sounds like you’re having some issues with SSL. Are you using a self-signed cert or anything? What is the exact error you’re seeing?

Why not try gnutls-cli -p 443 domain.com? Any errors printed?

@Mooash, @Frederick888
Thanks for thinking with me!

gnutls-cli -p 443 mydomain.com results in:

```
Resolving ‘mydomain.com’…
Connecting to ‘xxx.xxx.xxx.xx:443’…
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.
```

I am using a StartSSL certificate; SSLLabs.com gives me almost full score.

The issue that bites me is https://confluence.atlassian.com/pages/viewpage.action?pageId=419005548. If I rebuild git using libcurl4-openssl-dev instead of libcurl4-gnutls-dev I can clone through https.

I am provisioning a VM with Ansible and instead of building git from source I thought it would be easier if I could persuade Gitlab CI to clone over ssh.

Can you post what your cipher suite is? I think if you tweak it a little you’ll get a result you’re expecting. You don’t need to rebuild libcurl, just tweak your suite a little.

My apache2/mods-available/ssl.conf contains:
SSLCipherSuite AES256+EECDH:!aNULL

SSLLabs.com reports these:

```
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
ECDH 256 bits (eq. 3072 bits RSA)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
ECDH 256 bits (eq. 3072 bits RSA)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
ECDH 256 bits (eq. 3072 bits RSA)
```

This plus various other settings leads to a 100/95/100/100 score on ssllabs.com.

Which suite do you think I would need to add?

I would try one of the recommended cipher suites from here.

You should still be able to get a great score on ssllabs.com but remember, getting 100% doesn’t matter if nothing works. :smile:

Thanks! I am travelling right now with very little internet access but will try to get this working soon.

The quick fix was to use Ubuntu 15.04 for my gitlab_runner instead of 14.04.

Now I revisited the issue and found that SSLCipherSuite AES256+EECDH:DHE-RSA-AES256-SHA:!aNULL works in my case (and yields the same SSLLabs score).

Thanks again for pointing me in the right direction.
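
Added example, not part of the thread: a way to check what the two `SSLCipherSuite` values quoted above leave for a client that cannot negotiate ECDHE. That the failing GnuTLS client offers no ECDHE suites is an assumption (the thread does not show its cipher list), and the helper names `expand`, `key_exchange` and `usable_without_ecdhe` are hypothetical.

```python
import ssl

# The two Apache SSLCipherSuite values quoted in the thread.
ORIGINAL = "AES256+EECDH:!aNULL"
WIDENED = "AES256+EECDH:DHE-RSA-AES256-SHA:!aNULL"


def expand(cipher_string):
    """Expand an OpenSSL cipher string into TLS <= 1.2 suite names.

    Uses the OpenSSL linked into this Python, which may differ from the
    one behind Apache's mod_ssl, so treat the result as indicative.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites (names starting "TLS_") are listed regardless of
    # set_ciphers(); drop them, the cipher string does not control them.
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def key_exchange(name):
    """Classify an OpenSSL suite name by its key exchange."""
    if name.startswith("ECDHE-"):
        return "ECDHE"
    if name.startswith("DHE-"):
        return "DHE"
    return "other"


def usable_without_ecdhe(cipher_string):
    """Suites left for a client that cannot do ECDHE (assumed client)."""
    return [n for n in expand(cipher_string) if key_exchange(n) != "ECDHE"]


if __name__ == "__main__":
    for label, value in (("original", ORIGINAL), ("widened", WIDENED)):
        left = usable_without_ecdhe(value)
        print(f"{label}: {value}")
        print("  all suites:", ", ".join(expand(value)))
        print("  for a non-ECDHE client:",
              ", ".join(left) or "none (handshake fails)")
```

An empty result for a cipher string means such a client and the server share no suite, which the server reports with the handshake-failure alert seen in the `gnutls-cli` output.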