Pipeline Failing to Clone over HTTPS

I added a new runner for my corporate Gitlab instance. We’re using Gitlab 14.7.5-EE and the runner is on Rocky Linux 8. After adding the running I updated a pipeline to use it but on the first stage it immediately fails with an error. I logged into the runner and tried to clone over https and immediately received the same error:

fatal: unable to access '<server URL>': SSL certificate problem: EE certificate key too weak

This is a privately hosted Gitlab instance on our corporate network. I’m assuming on the server we would need to use a key that’s 1024bits or better, but in the meantime, what can I do to the runner to have it work?

The solution is to use secure TLS certificates.

This message comes from OpenSSL within the Rocky Linux 8 and while it is probably possible to lower the OpenSSL Security Level I definitely do not recommend to do it. However, playing around OpenSSL config in openssl.cnf might resolve it.

I fixed it and so I’ll write what I did here for future reference:

While looking at /etc/pki/tls/openssl.cnf on the server and comparing it to our CentOS 7 runner I noticed at the beginning it had the following at the beginning:

# Load default TLS policy configuration
openssl_conf = default_modules

[ default_modules ]
ssl_conf = ssl_module

[ ssl_module ]
system_default = crypto_policy

[ crypto_policy ]
.include /etc/crypto-policies/back-ends/opensslcnf.config

I looked at /etc/crypto-policies/back-ends/opensslcnf.config to see what ciphers were enabled. Instead of editing this file I used the following command to check the security policy:

# update-crypto-policies --show
FUTURE

So I updated the policy and rebooted the server:

update-crypto-policies --set DEFAULT
reboot

Now I can clone over https just fine.