Registering Gitlab-Runner using Self signed cert

Hi,

currently I cannot register my Gitlab-Runner to my Gitlab Server on the local network due to the following error:

x509: certificate is not valid for any names, but wanted to match gitlab.local

Does anyone face the same issue?

Steps to reproduce

Gitlab-runner documentation

Add the following line to /etc/hosts:

x.x.x.x gitlab.local

Get crt file from gitlab.local:

openssl s_client -showcerts -connect gitlab.local:443 -servername gitlab.local < /dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/gitlab-runner/certs/gitlab.local.crt

Register the runner using:

gitlab-runner register --tls-ca-file=/etc/gitlab-runner/certs/gitlab.local.crt

You have to replace the self-signed cert that GitLab installs with one that has a subject alt name field. Here’s a one-line recipe to make such a certificate on the machine hosting the GitLab instance:

openssl req -nodes -x509 -sha256 -newkey rsa:4096 -keyout your-host.tld.key -out your-host.tld.crt -days 356 -subj "/C=CC/ST=State/L=City/O=Your Organization Name/OU=Your Department/CN=your-host.tld" -addext "subjectAltName = DNS:localhost,DNS:your-host.tld"

Replace “your-host.tld” with your FQDN host name everywhere, CC with your country code (e.g., US), etc. to customize the fields to your case. Then install the certificate and key in place of the original ones on the GitLab server and restart it.

On the runner, you may need to copy the cert file over and add it to the trusted store. Write back if the docs are unclear on how to do this.

Hi @alansill,

Thank you for your answer. I have tried that command, however the field subjectAltName is not accepted due to

Duplicate extension: “subjectAltName

Do you have any ideas?

BR

I cannot see the difference, but this solution works for me:
https://raymii.org/s/tutorials/OpenSSL_generate_self_signed_cert_with_Subject_Alternative_name_oneliner.html

Some useful link:

It worked out of the box for me. What version of openssl and what OS are you using?