Upgraded to 17.0.2 CE on-premise : my runners fail to authenticate (HTTP Basic: Access denied.)

How to Use GitLab Self-managed
1

Problem to solve

Hello,
I just upgraded my on-premise Gitlab CE instance to 17.0.2 CE. This is a Docker running installation.
Everything works fine except my runners.
They now cannot authenticate on my private package registry. During my CI jobs, composer install fails with error remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password.

Here is the output:

Failed to execute git clone --mirror -- 'https://mygitlab.mydomain.com/libs/composablefile.git' '/root/.cache/composer/vcs/https---mygitlab.mydomain.com-libs-composablefile.git/'                                                         
                                                                               
Cloning into bare repository '/root/.cache/composer/vcs/https---mygitlab.mydomain.com-libs-composablefile.git'...                                           
remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://mygitlab.mydomain.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied                  
fatal: Authentication failed for 'https://mygitlab.mydomain.com/libs/composablefile.git/'

2FA is not enforced in my instance settings.

Steps to reproduce

If I try composer install with my account and my personal access token, it works. My private dependencies are fetched correctly from my private registry. So I can say the private registry works well.

I tried to reset all my runners tokens. But auth still fails.

I also tried to recreate my runners since I noticed that the runners token architecture changed recently. But it still fails.

I also tried to add clone_url in my runners TOML config. But it still fails.

I pulled the latest gitlab/gitlab-runner:alpine image, recreated the container, cleared the runner cache from the UI. But it still fails.

Versions

  • Self-managed - GitLab 17.0.2 CE (Docker)

Thanks for your help.

2

Could be due to the fact that tokens in Gitlab now expire and they cannot have an expiry longer than 1 year. If you had tokens created in an earlier version of Gitlab that didn’t have an expiry date, they were then forced to have a 1 year expiry. Check your personal access tokens, project tokens etc and generate new ones so that your CI jobs can run again.

3

Hello,
ok, I found the solution.

I did not mention that I ran a long upgrade path from Gitlab 13… :blush:
And it seems that, in Gitlab 13, runners did not need to register an access token to have access to Composer private repositories.

But now, they need it.

So, I just added composer config gitlab-token.mygitlab.mydomain.com $CI_JOB_TOKEN in my .gitlab-ci.yml just before composer install.

2 Likes