How to set up the Docker executor with SSL? (SSL certificate problem: unable to get issuer certificate)

Hi all,

I'm having issues with setting up the Docker executor with SSL. I've tried everything and I've looked everywhere for a tutorial on how to do this, but no luck. I've seen several threads here around similar issues, but I had no luck finding answers.

I'm getting this error:

Running with gitlab-ci-multi-runner 1.7.1 (f896af7)
Using Docker executor with image node:6.9.1 ...
Pulling docker image postgres:latest ...
Starting service postgres:latest ...
Waiting for services to be up and running...
Pulling docker image node:6.9.1 ...
Running on runner-46c04447-project-1-concurrent-0 via gitlab-acme.com...
Fetching changes...
HEAD is now at b4a333a Update .gitlab-ci.yml
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab-acme.com/root/demo.git/': SSL certificate problem: unable to get issuer certificate
ERROR: Build failed: exit code 1

It only works when I set GIT_SSL_NO_VERIFY: "true" in the variables section, but that defeats the whole purpose of having SSL. Not to mention that I'm greeted around the corner with another SSL error from npm.

Here is my .gitlab-ci.yml:

image: node:6.9.1
cache:
  paths:
  - node_modules/
variables:
  PG_PORT: test
  PG_DB: test
  PG_USER: test
  PG_PASS: test
services:
  - postgres:latest
all_tests:
  script:
    - npm install
    - npm test

I've installed Omnibus GitLab on 16.04.1 with the following directory structure:

/etc/gitlab/
  gitlab.rb
  gitlab-secrets.json
  trusted-certs/
  ssl/
    gitlab-acme.com.crt
    gitlab-acme.com.key

/etc/gitlab-runner/
  config.toml
  certs/
     gitlab-acme.com.crt -> ../../gitlab/ssl/gitlab-acme.com.crt

My SSL certs are not self-signed and they're properly arranged:

cat gitlab-acme.com.crt DigiCertCA.crt > /etc/gitlab/ssl/gitlab-acme.com.crt

My config.toml looks like this:

concurrent = 1
check_interval = 0

[[runners]]
  name = "gitlab-acme"
  url = "https://gitlab-acme.com/"
  token = "46c04447901a19f75f5b9f0d5647f4"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "node:6.9.1"
    tls_cert_path = "/etc/gitlab-runner/certs"
    privileged = false
    disable_cache = false
    volumes = ["/cache"]
    extra_hosts = ["gitlab-acme.com:192.168.1.105"]
  [runners.cache]

Here is the output from gitlab-runner --debug run:

Checking for builds... received                     build=22 repo_url=https://gitlab-acme.com/root/demo.git runner=46c04447
Failed to requeue the runner:                       builds=1 runner=46c04447
Running with gitlab-ci-multi-runner 1.7.1 (f896af7)  build=22 project=1 runner=46c04447
Shell configuration: environment: []
dockercommand:
- sh
- -c
- "if [ -x /usr/local/bin/bash ]; then
\texec /usr/local/bin/bash 
elif [ -x /usr/bin/bash
  ]; then
\texec /usr/bin/bash 
elif [ -x /bin/bash ]; then
\texec /bin/bash 
elif
  [ -x /usr/local/bin/sh ]; then
\texec /usr/local/bin/sh 
elif [ -x /usr/bin/sh
  ]; then
\texec /usr/bin/sh 
elif [ -x /bin/sh ]; then
\texec /bin/sh 
else
\techo
  shell not found
\texit 1
fi

"
command: bash
arguments: []
passfile: false
extension: ""
  build=22 project=1 runner=46c04447
Using Docker executor with image node:6.9.1 ...     build=22 project=1 runner=46c04447
Applying docker.Client transport fix: &{false 0xc4202f7470 <nil> 0xc420342460 unix:///var/run/docker.sock 0xc42022c380 0xc42032c960 [1 18] [] [] <nil>}  host=unix:///var/run/docker.sock
Creating build volume...                            build=22 project=1 runner=46c04447
Using container 6d0ec4aa2caa33377aa31d943e60ce1f63cd5dd582ed33064651bd211d6c6967 as cache /builds/root ...  build=22 project=1 runner=46c04447
Creating services...                                build=22 project=1 runner=46c04447
Looking for image postgres:latest ...               build=22 project=1 runner=46c04447
Pulling docker image postgres:latest ...            build=22 project=1 runner=46c04447
Removed container runner-46c04447-project-1-concurrent-0-postgres with No such container: runner-46c04447-project-1-concurrent-0-postgres  build=22 project=1 runner=46c04447
Starting service postgres:latest ...                build=22 project=1 runner=46c04447
Creating service container runner-46c04447-project-1-concurrent-0-postgres ...  build=22 project=1 runner=46c04447
Starting service container 75298975e75a7c5a1958b3b85ee9d220b29b90474b8c3e37560ad887480fa70b ...  build=22 project=1 runner=46c04447
Created service postgres:latest as 75298975e75a7c5a1958b3b85ee9d220b29b90474b8c3e37560ad887480fa70b  build=22 project=1 runner=46c04447
Waiting for services to be up and running...        build=22 project=1 runner=46c04447
Looking for prebuilt image gitlab-runner-prebuilt-x86_64:f896af7 ...  build=22 project=1 runner=46c04447
Waiting for service container runner-46c04447-project-1-concurrent-0-postgres to be up and running...  build=22 project=1 runner=46c04447
Feeding runners to channel                          builds=1
Submitting build to coordinator... ok               build=22 runner=46c04447
Appending trace to coordinator... ok                build=22 build-log=0-273 build-status=running code=202 runner=46c04447 sent-log=0-273 status=202 Accepted
Removed container e7b012e34d2721766fdf309932ea923f6a6b3b17ca2d421a14e391d07a357b7f with <nil>  build=22 project=1 runner=46c04447
Creating user-defined volumes...                    build=22 project=1 runner=46c04447
Using container bb6b82dd4366570fba69bd051dcb012776e6e78a9c65066b5b940aa1f6bd666f as cache /cache ...  build=22 project=1 runner=46c04447
Starting Docker command...                          build=22 project=1 runner=46c04447
Looking for prebuilt image gitlab-runner-prebuilt-x86_64:f896af7 ...  build=22 project=1 runner=46c04447
Looking for image sha256:2d4f56260a05a2169dbb7cd06afe43df1a6b314115d12c1ccefa7b78a237f97c ...  build=22 project=1 runner=46c04447
Removed container runner-46c04447-project-1-concurrent-0-predefined with No such container: runner-46c04447-project-1-concurrent-0-predefined  build=22 project=1 runner=46c04447
Creating container runner-46c04447-project-1-concurrent-0-predefined ...  build=22 project=1 runner=46c04447
Looking for image node:6.9.1 ...                    build=22 project=1 runner=46c04447
Pulling docker image node:6.9.1 ...                 build=22 project=1 runner=46c04447
Removed container runner-46c04447-project-1-concurrent-0-build with No such container: runner-46c04447-project-1-concurrent-0-build  build=22 project=1 runner=46c04447
Creating container runner-46c04447-project-1-concurrent-0-build ...  build=22 project=1 runner=46c04447
Waiting for signals...                              build=22 project=1 runner=46c04447
Executing on runner-46c04447-project-1-concurrent-0-predefined the set -eo pipefail
set +o noclobber
: | eval $'echo "Running on $(hostname) via gitlab-acme..."
export CI=$\'true\'
export CI_DEBUG_TRACE=$\'false\'
export CI_BUILD_REF=$\'2f6696ef197f3a667b6be3c5bdcc4d859a237252\'
export CI_BUILD_BEFORE_SHA=$\'2f6696ef197f3a667b6be3c5bdcc4d859a237252\'
export CI_BUILD_REF_NAME=$\'develop\'
export CI_BUILD_ID=22
export CI_BUILD_REPO=$\'https://gitlab-ci-token:9fpzFFrRf_T5qzNPMD9W@gitlab-acme.com/root/demo.git\'
export CI_BUILD_TOKEN=$\'9fpzFFrRf_T5qzNPMD9W\'
export CI_PROJECT_ID=1
export CI_PROJECT_DIR=$\'/builds/root/demo\'
export CI_SERVER=$\'yes\'
export CI_SERVER_NAME=$\'GitLab CI\'
export CI_SERVER_VERSION=\'\'
export CI_SERVER_REVISION=\'\'
export GITLAB_CI=$\'true\'
export CI=$\'true\'
export GITLAB_CI=$\'true\'
export CI_BUILD_ID=22
export CI_BUILD_TOKEN=$\'9fpzFFrRf_T5qzNPMD9W\'
export CI_BUILD_REF=$\'2f6696ef197f3a667b6be3c5bdcc4d859a237252\'
export CI_BUILD_BEFORE_SHA=$\'2f6696ef197f3a667b6be3c5bdcc4d859a237252\'
export CI_BUILD_REF_NAME=$\'develop\'
export CI_BUILD_NAME=$\'all_tests\'
export CI_BUILD_STAGE=$\'test\'
export CI_SERVER_NAME=$\'GitLab\'
export CI_SERVER_VERSION=8.13.6
export CI_SERVER_REVISION=$\'69cda01\'
export CI_PROJECT_ID=1
export CI_PROJECT_NAME=$\'demo\'
export CI_PROJECT_PATH=$\'root/demo\'
export CI_PROJECT_NAMESPACE=$\'root\'
export CI_PROJECT_URL=$\'https://gitlab-acme.com/root/demo\'
export CI_PIPELINE_ID=10
export CI_RUNNER_ID=1
export CI_RUNNER_DESCRIPTION=$\'gitlab-acme\'
export CI_RUNNER_TAGS=$\'test\'
export PG_PORT=$\'test\'
export PG_DB=$\'test\'
export PG_USER=$\'test\'
export PG_PASS=$\'test\'
export GITLAB_USER_ID=1
export GITLAB_USER_EMAIL=$\'admin@example.com\'
mkdir -p "/builds/root/demo.tmp"
echo -n $\'-----BEGIN CERTIFICATE-----\\r\
<SERVER CERT>
-----END CERTIFICATE-----\\r\
-----BEGIN CERTIFICATE-----\\r\
<DIGI CERT>
-----END CERTIFICATE-----\\r\
\' > "/builds/root/demo.tmp/GIT_SSL_CAINFO"
export GIT_SSL_CAINFO="/builds/root/demo.tmp/GIT_SSL_CAINFO"
mkdir -p "/builds/root/demo.tmp"
echo -n $\'-----BEGIN CERTIFICATE-----\\r\
<SERVER CERT>
-----END CERTIFICATE-----\\r\
-----BEGIN CERTIFICATE-----\\r\
<DIGI CERT>
-----END CERTIFICATE-----\\r\
\' > "/builds/root/demo.tmp/CI_SERVER_TLS_CA_FILE"
export CI_SERVER_TLS_CA_FILE="/builds/root/demo.tmp/CI_SERVER_TLS_CA_FILE"
if [[ -d "/builds/root/demo/.git" ]]; then
  echo $\'\\x1b[32;1mFetching changes...\\x1b[0;m\'
  $\'cd\' "/builds/root/demo"
  $\'git\' "config" "fetch.recurseSubmodules" "false"
  $\'rm\' "-f" ".git/index.lock"
  $\'git\' "clean" "-ffdx"
  $\'git\' "reset" "--hard"
  $\'git\' "remote" "set-url" "origin" "https://gitlab-ci-token:9fpzFFrRf_T5qzNPMD9W@gitlab-acme.com/root/demo.git"
  $\'git\' "fetch" "origin" "--prune" "+refs/heads/*:refs/remotes/origin/*" "+refs/tags/*:refs/tags/*"
else
  $\'mkdir\' "-p" "/builds/root/demo.tmp/git-template"
  $\'rm\' "-r" "-f" "/builds/root/demo"
  $\'git\' "config" "-f" "/builds/root/demo.tmp/git-template/config" "fetch.recurseSubmodules" "false"
  echo $\'\\x1b[32;1mCloning repository...\\x1b[0;m\'
  $\'git\' "clone" "--no-checkout" "https://gitlab-ci-token:9fpzFFrRf_T5qzNPMD9W@gitlab-acme.com/root/demo.git" "/builds/root/demo" "--template" "/builds/root/demo.tmp/git-template"
  $\'cd\' "/builds/root/demo"
fi
echo $\'\\x1b[32;1mChecking out 2f6696ef as develop...\\x1b[0;m\'
$\'git\' "checkout" "-f" "-q" "2f6696ef197f3a667b6be3c5bdcc4d859a237252"
if $\'/usr/bin/gitlab-runner-helper\' "--version" >/dev/null 2>/dev/null; then
  echo $\'\\x1b[32;1mChecking cache for all_tests/develop...\\x1b[0;m\'
  if $\'/usr/bin/gitlab-runner-helper\' "cache-extractor" "--file" "../../../cache/root/demo/all_tests/develop/cache.zip" >/dev/null 2>/dev/null; then
    echo $\'\\x1b[32;1mSuccessfully extracted cache\\x1b[0;m\'
  else
    echo $\'\\x1b[0;33mFailed to extract cache\\x1b[0;m\'
  fi
else
  echo $\'\\x1b[0;33mMissing /usr/bin/gitlab-runner-helper. Extracting cache is disabled.\\x1b[0;m\'
fi
'
  build=22 project=1 runner=46c04447
Starting container 512e5b4d57542f742497f1607a87b304815467c23961ac33135dfa6a2a80a43a ...  build=22 project=1 runner=46c04447
Appending trace to coordinator... ok                build=22 build-log=0-318 build-status=running code=202 runner=46c04447 sent-log=273-318 status=202 Accepted
Attaching to container 512e5b4d57542f742497f1607a87b304815467c23961ac33135dfa6a2a80a43a ...  build=22 project=1 runner=46c04447
Waiting for container 512e5b4d57542f742497f1607a87b304815467c23961ac33135dfa6a2a80a43a ...  build=22 project=1 runner=46c04447
Container 512e5b4d57542f742497f1607a87b304815467c23961ac33135dfa6a2a80a43a finished with exit code 1  build=22 project=1 runner=46c04447
WARNING: Build failed: exit code 1                  build=22 project=1 runner=46c04447
Submitting build to coordinator... ok               build=22 runner=46c04447
Removed container aa59431556326110fc7b5f927d22135810d4e6b28c4b4724fe1fffe4fae77b2b with <nil>  build=22 project=1 runner=46c04447
Removed container 512e5b4d57542f742497f1607a87b304815467c23961ac33135dfa6a2a80a43a with <nil>  build=22 project=1 runner=46c04447
Removed container 75298975e75a7c5a1958b3b85ee9d220b29b90474b8c3e37560ad887480fa70b with <nil>  build=22 project=1 runner=46c04447
Closed all idle connections for docker.Client: &{false 0xc4202f7560 <nil> 0x2f798a0 unix:///var/run/docker.sock 0xc42022c380 0xc42032c960 [1 18] [1 24] [1 18] 0xc4202f7590}
Checking for builds... nothing                      runner=46c04447
Feeding runners to channel                          builds=0
Checking for builds... nothing                      runner=46c04447
Feeding runners to channel                          builds=0

Is there a good guide on how to set up Docker executors with SSL in the docs? I couldn't find one. Any help is more than welcome since I'm running out of ideas.

Thanks!
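An added worked example, not part of the original post and not GitLab's or the runner's code. The debug output above shows what the runner wrote into GIT_SSL_CAINFO for the job: the server certificate followed by the DigiCert intermediate, and no root. When git (through libcurl and OpenSSL) is handed a GIT_SSL_CAINFO file, that file is the only trust store it consults, so the chain has to end in a root certificate that is inside the file; a bundle that stops at an intermediate fails with exactly the "unable to get issuer certificate" message quoted in the post. The script below reproduces both cases with a throwaway PKI built with the openssl CLI (assumed to be on PATH; "Demo Root CA", "Demo Intermediate CA" and the temporary file names are invented for the demonstration) and defines checks you can point at a real bundle such as /etc/gitlab-runner/certs/gitlab-acme.com.crt.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the "unable to get issuer
# certificate" failure with a throwaway PKI and shows the bundle layout that fixes it.
# Assumes the openssl CLI (1.1.x or 3.x) on PATH; the Demo CA names and all file names
# are made up for the demonstration.
set -eu

# openssl verify also consults the system store unless told not to, which would mask a
# bundle that is missing its root. git/libcurl given GIT_SSL_CAINFO do not fall back.
NO_DEFAULTS="-no-CApath"
if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then   # option exists on 3.x
  NO_DEFAULTS="$NO_DEFAULTS -no-CAstore"
fi

# ---- checks you can point at a real bundle -------------------------------------

# Number of PEM certificate blocks in a bundle.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# True if the file has CRLF line endings (the \r\n visible in the runner's debug output).
# OpenSSL's PEM reader accepts them, so this is hygiene rather than the cause of the error.
has_crlf() { [ "$(tr -d -c '\r' < "$1" | wc -c | tr -d ' ')" -gt 0 ]; }

# Subject and issuer of each certificate in a bundle, in file order. A usable CA bundle
# has every issuer equal to the next subject and ends with a self-signed root.
list_chain() {
  split_dir=$(mktemp -d)
  awk -v d="$split_dir" '{ sub(/\r$/, "") }
       /-----BEGIN CERTIFICATE-----/ { n++ }
       n > 0 { print > (d "/" n ".pem") }' "$1"
  for f in "$split_dir"/*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer
  done
  rm -rf "$split_dir"
}

# Verify server certificate $2 with $1 as the ONLY trust store, the way git treats
# GIT_SSL_CAINFO. Exit status 0 means the chain reaches a root inside the bundle.
chain_ok() { openssl verify $NO_DEFAULTS -CAfile "$1" "$2" >/dev/null 2>&1; }

# Same check, but print openssl's verdict so the exact error text can be read.
verify_against() { openssl verify $NO_DEFAULTS -CAfile "$1" "$2" 2>&1 || true; }

# ---- throwaway PKI: Demo Root CA -> Demo Intermediate CA -> gitlab-acme.com ------

build_demo_pki() {  # $1 = work dir
  cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:gitlab-acme.com
EOF
  for n in root intermediate server; do
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/$n.key"
  done
  openssl req -new -config "$1/openssl.cnf" -key "$1/root.key" -subj "/CN=Demo Root CA" -out "$1/root.csr"
  openssl req -new -config "$1/openssl.cnf" -key "$1/intermediate.key" -subj "/CN=Demo Intermediate CA" -out "$1/intermediate.csr"
  openssl req -new -config "$1/openssl.cnf" -key "$1/server.key" -subj "/CN=gitlab-acme.com" -out "$1/server.csr"
  # Root signs itself; each lower tier is signed by the key one level up.
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -set_serial 1 -days 2 \
    -extfile "$1/openssl.cnf" -extensions v3_ca -out "$1/root.crt" 2>/dev/null
  openssl x509 -req -in "$1/intermediate.csr" -CA "$1/root.crt" -CAkey "$1/root.key" -set_serial 2 \
    -days 2 -extfile "$1/openssl.cnf" -extensions v3_ca -out "$1/intermediate.crt" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/intermediate.crt" -CAkey "$1/intermediate.key" -set_serial 3 \
    -days 2 -extfile "$1/openssl.cnf" -extensions v3_server -out "$1/server.crt" 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
build_demo_pki "$WORK"

# What the post ships: server certificate + intermediate, no root.
cat "$WORK/server.crt" "$WORK/intermediate.crt" > "$WORK/wrong-bundle.pem"
# A CRLF copy of it, like the \r\n bundle in the runner's debug output.
awk '{ printf "%s\r\n", $0 }' "$WORK/wrong-bundle.pem" > "$WORK/wrong-bundle.crlf"
# What GIT_SSL_CAINFO needs: the CA chain (intermediates and root), no server certificate.
cat "$WORK/intermediate.crt" "$WORK/root.crt" > "$WORK/ca-bundle.pem"

echo "== server + intermediate (what the post ships) =="
list_chain "$WORK/wrong-bundle.pem"
verify_against "$WORK/wrong-bundle.pem" "$WORK/server.crt"   # ... unable to get issuer certificate
echo "== intermediate + root (a usable CA bundle) =="
list_chain "$WORK/ca-bundle.pem"
verify_against "$WORK/ca-bundle.pem" "$WORK/server.crt"      # ends with ": OK"
has_crlf "$WORK/wrong-bundle.crlf" && printf '%s\n' "wrong-bundle.crlf has CRLF endings; normalise with: tr -d '\\r' < in > out"
```

Read against the setup in the post: /etc/gitlab-runner/certs/gitlab-acme.com.crt is a symlink to the NGINX file (server certificate plus DigiCertCA.crt), and the debug output shows those same two certificates, and no root, written into GIT_SSL_CAINFO, so git has nothing to finish the chain with. The NGINX file is right for NGINX; the runner's certs file should instead hold only the CA chain (the DigiCert intermediate followed by the DigiCert root that signed it). One caveat on the config.toml shown: tls_verify and tls_cert_path under [runners.docker] configure TLS to the Docker daemon, not to GitLab, so they have no bearing on this error.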