Gitlab Runner doesn't have access to update submodules

Summary

When CI pipeline is triggered by a push, the Gitlab Runner correctly pulls the main project but submodule update fails with status code 400.

This used to work before upgrading to Gitlab 10.1.1. Previous version used was 10.X.X.

Steps to reproduce

Have a main project with multiple Git submodules. Each submodule corresponds to a Gitlab project
Use GIT_SUBMODULE_STRATEGY: recursive in .gitlab-ci.yml
Create runner with gitlab-runner register --tls-cert-file /etc/gitlab-runner/certs/my_cert.crt --tls-key-file /etc/gitlab-runner/certs/my_key.key
Push a commit in the main project as a user that has access to all projects

Actual behavior

Main project gets updated to the latest commit but submodule update fails with the error fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@my.custom-domain.com/group/project.git/': The requested URL returned error: 400.

Same behaviour after:

Restarting server
Creating a new runner
Replacing GIT_SUBMODULE_STRATEGY with - git submodule sync --recursive and - git submodule update --init --recursive in .gitlab-ci.yml

Expected behavior

All submodules get updated and build starts. This was the behaviour before upgrading Gitlab.

Relevant logs and/or screenshots

Running with gitlab-runner 10.1.0 (c1ecf97f)
  on runner-name (02d24829)
Using Shell executor...
Running on xxxxx...
Fetching changes...
HEAD is now at 66050b5 Commit message
From https://my.custom-domain.com/group/project
   66050b5..bfd4d4a  master     -> origin/master
Checking out bfd4d4a1 as master...
Updating/initializing submodules recursively...
Synchronizing submodule url for 'submodule1'
Synchronizing submodule url for 'submodule2'
Synchronizing submodule url for 'submodule3'
Synchronizing submodule url for 'submodule4'
Synchronizing submodule url for 'submodule5'
Synchronizing submodule url for 'submodule6'
Synchronizing submodule url for 'submodule6/submodule1'
Synchronizing submodule url for 'submodule6/submodule2'
Synchronizing submodule url for 'submodule6/submodule3'
Synchronizing submodule url for 'submodule7'
Synchronizing submodule url for 'submodule8'
Synchronizing submodule url for 'submodule9'
Synchronizing submodule url for 'submodule10'
Synchronizing submodule url for 'submodule11'
Synchronizing submodule url for 'submodule11'
Synchronizing submodule url for 'submodule12'
Synchronizing submodule url for 'submodule13'
Synchronizing submodule url for 'submodule13/submodule1'
Synchronizing submodule url for 'submodule13/submodule2'
Synchronizing submodule url for 'submodule14'
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@my.custom-domain.com/group/submodule10.git/': The requested URL returned error: 400
Unable to fetch in submodule path 'submodule10'
ERROR: Job failed: exit status 1

Environment description

User pushing the change has access to all projects
The Runner has Protected and Lock to current projects (main project) enabled
Runner TLS certificate and key are used
Shell executor is used

Used GitLab Runner version

Version:      10.1.0
Git revision: c1ecf97f
Git branch:   10-1-stable
GO version:   go1.8.3
Built:        Sat, 21 Oct 2017 21:33:24 +0000
OS/Arch:      linux/amd64

Edited Nov 08, 2017 by Stefan