gitlab-runner 15.5.0 on macOS fails to clone repository: error setting certificate verify locations: CAfile...
Summary
After updating gitlab-runner from 15.4.0 to 15.5.0, repository cloning starts failing.
Steps to reproduce
Start any job with gitlab-runner 15.5.0 on macOS. Our Kubernetes runners with 15.5.0 have no problems.
In our particular case it's a self-hosted GitLab 15.5.0 with a valid certificate provided by Cloudflare. The certificate is valid for any prior gitlab-runner version as well as for curl, Safari, etc.
Actual behavior
Errors appear:
Reinitialized existing Git repository in /Users/ci/builds/nQMt-qB3/0/app/app/.git/
fatal: unable to access 'https://gitlab.mycompany.net/app/app.git/': error setting certificate verify locations: CAfile: /Users/ci/builds/nQMt-qB3/0/app/app.tmp/CI_SERVER_TLS_CA_FILE CApath: none
Expected behavior
Cloning works.
Relevant logs and/or screenshots
job log
Running with gitlab-runner 15.5.0 (0d4137b8)
on CI MacMini M1 Augsburg nQMt-qB3
Preparing the "shell" executor
00:00
Using Shell executor...
Preparing environment
00:00
Running on CI-MacMini-M1-Augsburg...
Getting source from Git repository
00:00
Fetching changes with git depth set to 20...
Reinitialized existing Git repository in /Users/ci/builds/nQMt-qB3/0/app/app/.git/
fatal: unable to access 'https://gitlab.mycompany.net/app/app.git/': error setting certificate verify locations: CAfile: /Users/ci/builds/nQMt-qB3/0/app/app.tmp/CI_SERVER_TLS_CA_FILE CApath: none
Environment description
macOS 12.6.1 amd64 and arm64 platforms (3 runners in total)
config.toml contents
concurrent = 2
check_interval = 0
sentry_dsn = "https://censored"
[session_server]
session_timeout = 1800
[[runners]]
name = "CI MacMini M1 Augsburg"
url = "https://gitlab.mycompany.net/"
token = "censored"
executor = "shell"
[runners.custom_build_dir]
[runners.cache]
[runners.cache.s3]
[runners.cache.gcs]
[runners.cache.azure]
Used GitLab Runner version
Version: 15.5.0
Git revision: 0d4137b8
Git branch: 15-5-stable
GO version: go1.19.2
Built: 2022-10-20T22:46:35+00:00
OS/Arch: darwin/arm64
Possible fixes
- Fall back to gitlab-runner 15.4.0 or 15.3.0
- Upgrade to 15.5.1 and add FF_RESOLVE_FULL_TLS_CHAIN = false to your config:
[[runners]]
name = "ruby-2.7-docker"
url = "https://CI/"
token = "TOKEN"
executor = "docker"
[runners.feature_flags]
FF_RESOLVE_FULL_TLS_CHAIN = false