CI URL used instead of clone URL when setting git TLS configuration

Summary

When the GitLab CI server is reachable on different a URL than the git repositories are, GitLab Runner sets the wrong git variables for configuring the TLS certificate(s) to use. Instead of the URL of the git repository (clone_url in config.toml) it uses the one of the GitLab CI server (url in config.toml). This causes TLS verification to fail.

After a quick peek into abstract.go:writeGitSSLConfig() my guess would be that it needs to use build.GetRemoteURL() (like writeCloneCmd() does) to derive host instead of using build.Runner.URL as it currently does.

Steps to reproduce

  1. Set up a GitLab server providing the CI server on a different port than the git repositories and using a TLS certificate signed by an internal CA.
  2. Set up a host for GitLab runner with the internal CA in the system-default certificate store.
  3. Set up GitLab Runner, providing matching --url and --clone-url values.
  4. Try to clone a project without setting GIT_SSL_NO_VERIFY: "true" in .gitlab-ci.yml. Use CI_DEBUG_TRACE: "true" to see what's going on.

In the example output below http://gitlab.example.com:1234/gitlab/ci is the GitLab CI server URL and https://gitlab.example.com/gitlab is the git repository base URL. The project is myproject in group mygroup.

Actual behavior

[...]
++ git config --global http.http://gitlab.example.com:1234.sslCAInfo /builds/gitlab/mygroup/myproject.tmp/CI_SERVER_TLS_CA_FILE
[...]
++ git remote set-url origin https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.example.com/gitlab/mygroup/myproject.git
++ git fetch origin --prune '+refs/heads/*:refs/remotes/origin/*' '+refs/tags/*:refs/tags/*'
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.example.com/gitlab/mygroup/myproject.git/': SSL certificate problem: unable to get local issuer certificate
[...]

Expected behavior

[...]
++ git config --global http.https://gitlab.example.com.sslCAInfo /builds/gitlab/mygroup/myproject.tmp/CI_SERVER_TLS_CA_FILE
[...]
++ git remote set-url origin https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.example.com/gitlab/mygroup/myproject.git
++ git fetch origin --prune '+refs/heads/*:refs/remotes/origin/*' '+refs/tags/*:refs/tags/*'
From https://gitlab.example.com/gitlab/mygroup/myrepo
 + 1234abcd...5678dcba wip-tls-docker-experiment -> origin/wip-tls-docker-experiment  (forced update)
[...]

Environment description

Custom installation using the Docker executor.

Used GitLab Runner version

Version:      11.1.0
Git revision: 081978aa
Git branch:   
GO version:   go1.8.7
Built:        2018-07-22T07:24:46+00:00
OS/Arch:      linux/amd64
Edited by Sascha Silbe