Since tonight brought the update to GitLab Runner 12.4.0, all jobs fail with:
SSL certificate problem: unable to get issuer certificate
Steps to reproduce
Install gitlab-runner 12.4.0 on Debian 10.
Relevant logs and/or screenshots
job log
Running with gitlab-runner 12.4.0 (1564076b) on gitlab-rlp-runner-01 0c7c02d6Using Docker executor with image docker:stable ...Starting service docker:dind ...Pulling docker image docker:dind ...Using docker image sha256:eaed9efc02d231a28b0f7725551a71459a7763e83bcda5464db66ec4684a1639 for docker:dind ...Waiting for services to be up and running...Pulling docker image docker:stable ...Using docker image sha256:cf85f29ec76f50421c5ba0ff999b8856e044bf08525a8cf2fe2d3fd3d4a8cd86 for docker:stable ...Running on runner-0c7c02d6-project-2629-concurrent-0 via gitlab-rlp-runner-01...Fetching changes...Reinitialized existing Git repository in /builds/zdvsysunix/docker-php/.git/fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.rlp.net/zdvsysunix/docker-php.git/': SSL certificate problem: unable to get issuer certificateUploading artifacts...WARNING: php54-fpm/goss-report.xml: no matching files ERROR: No files to upload ERROR: Job failed: exit code 1
Environment description
This is GitLab 12.3.5-ee with GitLab Runners 12.4.0 on Debian 10
If you are using the docker executor and facing issues like Pulling docker image gitlab/gitlab-runner-helper:x86_64-2d8b7be4 ... ERROR: Job failed: Error response from daemon: manifest for gitlab/gitlab-runner-helper:x86_64-2d8b7be4 not found: manifest unknown: manifest unknown Update config.toml to point to a specific helper image until the issue is merged into master and a patch release it released. To do this check https://docs.gitlab.com/runner/configuration/advanced-configuration.html#overriding-the-helper-image
How is your GitLab SSL configured - does it send only the server certificate, a partial chain or a full chain including the CA certificate?
Can you share your config.toml file (feel free to mask all private content like tokens or URLs if you don't want to share the URLs)?
With 12.4 we've changed the way how Runner is preparing certificates for Git (!1581 (merged), changed next with !1639 (merged)), which unblocked us on the Go version upgrade (for a context: starting with Go 1.9 the net/http changes how response provides information about certificates chain, which is used by GitLab to prepare variables for Git). If you see this starting with 12.4, this is most probably the cause.
Knowing what is your setup we can figure out where the problem is and what solutions are possible.
Running with gitlab-runner 12.4.0 (1564076b) on gitlab-rlp-runner-01 0c7c02d6Using Docker executor with image docker:stable ...Starting service docker:dind ...Pulling docker image docker:dind ...Using docker image sha256:eaed9efc02d231a28b0f7725551a71459a7763e83bcda5464db66ec4684a1639 for docker:dind ...Waiting for services to be up and running...Pulling docker image docker:stable ...Using docker image sha256:cf85f29ec76f50421c5ba0ff999b8856e044bf08525a8cf2fe2d3fd3d4a8cd86 for docker:stable ...Running on runner-0c7c02d6-project-2629-concurrent-0 via gitlab-rlp-runner-01...Fetching changes...Reinitialized existing Git repository in /builds/zdvsysunix/docker-php/.git/fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.rlp.net/zdvsysunix/docker-php.git/': SSL certificate problem: unable to get issuer certificateUploading artifacts...WARNING: php54-fpm/goss-report.xml: no matching files ERROR: No files to upload ERROR: Job failed: exit code 1
@moschlar we did some testing with your GitLab instance by sending some GET requests and we can see that we are generating the correct certificate from our side. So we would like to see what kind of chain GitLab Runner is generating in your environment, this would help us understand why CI is creating the wrong chain for your environment but create the correct one for us.
I'd like you to update the config.toml file with the following:
Notice that we added pre_clone_script so that it prints the chain, you should see something like https://gitlab.com/steveazz/playground/-/jobs/328476358 in your job log ( notice the -----BEGIN CERTIFICATE-----) if we can get all the content of the job log that would be quite helpful.
[0KRunning with gitlab-runner 12.4.0 (1564076b)[0;m[0K on gitlab-rlp-runner-01 0c7c02d6[0;msection_start:1571747728:prepare_executor[0K[0KUsing Docker executor with image docker:stable ...[0;m[0KStarting service docker:dind ...[0;m[0KPulling docker image docker:dind ...[0;m[0KUsing docker image sha256:eaed9efc02d231a28b0f7725551a71459a7763e83bcda5464db66ec4684a1639 for docker:dind ...[0;m[0KWaiting for services to be up and running...[0;m[0KPulling docker image docker:stable ...[0;m[0KUsing docker image sha256:cf85f29ec76f50421c5ba0ff999b8856e044bf08525a8cf2fe2d3fd3d4a8cd86 for docker:stable ...[0;msection_end:1571747734:prepare_executor[0Ksection_start:1571747734:prepare_script[0KRunning on runner-0c7c02d6-project-2629-concurrent-0 via gitlab-rlp-runner-01...section_end:1571747736:prepare_script[0Ksection_start:1571747736:get_sources[0K[32;1m$ cat $CI_SERVER_TLS_CA_FILE[0;m-----BEGIN CERTIFICATE-----MIIKrjCCCZagAwIBAgIMH9wxDAHtds5wk4TzMA0GCSqGSIb3DQEBCwUAMIGNMQswCQYDVQQGEwJERTFFMEMGA1UECgw8VmVyZWluIHp1ciBGb2VyZGVydW5nIGVpbmVzIERldXRzY2hlbiBGb3JzY2h1bmdzbmV0emVzIGUuIFYuMRAwDgYDVQQLDAdERk4tUEtJMSUwIwYDVQQDDBxERk4tVmVyZWluIEdsb2JhbCBJc3N1aW5nIENBMB4XDTE4MTAwOTEzNTYxNloXDTIxMDExMDEzNTYxNlowgakxCzAJBgNVBAYTAkRFMRgwFgYDVQQIDA9SaGVpbmxhbmQtUGZhbHoxDjAMBgNVBAcMBU1haW56MS4wLAYDVQQKDCVKb2hhbm5lcyBHdXRlbmJlcmctVW5pdmVyc2l0YWV0IE1haW56MScwJQYDVQQLDB5aZW50cnVtIGZ1ZXIgRGF0ZW52ZXJhcmJlaXR1bmcxFzAVBgNVBAMMDmdpdGxhYi5ybHAubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtgkCJuw3LJkfEVhNsPr18BN5wS0mNkn1dKZBgexmHKalPxHJxeB3eg3I9ZkDH464FObUH82BHPqXCefWg2ySWL59u0p6vD3uxXRIeRPdmzJsSCTwGzY0S2htgWflJEyyONoEkkygBPsguxSIZ+Ji7m8r0NLk+pjZODgLh1n+eEio/MO5GqJA4auwrLVsoE31ENR89BAQEEDBdQ7PCJaxGTQ7mTlttZiMWI+A9iRSXCxo8o4jTyHYsQa58qLuuxvBftCkUb3awZy/fpssHBC5j7YTAFcuQe7dPS06gqQZo1vSsqeadkKM9sdULBG2F9EQTOm2adamvBMt5g4bNihv7iXYwzOkeIcyc2l8X0/neuLsxBcxmL/410w30+FApmLZH0YmrHpnsUySjCVhbB2uFMnnIoO9blUd6YVi2JZVTrte7KFHGd0kP3he34XupeIM2R94jGlyO6wBwJ2wIWL1SavOZDCP3OUP2IL6ojkUtQsSoBfa972ddvlsOPiBR06OU5ofYdY6P14sHM0bRpZVx7z7Kfi5smc0go9hAAFNx2WR7iQq6GhkROb0rXosv6X0FYQKvQk6xNVwHjRdl2hcoKOC1DtnGpOMF6rjyjDNNvKzqB/fsz2XVgmU2Hq9wbYHsJg37wfhw4elnaY5A0q6FBHJpZ4xltV3kYJbrof9CLECAwEAAaOCBe4wggXqMFkGA1UdIARSMFAwCAYGZ4EMAQICMA0GCysGAQQBga0hgiweMA8GDSsGAQQBga0hgiwBAQQwEQYPKwYBBAGBrSGCLAEBBAMIMBEGDysGAQQBga0hgiwCAQQDCDAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUtt0aMqR+hTB7feoqGWiQeSBSepcwHwYDVR0jBBgwFoAUazqYi/nyU4na4K2yMh4JH+iqO3QwTQYDVR0RBEYwRIIOZ2l0bGFiLnJscC5uZXSCGW1hdHRlcm1vc3QuZ2l0bGFiLnJscC5uZXSCF3JlZ2lzdHJ5LmdpdGxhYi5ybHAubmV0MIGNBgNVHR8EgYUwgYIwP6A9oDuGOWh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZGZuLWNhLWdsb2JhbC1nMi9wdWIvY3JsL2NhY3JsLmNybDA/oD2gO4Y5aHR0cDovL2NkcDIucGNhLmRmbi5kZS9kZm4tY2EtZ2xvYmFsLWcyL3B1Yi9jcmwvY2FjcmwuY3JsMIHbBggrBgEFBQcBAQSBzjCByzAzBggrBgEFBQcwAYYnaHR0cDovL29jc3AucGNhLmRmbi5kZS9PQ1NQLVNlcnZlci9PQ1NQMEkGCCsGAQUFBzAChj1odHRwOi8vY2RwMS5wY2EuZGZuLmRlL2Rmbi1jYS1nbG9iYWwtZzIvcHViL2NhY2VydC9jYWNlcnQuY3J0MEkGCCsGAQUFBzAChj1odHRwOi8vY2RwMi5wY2EuZGZuLmRlL2Rmbi1jYS1nbG9iYWwtZzIvcHViL2NhY2VydC9jYWNlcnQuY3J0MIIDXgYKKwYBBAHWeQIEAgSCA04EggNKA0gAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAWZZHT6nAAAEAwBHMEUCIHGXZgLIpq31AOsuksgKMjXblIz29TVnT9kf9M/HZjgjAiEAm1i6BL4BLps6tPTCQNyJFInSe0cDthdHGjMSv6XH9kcAdgDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAWZZHT60AAAEAwBHMEUCID3lhT++S8p3VkF+52KvVEvInHY8okafKOZr0TPPjlumAiEAoWGtEfp5WT0ddXlM1aKiOxlvq0F1qlh7SoLl/9k45CwAdQBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6odBxPTDAAAAWZZHT+lAAAEAwBGMEQCIEUYOP1SpTxYd7tJ0dzmwVRNPE7lkBEYywKvAi49bx4ZAiBIzH7xJ5nqYkyAaPUwigUe7Axchl8xmk68F6dJ16e3hAB2AKrnC388uNVmyGwvFpecn0RfaasOtFNVibL3egMBBPPNAAABZlkdPpUAAAQDAEcwRQIhAIzdq+SoMOxjltvmUBw0FRAPnyZoKH5+hVLi+0DMWFm6AiAsGWk8B7EkCWIO4t/B12kPrKtZu7c+D2/Pbm/SHiycIwB2ALvZ37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABZlkdQOoAAAQDAEcwRQIhAP9kHQcJJRZLaBSZsMrZgyYoU0AY9nWWriaFLIh6Kqk8AiAIlugtwVubCRaDiqLa+2mG4SJbkFi5BbdbZqHpbPWlkQB2AESUZS6w7s6vxEAH2Kj+KMDa5oK+2MsxtT/TM5a1toGoAAABZlkdQfcAAAQDAEcwRQIgbCIE0OT0w9EE+ap1ydtLfhAjIkW/SOwwjEOO0rUha9gCIQCZ/U5Gm/UGUl2vHaJEQ9xLy2lVPpyGgcZeoeZuIH1mGgB3AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABZlkdQQQAAAQDAEgwRgIhAJlOpGLXVM7RxriYr9CVt5DCJqZv6zJk4778dA3LhT0OAiEAhZIZlkki6zpW08sp9slOkPF0R3vSP1oXEquEdrQ8RLIwDQYJKoZIhvcNAQELBQADggEBAHZdW4F0c57XBdhoQELva5SwXGPqxcl7a+tngfxbm+bSlQ92SIYWuTk3qT261paI6Klk9d0k44qZ1noxd4hGQIjW83ENutqYQnGQDjI4dQGxfe4XI9QOOo1oOPN6CUY0shTzsJFk0KQy5k5N0m0J2SnD3gI5IzXUsxq7T4L5AQ80ZMGs+lNTV8J4bHX88yfeP1jT78F7LTpmbzn3E1UdHPSP3wyZeHkzwzsBFCa440jKUY+S0V7ZGAaiD6ilTFQqmNta9MBr09TCNUoLZ7aO46gcyUx4ZCjYdXPgkmzcgdq2aDeGCEBmOIHsCH15QxCp/F55r+CeyMXszXa0aOjkCEE=-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIFrDCCBJSgAwIBAgIHG2O60B4sPTANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMCREUxRTBDBgNVBAoTPFZlcmVpbiB6dXIgRm9lcmRlcnVuZyBlaW5lcyBEZXV0c2NoZW4gRm9yc2NodW5nc25ldHplcyBlLiBWLjEQMA4GA1UECxMHREZOLVBLSTEtMCsGA1UEAxMkREZOLVZlcmVpbiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAyMB4XDTE2MDUyNDExMzg0MFoXDTMxMDIyMjIzNTk1OVowgY0xCzAJBgNVBAYTAkRFMUUwQwYDVQQKDDxWZXJlaW4genVyIEZvZXJkZXJ1bmcgZWluZXMgRGV1dHNjaGVuIEZvcnNjaHVuZ3NuZXR6ZXMgZS4gVi4xEDAOBgNVBAsMB0RGTi1QS0kxJTAjBgNVBAMMHERGTi1WZXJlaW4gR2xvYmFsIElzc3VpbmcgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdO3kcR94fhsvGadcQnjnX2aIw23IcBX8pX0to8a0Z1kzhaxuxC3+hq+B7i4vYLc5uiDoQ7lflHn8EUTbrunBtY6C+li5A4dGDTGY9HGRp5ZukrXKuaDlRh3nMF9OuL11jcUs5eutCp5eQaQW/kP+kQHC9A+e/nhiIH5+ZiE0OR41IX2WZENLZKkntwbktHZ8SyxXTP38eVC86rpNXp354ytVK4hrl7UF9U1/Isyr1ijCs7RcFJD+2oAsH/U0amgNSoDac3iSHZeTn+seWcyQUzdDoG2ieGFmudn730Qp4PIdLsDfPU8o6OBDzy0dtjGQ9PFpFSrrKgHy48+enTEzNAgMBAAGjggIFMIICATASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjApBgNVHSAEIjAgMA0GCysGAQQBga0hgiweMA8GDSsGAQQBga0hgiwBAQQwHQYDVR0OBBYEFGs6mIv58lOJ2uCtsjIeCR/oqjt0MB8GA1UdIwQYMBaAFJPj2DIm2tXxSqWRSuDqS+KiDM/hMIGPBgNVHR8EgYcwgYQwQKA+oDyGOmh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NybC9jYWNybC5jcmwwQKA+oDyGOmh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NybC9jYWNybC5jcmwwgd0GCCsGAQUFBwEBBIHQMIHNMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5wY2EuZGZuLmRlL09DU1AtU2VydmVyL09DU1AwSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NhY2VydC9jYWNlcnQuY3J0MEoGCCsGAQUFBzAChj5odHRwOi8vY2RwMi5wY2EuZGZuLmRlL2dsb2JhbC1yb290LWcyLWNhL3B1Yi9jYWNlcnQvY2FjZXJ0LmNydDANBgkqhkiG9w0BAQsFAAOCAQEAgXhFpE6kfw5V8Amxaj54zGg1qRzzlZ4/8/jfazh3iSyNta0+x/KUzaAGrrrMqLGtMwi2JIZiNkx4blDw1W5gjU9SMUOXRnXwYuRuZlHBQjFnUOVJ5zkey5/KhkjeCBT/FUsrZpugOJ8Azv2n69F/Vy3ITF/cEBGXPpYEAlyEqCk5bJT8EJIGe57u2Ea0G7UDDDjZ3LCpP3EGC7IDBzPCjUhjJSU8entXbveKBTjvuKCuL/TbB9VbhBjBqbhLzmyQGoLkuT36d/HSHzMCv1PndvncJiVBby+mG/qkE5D6fH7ZC2Bd7L/KQaBh+xFJKdioLXUV2EoY6hbvVTQiGhONBg==-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIFEjCCA/qgAwIBAgIJAOML1fivJdmBMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYDVQQGEwJERTErMCkGA1UECgwiVC1TeXN0ZW1zIEVudGVycHJpc2UgU2VydmljZXMgR21iSDEfMB0GA1UECwwWVC1TeXN0ZW1zIFRydXN0IENlbnRlcjElMCMGA1UEAwwcVC1UZWxlU2VjIEdsb2JhbFJvb3QgQ2xhc3MgMjAeFw0xNjAyMjIxMzM4MjJaFw0zMTAyMjIyMzU5NTlaMIGVMQswCQYDVQQGEwJERTFFMEMGA1UEChM8VmVyZWluIHp1ciBGb2VyZGVydW5nIGVpbmVzIERldXRzY2hlbiBGb3JzY2h1bmdzbmV0emVzIGUuIFYuMRAwDgYDVQQLEwdERk4tUEtJMS0wKwYDVQQDEyRERk4tVmVyZWluIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLYNf/ZqFBzdL6h5eKc6uZTepnOVqhYIBHFU6MlbLlz87TV0uNzvhWbBVVdgfqRv3IA0VjPnDUq1SAsSOcvjcoqQn/BV0YD8SYmTezIPZmeBeHwp0OzEoy5xadrg6NKXkHACBU3BVfSpbXeLY008F0tZ3pv8B3Teq9WQfgWi9sPKUA3DW9ZQ2PfzJt8lpqS2IB7qw4NFlFNkkF2njKam1bwIFrEczSPKiL+HEayjvigN0WtGd6izbqTpEpPbNRXK2oDL6dNOPRDReDdcQ5HrCUCxLx1WmOJfS4PSu/wI7DHjulv1UQqyquF5deM87I8/QJB+MChjFGawHFEAwRx1npAgMBAAGjggF0MIIBcDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJPj2DIm2tXxSqWRSuDqS+KiDM/hMB8GA1UdIwQYMBaAFL9ZIDYAeaCgImuM1fJh0rgsy4JKMBIGA1UdEwEB/wQIMAYBAf8CAQIwMwYDVR0gBCwwKjAPBg0rBgEEAYGtIYIsAQEEMA0GCysGAQQBga0hgiweMAgGBmeBDAECAjBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vcGtpMDMzNi50ZWxlc2VjLmRlL3JsL1RlbGVTZWNfR2xvYmFsUm9vdF9DbGFzc18yLmNybDCBhgYIKwYBBQUHAQEEejB4MCwGCCsGAQUFBzABhiBodHRwOi8vb2NzcDAzMzYudGVsZXNlYy5kZS9vY3NwcjBIBggrBgEFBQcwAoY8aHR0cDovL3BraTAzMzYudGVsZXNlYy5kZS9jcnQvVGVsZVNlY19HbG9iYWxSb290X0NsYXNzXzIuY2VyMA0GCSqGSIb3DQEBCwUAA4IBAQCHC/8+AptlyFYt1juamItxT9q6Kaoh+UYu9bKkD64ROHk4sw50unZdnugYgpZi20wz6N35at8yvSxMR2BVf+d0a7Qsg9h5a7a3TVALZge17bOXrerufzDmmf0i4nJNPoRb7vnPmep/11I5LqyYAER+aTu/de7QCzsazeX3DyJsR4T2pUeg/dAaNH2t0j13s+70103/w+jlkk9ZPpBHEEqwhVjAb3/4ru0IQp4e1N8ULk2PvJ6Uw+ft9hj4PEnnJqinNtgs3iLNi4LY2XjiVRKjO4dEthEL1QxSr2mMDwbf0KJTi1eYe8/9ByT0/L3D/UqSApcb8re2z2WKGqK1chk5-----END CERTIFICATE-----[32;1mFetching changes...[0;mReinitialized existing Git repository in /builds/zdvsysunix/docker-php/.git/fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.rlp.net/zdvsysunix/docker-php.git/': SSL certificate problem: unable to get issuer certificatesection_end:1571747738:get_sources[0Ksection_start:1571747738:upload_artifacts_on_failure[0K[32;1mUploading artifacts...[0;m[0;33mWARNING: php73-fpm/goss-report.xml: no matching files[0;m [31;1mERROR: No files to upload [0;m section_end:1571747740:upload_artifacts_on_failure[0K[31;1mERROR: Job failed: exit code 1[0;m
@moschlar Thanks for the output. The chain - in comparison to what we both with @steveazz see locally - is missing the last cert, the CA one. Which explains the error. Now we need to figure out why the certificate is not present there.
Can you check your Runner logs and see if you have any warning/error logged with this in the message: Error on fetching TLS Data from API response?
@tmaczukin - ah, now wait - on the SSL Labs page, it actually looks like this is true:
But IIRC, if you actually include the CA certificate itself, SSL Labs complains about that.
cf. the following output from running ssylze --regular against our server:
Received Chain: gitlab.rlp.net --> DFN-Verein Global Issuing CA --> DFN-Verein Certification Authority 2 Verified Chain: gitlab.rlp.net --> DFN-Verein Global Issuing CA --> DFN-Verein Certification Authority 2 --> T-TeleSec GlobalRoot Class 2 Received Chain Contains Anchor: OK - Anchor certificate not sent
@moschlar Can you check your Runner logs for what I've pointed at #4805 (comment 233898904)? We don't expect the server to send the full chain containing the Root CA certificate. More - even if send, the certificate verification mechanism that we've recently implemented, would check it again and prepare the final certificate chain that is seen when you've printed the CI_SERVER_TLS_CA_FILE variable. I blame this mechanism for the problem and I'd like to confirm this by checking what's in the logs :)
@dgalichet Are you able to adjust your configuration as described at #4805 (comment 233863990), run a test job and share the log? If there are multiple users reporting such issue, there must be some pattern.
Running with gitlab-runner 12.4.0 (1564076b) on deploy-xxxxxxx-yyyyyy wELYvYk8Using Docker executor with image 1234567890.dkr.ecr.eu-central-1.amazonaws.com/terraform-ci:0.11.14 ...Pulling docker image gitlab/gitlab-runner-helper:x86_64-1564076b ...Using docker image sha256:8d0489046dda3658c263ad30ddd8c18731b00a14b1d173215cc3786b78e559da for gitlab/gitlab-runner-helper:x86_64-1564076b ...Authenticating with credentials from /root/.docker/config.jsonPulling docker image 1234567890.dkr.ecr.eu-central-1.amazonaws.com/terraform-ci:0.11.14 ...Using docker image sha256:e6011cac719de2ba1b794496fc7f35fee5afb2ebbbaa2f1d3107ca51758e0575 for 1234567890.dkr.ecr.eu-central-1.amazonaws.com/terraform-ci:0.11.14 ...Running on runner-wELYvYk8-project-364-concurrent-0 via ae2aa218bbe9...$ cat $CI_SERVER_TLS_CA_FILE-----BEGIN CERTIFICATE-----MIIFcDCCBFigAwIBAgIQC2SwuXVguakC7aZvpYGadTANBgkqhkiG9w0BAQsFADBGMQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRUwEwYDVQQLEwxTZXJ2ZXIgQ0EgMUIxDzANBgNVBAMTBkFtYXpvbjAeFw0xOTAzMjcwMDAwMDBaFw0yMDA0MjcxMjAwMDBaMB4xHDAaBgNVBAMMEyoudG9vbHMuc2xpbXBheS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJAr1btBOp3pXIVp2WPg6qTd0EEO95sGmeI3rsJD/A00hx5SCgqaCsph1aJ7suSI/Vl1/cAU8oiFf2GqdH/608c8KJXGJn+IIzsJjakORHjTCKWdqbHlCfkprRtxlU5f7B2DOvIUGLdpE98VnWrzLMuP1oY6f+Y3cxk618GCNanBZjCSc5VaRlIhU0HluB21c4Tf/9BAsjR254/kgY1PO0e6tsMrdnsI9ZlvsGXMQi4lEfxYqk0TMcdbxt/Sm5H4/t1Ahkcu4t/WG8Oj3mIiA1Gqs09uGwoCe9CNINbQzgWMVeINmYRyQeXjVZtuy8j3uoWiigPUc67GvD6UyxO/3tAgMBAAGjggKAMIICfDAfBgNVHSMEGDAWgBRZpGYGUqB7lZI8o5QHJ5Z0W/k90DAdBgNVHQ4EFgQUIqNiMRjki4wKfkO5i8H2GTWb9RgwHgYDVR0RBBcwFYITKi50b29scy5zbGltcGF5LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDsGA1UdHwQ0MDIwMKAuoCyGKmh0dHA6Ly9jcmwuc2NhMWIuYW1hem9udHJ1c3QuY29tL3NjYTFiLmNybDAgBgNVHSAEGTAXMAsGCWCGSAGG/WwBAjAIBgZngQwBAgEwdQYIKwYBBQUHAQEEaTBnMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5zY2ExYi5hbWF6b250cnVzdC5jb20wNgYIKwYBBQUHMAKGKmh0dHA6Ly9jcnQuc2NhMWIuYW1hem9udHJ1c3QuY29tL3NjYTFiLmNydDAMBgNVHRMBAf8EAjAAMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFpv/FLMQAABAMASDBGAiEAvWnGlfZXJtGz7w7XeFmOVs8kD5ZMdNXate4tPsGs9v4CIQCF28+6IDfUiD2CFsCtjLRcVPjuIPMRM9lAyon36SjJogB2AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABab/xTEQAAAQDAEcwRQIhAOvW96i0cg+RqFmKUL0n7HT5rOAvmwSN2Bkfl9QMj3G2AiBXuG89IiNvhsyMez8VlSgJ/CDn6mrMY+HwsvoyVW1D7TANBgkqhkiG9w0BAQsFAAOCAQEAbDy9ZhjWMUAtq36g3yf9iOAINVbjGE6GaMhAJjfHx7qLaKb/Y8TYB2+DWuad+GFjihG3cs/nQg+E+1dfu/Fp9e954u2002bd78rYZj3R8RVvggoJ69xQ3R2iv6/AdePX15H/9OA+WegiV+LkU3icOvS169CgGBadq7wt8r6ebfW41QsjiMRlxoZApg5hYa3fEMs2cwJf8GaokyqsB7gtJpRSSdCS73BlnGtN6cBInZS0QubW5urzu4+89lgq8uA382Sbtg2I1yjzvmPKo2b7ZomRJkiFi/nhhSY7YWVXuI6lXE+CvxicLcV1IWu4FH5jiRBFB2ssHu3VTyfbEMOt8g==-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsFADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAxMB4XDTE1MTAyMjAwMDAwMFoXDTI1MTAxOTAwMDAwMFowRjELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEVMBMGA1UECxMMU2VydmVyIENBIDFCMQ8wDQYDVQQDEwZBbWF6b24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCThZn3c68asg3Wuw6MLAd5tES6BIoSMzoKcG5blPVo+sDORrMd4f2AbnZcMzPa43j4wNxhplty6aUKk4T1qe9BOwKFjwK6zmxxLVYo7bHViXsPlJ6qOMpFge5blDP+18x+B26A0piiQOuPkfyDyeR4xQghfj66Yo19V+emU3nazfvpFA+ROz6WoVmB5x+F2pV8xeKNR7u6azDdU5YVX1TawprmxRC1+WsAYmz6qP+z8ArDITC2FMVy2fw0IjKOtEXc/VfmtTFch5+AfGYMGMqqvJ6LcXiAhqG5TI+Dr0RtM88k+8XUBCeQ8IGKuANaL7TiItKZYxK1MMuTJtV9IblAgMBAAGjggE7MIIBNzASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUWaRmBlKge5WSPKOUByeWdFv5PdAwHwYDVR0jBBgwFoAUhBjMhTTsvAyUlC4IWZzHshBOCggwewYIKwYBBQUHAQEEbzBtMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5yb290Y2ExLmFtYXpvbnRydXN0LmNvbTA6BggrBgEFBQcwAoYuaHR0cDovL2NydC5yb290Y2ExLmFtYXpvbnRydXN0LmNvbS9yb290Y2ExLmNlcjA/BgNVHR8EODA2MDSgMqAwhi5odHRwOi8vY3JsLnJvb3RjYTEuYW1hem9udHJ1c3QuY29tL3Jvb3RjYTEuY3JsMBMGA1UdIAQMMAowCAYGZ4EMAQIBMA0GCSqGSIb3DQEBCwUAA4IBAQCFkr41u3nPo4FCHOTjY3NTOVI159Gt/a6ZiqyJEi+752+a1U5y6iAwYfmXss2lJwJFqMp2PphKg5625kXg8kP2CN5t6G7bMQcT8C8xDZNtYTd7WPD8UZiRKAJPBXa30/AbwuZe0GaFEQ8ugcYQgSn+IGBI8/LwhBNTZTUVEWuCUUBVV18YtbAiPq3yXqMB48Oz+ctBWuZSkbvkNodPLamkB2g1upRyzQ7qDn1X8nn8N8V7YJ6y68AtkHcNSRAnpTitxBKjtKPISLMVCx7i4hncxHZSyLyKQXhw2W2Xs0qLeC1etA+jTGDK4UfLeC0SF7FSi8o5LL21L8IzApar2pR/-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIEkjCCA3qgAwIBAgITBn+USionzfP6wq4rAfkI7rnExjANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xOzA5BgNVBAMTMlN0YXJmaWVsZCBTZXJ2aWNlcyBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE1MDUyNTEyMDAwMFoXDTM3MTIzMTAxMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXjca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qwIFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQmjgSubJrIqg0CAwEAAaOCATEwggEtMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSEGMyFNOy8DJSULghZnMeyEE4KCDAfBgNVHSMEGDAWgBScXwDfqgHXMCs4iKK4bUqc8hGRgzB4BggrBgEFBQcBAQRsMGowLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLnJvb3RnMi5hbWF6b250cnVzdC5jb20wOAYIKwYBBQUHMAKGLGh0dHA6Ly9jcnQucm9vdGcyLmFtYXpvbnRydXN0LmNvbS9yb290ZzIuY2VyMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9jcmwucm9vdGcyLmFtYXpvbnRydXN0LmNvbS9yb290ZzIuY3JsMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOCAQEAYjdCXLwQtT6LLOkMm2xF4gcAevnFWAu5CIw+7bMlPLVvUOTNNWqnkzSWMiGpSESrnO09tKpzbeR/FoCJbM8oAxiDR3mjEH4wW6w7sGDgd9QIpuEdfF7Au/maeyKdpwAJfqxGF4PcnCZXmTA5YpaP7dreqsXMGz7KQ2hsVxa81Q4gLv7/wmpdLqBKbRRYh5TmOTFffHPLkIhqhBGWJ6bt2YFGpn6jcgAKUj6DiAdjd4lpFw85hdKrCEVN0FE6/V1dN2RMfjCyVSRCnTawXZwXgWHxyvkQAiSr6w10kY17RSlQOYiypok1JR4UakcjMS9cmvqtmg5iUaQqqcT5NJ0hGA==-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIEdTCCA12gAwIBAgIJAKcOSkw0grd/MA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAYTAlVTMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTIwMAYDVQQLEylTdGFyZmllbGQgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wOTA5MDIwMDAwMDBaFw0zNDA2MjgxNzM5MTZaMIGYMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjE7MDkGA1UEAxMyU3RhcmZpZWxkIFNlcnZpY2VzIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVDDrEKvlO4vW+GZdfjohTsR8/y8+fIBNtKTrID30892t2OGPZNmCom15cAICyL1l/9of5JUOG52kbUpqQ4XHj2C0NTm/2yEnZtvMaVq4rtnQU68/7JuMauh2WLmo7WJSJR1b/JaCTcFOD2oR0FMNnngRoOt+OQFodSk7PQ5E751bWAHDLUu57fa4657wx+UX2wmDPE1kCK4DMNEffud6QZW0CzyyRpqbn3oUYSXxmTqM6bam17jQuug0DuDPfR+uxa40l2ZvOgdFFRjKWcIfeAg5JQ4W2bHO7ZOphQazJ1FTfhy/HIrImzJ9ZVGif/L4qL8RVHHVAYBeFAlU5i38FAgMBAAGjgfAwge0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFJxfAN+qAdcwKziIorhtSpzyEZGDMB8GA1UdIwQYMBaAFL9ft9HO3R+G9FtVrNzXEMIOqYjnME8GCCsGAQUFBwEBBEMwQTAcBggrBgEFBQcwAYYQaHR0cDovL28uc3MyLnVzLzAhBggrBgEFBQcwAoYVaHR0cDovL3guc3MyLnVzL3guY2VyMCYGA1UdHwQfMB0wG6AZoBeGFWh0dHA6Ly9zLnNzMi51cy9yLmNybDARBgNVHSAECjAIMAYGBFUdIAAwDQYJKoZIhvcNAQELBQADggEBACMd44pXyn3pF3lM8R5V/cxTbj5HD9/GVfKyBDbtgB9TxF00KGu+x1X8Z+rLP3+QsjPNG1gQggL4+C/1E2DUBc7xgQjB3ad1l08YuW3e95ORCLp+QCztweq7dp4zBncdDQh/U90bZKuCJ/Fp1U1ervShw3WnWEQt8jxwmKy6abaVd38PMV4s/KCHOkdp8Hlf9BRUpJVeEXgSYCfOn8J3/yNTd126/+pZ59vPr5KW7ySaNRB6nJHGDn2Z9j8Z3/VyVOEVqQdZe4O/Ui5GjLIAZHYcSNPYeehuVsyuLAOQ1xk4meTKCRlb/weWsKh/NEnfVqn3sF/tM+2MR7cwA130A4w=-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIFEjCCBHugAwIBAgICAQwwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTA0MDYyOTE3MzkxNloXDTI0MDYyOTE3MzkxNlowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAtzLI/ulxpgSFrQwRZN/OTe/IAxiHP6Gr+zymn/DDodrU2G4rU5D7JKQ+hPCe6F/s5SdE9SimP3ve4CrwyK9TL57KBQGTHo9mHDmnTfpatnMEJWbrd3/nWcZKmSUUVOsmx/N/GdUwcI+vsEYq/63rKe3Xn6oEh6PU+YmlNF/bQ5GCNtlmPLG4uYL9nDo+EMg77wZlZnqbGRg9/3FRPDAuX749d3OyXQZswyNWmiuFJpIcpwKz5D8Nrwh5grg2Peqc0zWzvGnK9cyd6P1kjReAM25eSl2ZyR6HtJ0awNVuEzUjXt+bXz3v1vd2wuo+u3gNHEJnawTY+Nbab4vyRKABqwIBA6OCAfMwggHvMB0GA1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCB0gYDVR0jBIHKMIHHoYHBpIG+MIG7MSQwIgYDVQQHExtWYWxpQ2VydCBWYWxpZGF0aW9uIE5ldHdvcmsxFzAVBgNVBAoTDlZhbGlDZXJ0LCBJbmMuMTUwMwYDVQQLEyxWYWxpQ2VydCBDbGFzcyAyIFBvbGljeSBWYWxpZGF0aW9uIEF1dGhvcml0eTEhMB8GA1UEAxMYaHR0cDovL3d3dy52YWxpY2VydC5jb20vMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHZhbGljZXJ0LmNvbYIBATAPBgNVHRMBAf8EBTADAQH/MDkGCCsGAQUFBwEBBC0wKzApBggrBgEFBQcwAYYdaHR0cDovL29jc3Auc3RhcmZpZWxkdGVjaC5jb20wSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL2NlcnRpZmljYXRlcy5zdGFyZmllbGR0ZWNoLmNvbS9yZXBvc2l0b3J5L3Jvb3QuY3JsMFEGA1UdIARKMEgwRgYEVR0gADA+MDwGCCsGAQUFBwIBFjBodHRwOi8vY2VydGlmaWNhdGVzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAKVi8afCXSWlcD284ipxs33kDTcdVWptobCrmADkhWBKIMuh8D1195TaQ39oXCUIuNJ9MxB73HZn8bjhU3zhxoNbKXuNSm8uf0SoGkVrMgfHeMpkksK0hAzc3S1fTbvdiuo43NlmouxBulVtWmQ9twPMHOKRUJ7jCUSVFxdzPcwl-----END CERTIFICATE-----Fetching changes with git depth set to 50...Initialized empty Git repository in /builds/ops/infrastructure-release-ops/.git/Created fresh repository.fatal: unable to access 'https://gitlab-ci-token:[MASKED]@git.tools.xxxxxxx.com/ops/infrastructure-release-ops.git/': SSL certificate problem: unable to get issuer certificate
@jchampseix Are you able to adjust your configuration as described at #4805 (comment 233863990), run a test job and share the log? If there are multiple users reporting such issue, there must be some pattern.
We have the same problem, works with gitlab-runner 12.3.0 on Debian 10, fails with gitlab-runner 12.4.0.
Server sends along the intermediate cert, but not the root.
job log
Running with gitlab-runner 12.4.0 (1564076b) on docker-openjdk8 JbsrjK9dUsing Docker executor with image openjdk:8-slim ...Authenticating with credentials from /root/.docker/config.jsonPulling docker image openjdk:8-slim ...Using docker image sha256:971671e78456acbc3a2226534e382ebd2b2cb07d8c4fabcbe5a72aa3b6021c77 for openjdk:8-slim ...Authenticating with credentials from /root/.docker/config.jsonRunning on runner-JbsrjK9d-project-78-concurrent-0 via teahut.net...Authenticating with credentials from /root/.docker/config.json$ cat $CI_SERVER_TLS_CA_FILE-----BEGIN CERTIFICATE-----MIIGkzCCBXugAwIBAgISA5sIe7engYpYyAC8q1eKR/+BMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTEwMjEyMzEzMzJaFw0yMDAxMTkyMzEzMzJaMBUxEzARBgNVBAMTCnRlYWh1dC5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwUii9vflY2gT2oMMqF5d+yCdUgzPTQzDgqrf5ayqaJa1qryMb1Kh3s+rERsjvIQNeVDnOSn2wkrQKFZJwI7ifqRhX7Sbzv00Qq7ZEMfNlTZBCe7lyLSsclKDZro3eF8OLLoSrx2D4fLaiHQG8cN6zBMcq57dkHpeU5zybTgvOdK0UHkK8i//Ja3ulNRt3ylHEwuzGfBEx2E9Ei7Y+AkLN4o59m+PL5dwkWkL7I04coyVKRGKgNhTaEk+yqLhihe+CRhML575FIp5mU4TKa9d+nfRFXtDU76L8nVtcPWF3cKNaBEIdH+zzdBv4+FmmAVfFdooOd/gLy5JJj7o5EBfbMBje9Nr7k6pzRNTQwsZ6o17Zh30nUJGkkkyqqA5WaqZucfUj5Nw8YC04iQztZ0HCE2l5BlV2hYQJ16WjnUkaBvZu3J8lW5U6rSf+7BnS5GbJ1EBmhFKYHoTBVY76N1sQB8BT63iXrJjRmjHdRqqOaHxiO4oWt3BU+/c+VsWr7BYH6k/fr1FRB3heAUXnnAcq7tN5XlYE3cAW600Al4beNg/gxgAVhmUVtY+W4xUkeDX3Sd4zx7NyijYmEGQMwe/z2Fy3F5vVBSxXGOxXq1C9ewA7iCzJYzhQ190SgwnjC47o06Z6ZGg6zLtDspuo2ggKOqsb6UIstiVZskU9oMfHHQIDAQABo4ICpjCCAqIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTXErQ3S5XsGiO+tBl6es5zghfCFjAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMFwGA1UdEQRVMFOCEWdpdGxhYi50ZWFodXQubmV0gg9sZGFwLnRlYWh1dC5uZXSCEXJlcG9ydC50ZWFodXQubmV0ggp0ZWFodXQubmV0gg53d3cudGVhaHV0Lm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2ALIeBcyLos2KIE6HZvkruYolIGdr2vpw57JJUy3vi5BeAAABbfDPyxQAAAQDAEcwRQIga2gHXBAB1cq9BIqiHNqx7DMiof3PjBgD+hklCUiDU/gCIQC8ShigWuky0xkUsnU2i6dHb6fC4tnuipBszDMVRXAfKAB2AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABbfDPy0gAAAQDAEcwRQIgFNYllcOhMjKbzdYxtQC4opVs/lX05WoFFPA9jdpQR9kCIQDtHEOtq0BZKKgLpnCGZq9f//mA51mQGnaqj2t4WFxABTANBgkqhkiG9w0BAQsFAAOCAQEAcAzT3kmwL36sVSNh7kZ0w8MNDRY7zosLArO+fO0CGBxLShiyo0GUDqpk7+No5CdXkvXvtsb8zfZQ6FmvjiDzDznTEQGLl9iWC7KtXmX3Uw7ZjtuiQuQOuG8moZd2XlqHF0jtiLTdwwcjqQC+h8tYbZEKFsHtDbYhVXos9SStRGHKOcTeVzJRDEPRGAqu60F3ifU9oZt+vD+XiOiUQ60zFz5gsvfNVw8pAMQaj225ehEh6cQpglXVpOozXKn5l89dTOiAm1qnPwHSVnPf6t/Z/c+D410LXuo/qXlkNcZapPe1aClsmMn0GaNVoPy/fcSiaciQu9VTz5YCfvRVDbmJ8w==-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0NlowSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIGCCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9kc3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAwVAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcCARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwuY3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsFAAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJouM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwuX4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlGPfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==-----END CERTIFICATE-----Fetching changes...Initialized empty Git repository in /builds/liferay-portal/dxp-workspace/.git/Created fresh repository.fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.teahut.net/liferay-portal/dxp-workspace.git/': SSL certificate problem: unable to get issuer certificateAuthenticating with credentials from /root/.docker/config.jsonERROR: Job failed: exit code 1
Oct 22 14:01:17 teahut.net systemd[1]: Started GitLab Runner.Oct 22 14:01:17 teahut.net gitlab-runner[4934]: Runtime platform arch=amd64 os=linux pid=4934 revision=a8a019e0 version=12.3.0Oct 22 14:01:17 teahut.net gitlab-runner[4934]: Starting multi-runner from /etc/gitlab-runner/config.toml ... builds=0Oct 22 14:01:17 teahut.net gitlab-runner[4934]: Running in system-mode.Oct 22 14:01:17 teahut.net gitlab-runner[4934]:Oct 22 14:01:17 teahut.net gitlab-runner[4934]: Starting multi-runner from /etc/gitlab-runner/config.toml ... builds=0Oct 22 14:01:17 teahut.net gitlab-runner[4934]: Running in system-mode.Oct 22 14:01:17 teahut.net gitlab-runner[4934]: Configuration loaded builds=0Oct 22 14:01:17 teahut.net gitlab-runner[4934]:Oct 22 14:01:17 teahut.net gitlab-runner[4934]: Configuration loaded builds=0Oct 22 14:01:17 teahut.net gitlab-runner[4934]: Locking configuration file builds=0 file=/etc/gitlab-runner/config.toml pid=4934Oct 22 14:01:17 teahut.net gitlab-runner[4934]: listen_address not defined, metrics & debug endpoints disabled builds=0Oct 22 14:01:17 teahut.net gitlab-runner[4934]: Locking configuration file builds=0 file=/etc/gitlab-runner/config.toml pid=4934Oct 22 14:01:17 teahut.net gitlab-runner[4934]: listen_address not defined, metrics & debug endpoints disabled builds=0Oct 22 14:01:17 teahut.net gitlab-runner[4934]: [session_server].listen_address not defined, session endpoints disabled builds=0Oct 22 14:01:17 teahut.net gitlab-runner[4934]: [session_server].listen_address not defined, session endpoints disabled builds=0Oct 22 14:02:16 teahut.net gitlab-runner[4934]: Checking for jobs... received job=1416 repo_url=https://gitlab.teahut.net/liferay-portal/dxp-workspacOct 22 14:02:16 teahut.net gitlab-runner[4934]: Checking for jobs... received job=1416 repo_url=https://gitlab.teahut.net/liferay-portal/dxp-workspacOct 22 14:02:42 teahut.net gitlab-runner[4934]: ERROR: Could not create cache adapter error=cache factory not found: factory for cache adapter "" was not regOct 22 14:02:42 teahut.net gitlab-runner[4934]: ERROR: Could not create cache adapter error=cache factory not found: factory for cache adapter "" was not regOct 22 14:03:52 teahut.net gitlab-runner[4934]: WARNING: Job failed: exit code 1 duration=1m35.982189992s job=1416 project=78 runner=JbsrjK9dOct 22 14:03:52 teahut.net gitlab-runner[4934]: WARNING: Job failed: exit code 1 duration=1m35.982189992s job=1416 project=78 runner=JbsrjK9dOct 22 14:03:52 teahut.net gitlab-runner[4934]: WARNING: Failed to process runner builds=0 error=exit code 1 executor=docker runner=JbsrjK9dOct 22 14:03:52 teahut.net gitlab-runner[4934]: WARNING: Failed to process runner builds=0 error=exit code 1 executor=docker runner=JbsrjK9dOct 22 14:06:23 teahut.net gitlab-runner[4934]: Configuration loaded builds=0Oct 22 14:06:23 teahut.net gitlab-runner[4934]: Configuration loaded builds=0Oct 22 14:06:36 teahut.net gitlab-runner[4934]: WARNING: Requested service stop: terminated builds=0Oct 22 14:06:36 teahut.net gitlab-runner[4934]: All workers stopped. Can exit now builds=0Oct 22 14:06:36 teahut.net systemd[1]: Stopping GitLab Runner...Oct 22 14:06:36 teahut.net gitlab-runner[4934]: WARNING: Requested service stop: terminated builds=0Oct 22 14:06:36 teahut.net gitlab-runner[4934]: All workers stopped. Can exit now builds=0Oct 22 14:06:36 teahut.net systemd[1]: gitlab-runner.service: Succeeded.Oct 22 14:06:36 teahut.net systemd[1]: Stopped GitLab Runner.
Yes, 12.3.0 shows the complete chain including root cert in the job log.
job log
Running with gitlab-runner 12.3.0 (a8a019e0) on docker-openjdk8 JbsrjK9dUsing Docker executor with image openjdk:8-slim ...Authenticating with credentials from /root/.docker/config.jsonPulling docker image openjdk:8-slim ...Using docker image sha256:971671e78456acbc3a2226534e382ebd2b2cb07d8c4fabcbe5a72aa3b6021c77 for openjdk:8-slim ...Authenticating with credentials from /root/.docker/config.jsonRunning on runner-JbsrjK9d-project-78-concurrent-0 via teahut.net...Authenticating with credentials from /root/.docker/config.json$ cat $CI_SERVER_TLS_CA_FILE-----BEGIN CERTIFICATE-----MIIGkzCCBXugAwIBAgISA5sIe7engYpYyAC8q1eKR/+BMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTEwMjEyMzEzMzJaFw0yMDAxMTkyMzEzMzJaMBUxEzARBgNVBAMTCnRlYWh1dC5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwUii9vflY2gT2oMMqF5d+yCdUgzPTQzDgqrf5ayqaJa1qryMb1Kh3s+rERsjvIQNeVDnOSn2wkrQKFZJwI7ifqRhX7Sbzv00Qq7ZEMfNlTZBCe7lyLSsclKDZro3eF8OLLoSrx2D4fLaiHQG8cN6zBMcq57dkHpeU5zybTgvOdK0UHkK8i//Ja3ulNRt3ylHEwuzGfBEx2E9Ei7Y+AkLN4o59m+PL5dwkWkL7I04coyVKRGKgNhTaEk+yqLhihe+CRhML575FIp5mU4TKa9d+nfRFXtDU76L8nVtcPWF3cKNaBEIdH+zzdBv4+FmmAVfFdooOd/gLy5JJj7o5EBfbMBje9Nr7k6pzRNTQwsZ6o17Zh30nUJGkkkyqqA5WaqZucfUj5Nw8YC04iQztZ0HCE2l5BlV2hYQJ16WjnUkaBvZu3J8lW5U6rSf+7BnS5GbJ1EBmhFKYHoTBVY76N1sQB8BT63iXrJjRmjHdRqqOaHxiO4oWt3BU+/c+VsWr7BYH6k/fr1FRB3heAUXnnAcq7tN5XlYE3cAW600Al4beNg/gxgAVhmUVtY+W4xUkeDX3Sd4zx7NyijYmEGQMwe/z2Fy3F5vVBSxXGOxXq1C9ewA7iCzJYzhQ190SgwnjC47o06Z6ZGg6zLtDspuo2ggKOqsb6UIstiVZskU9oMfHHQIDAQABo4ICpjCCAqIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTXErQ3S5XsGiO+tBl6es5zghfCFjAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMFwGA1UdEQRVMFOCEWdpdGxhYi50ZWFodXQubmV0gg9sZGFwLnRlYWh1dC5uZXSCEXJlcG9ydC50ZWFodXQubmV0ggp0ZWFodXQubmV0gg53d3cudGVhaHV0Lm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2ALIeBcyLos2KIE6HZvkruYolIGdr2vpw57JJUy3vi5BeAAABbfDPyxQAAAQDAEcwRQIga2gHXBAB1cq9BIqiHNqx7DMiof3PjBgD+hklCUiDU/gCIQC8ShigWuky0xkUsnU2i6dHb6fC4tnuipBszDMVRXAfKAB2AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABbfDPy0gAAAQDAEcwRQIgFNYllcOhMjKbzdYxtQC4opVs/lX05WoFFPA9jdpQR9kCIQDtHEOtq0BZKKgLpnCGZq9f//mA51mQGnaqj2t4WFxABTANBgkqhkiG9w0BAQsFAAOCAQEAcAzT3kmwL36sVSNh7kZ0w8MNDRY7zosLArO+fO0CGBxLShiyo0GUDqpk7+No5CdXkvXvtsb8zfZQ6FmvjiDzDznTEQGLl9iWC7KtXmX3Uw7ZjtuiQuQOuG8moZd2XlqHF0jtiLTdwwcjqQC+h8tYbZEKFsHtDbYhVXos9SStRGHKOcTeVzJRDEPRGAqu60F3ifU9oZt+vD+XiOiUQ60zFz5gsvfNVw8pAMQaj225ehEh6cQpglXVpOozXKn5l89dTOiAm1qnPwHSVnPf6t/Z/c+D410LXuo/qXlkNcZapPe1aClsmMn0GaNVoPy/fcSiaciQu9VTz5YCfvRVDbmJ8w==-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0NlowSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIGCCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9kc3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAwVAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcCARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwuY3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsFAAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJouM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwuX4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlGPfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVowPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEqOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9bxiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaDaeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqGSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXrAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZzR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYoOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ-----END CERTIFICATE-----Fetching changes...Initialized empty Git repository in /builds/liferay-portal/dxp-workspace/.git/Created fresh repository.[...]
Thank you all for answering our questions so far this is incredibly helpful for us. @tmaczukin and I spend some time going through every case on why and how we can miss the CA root and have the following questions:
Inside of your config.toml file do you has tls-ca-file configured inside of the [[runners]] section even if you have tls-cert-file, tls-key-file? If you do what is the value? What is the content of the file?
Between v12.4.0-rc1 and v12.4.0-rc2 (which is now v12.4.0) we made a change regarding TLS verification, are you able to try v12.4.0-rc1 and see if the issue persists? You can download it from here at or install it via packagecloud
No, I have none of these entries, the cert is issued by Let's Encrypt.
The root cert is linked by hash in /etc/ssl/certs and in the /etc/ssl/certs/ca-certificates.crt file.
Running with gitlab-runner 12.4.0-rc1 (d72c2ef7) on docker-openjdk8 JbsrjK9dUsing Docker executor with image openjdk:8-slim ...Authenticating with credentials from /root/.docker/config.jsonPulling docker image openjdk:8-slim ...Using docker image sha256:971671e78456acbc3a2226534e382ebd2b2cb07d8c4fabcbe5a72aa3b6021c77 for openjdk:8-slim ...Authenticating with credentials from /root/.docker/config.jsonRunning on runner-JbsrjK9d-project-78-concurrent-0 via teahut.net...Authenticating with credentials from /root/.docker/config.json$ cat $CI_SERVER_TLS_CA_FILE-----BEGIN CERTIFICATE-----MIIGkzCCBXugAwIBAgISA5sIe7engYpYyAC8q1eKR/+BMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTEwMjEyMzEzMzJaFw0yMDAxMTkyMzEzMzJaMBUxEzARBgNVBAMTCnRlYWh1dC5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwUii9vflY2gT2oMMqF5d+yCdUgzPTQzDgqrf5ayqaJa1qryMb1Kh3s+rERsjvIQNeVDnOSn2wkrQKFZJwI7ifqRhX7Sbzv00Qq7ZEMfNlTZBCe7lyLSsclKDZro3eF8OLLoSrx2D4fLaiHQG8cN6zBMcq57dkHpeU5zybTgvOdK0UHkK8i//Ja3ulNRt3ylHEwuzGfBEx2E9Ei7Y+AkLN4o59m+PL5dwkWkL7I04coyVKRGKgNhTaEk+yqLhihe+CRhML575FIp5mU4TKa9d+nfRFXtDU76L8nVtcPWF3cKNaBEIdH+zzdBv4+FmmAVfFdooOd/gLy5JJj7o5EBfbMBje9Nr7k6pzRNTQwsZ6o17Zh30nUJGkkkyqqA5WaqZucfUj5Nw8YC04iQztZ0HCE2l5BlV2hYQJ16WjnUkaBvZu3J8lW5U6rSf+7BnS5GbJ1EBmhFKYHoTBVY76N1sQB8BT63iXrJjRmjHdRqqOaHxiO4oWt3BU+/c+VsWr7BYH6k/fr1FRB3heAUXnnAcq7tN5XlYE3cAW600Al4beNg/gxgAVhmUVtY+W4xUkeDX3Sd4zx7NyijYmEGQMwe/z2Fy3F5vVBSxXGOxXq1C9ewA7iCzJYzhQ190SgwnjC47o06Z6ZGg6zLtDspuo2ggKOqsb6UIstiVZskU9oMfHHQIDAQABo4ICpjCCAqIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTXErQ3S5XsGiO+tBl6es5zghfCFjAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMFwGA1UdEQRVMFOCEWdpdGxhYi50ZWFodXQubmV0gg9sZGFwLnRlYWh1dC5uZXSCEXJlcG9ydC50ZWFodXQubmV0ggp0ZWFodXQubmV0gg53d3cudGVhaHV0Lm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2ALIeBcyLos2KIE6HZvkruYolIGdr2vpw57JJUy3vi5BeAAABbfDPyxQAAAQDAEcwRQIga2gHXBAB1cq9BIqiHNqx7DMiof3PjBgD+hklCUiDU/gCIQC8ShigWuky0xkUsnU2i6dHb6fC4tnuipBszDMVRXAfKAB2AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABbfDPy0gAAAQDAEcwRQIgFNYllcOhMjKbzdYxtQC4opVs/lX05WoFFPA9jdpQR9kCIQDtHEOtq0BZKKgLpnCGZq9f//mA51mQGnaqj2t4WFxABTANBgkqhkiG9w0BAQsFAAOCAQEAcAzT3kmwL36sVSNh7kZ0w8MNDRY7zosLArO+fO0CGBxLShiyo0GUDqpk7+No5CdXkvXvtsb8zfZQ6FmvjiDzDznTEQGLl9iWC7KtXmX3Uw7ZjtuiQuQOuG8moZd2XlqHF0jtiLTdwwcjqQC+h8tYbZEKFsHtDbYhVXos9SStRGHKOcTeVzJRDEPRGAqu60F3ifU9oZt+vD+XiOiUQ60zFz5gsvfNVw8pAMQaj225ehEh6cQpglXVpOozXKn5l89dTOiAm1qnPwHSVnPf6t/Z/c+D410LXuo/qXlkNcZapPe1aClsmMn0GaNVoPy/fcSiaciQu9VTz5YCfvRVDbmJ8w==-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0NlowSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIGCCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9kc3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAwVAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcCARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwuY3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsFAAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJouM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwuX4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlGPfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==-----END CERTIFICATE-----Fetching changes...Initialized empty Git repository in /builds/liferay-portal/dxp-workspace/.git/Created fresh repository.fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.teahut.net/liferay-portal/dxp-workspace.git/': SSL certificate problem: unable to get issuer certificateAuthenticating with credentials from /root/.docker/config.jsonERROR: Job failed: exit code 1
[0KRunning with gitlab-runner 12.4.0-rc1 (d72c2ef7)[0;m[0K on gitlab-rlp-runner-01-test Z84xnEnu[0;msection_start:1571813881:prepare_executor[0K[0KUsing Docker executor with image alpine:latest ...[0;m[0KPulling docker image alpine:latest ...[0;m[0KUsing docker image sha256:965ea09ff2ebd2b9eeec88cd822ce156f6674c7e99be082c7efac3c62f3ff652 for alpine:latest ...[0;msection_end:1571813883:prepare_executor[0Ksection_start:1571813883:prepare_script[0KRunning on runner-Z84xnEnu-project-7054-concurrent-0 via gitlab-rlp-runner-01...section_end:1571813885:prepare_script[0Ksection_start:1571813885:get_sources[0K[32;1m$ cat$CI_SERVER_TLS_CA_FILE[0;m-----BEGIN CERTIFICATE-----MIIKrjCCCZagAwIBAgIMH9wxDAHtds5wk4TzMA0GCSqGSIb3DQEBCwUAMIGNMQswCQYDVQQGEwJERTFFMEMGA1UECgw8VmVyZWluIHp1ciBGb2VyZGVydW5nIGVpbmVzIERldXRzY2hlbiBGb3JzY2h1bmdzbmV0emVzIGUuIFYuMRAwDgYDVQQLDAdERk4tUEtJMSUwIwYDVQQDDBxERk4tVmVyZWluIEdsb2JhbCBJc3N1aW5nIENBMB4XDTE4MTAwOTEzNTYxNloXDTIxMDExMDEzNTYxNlowgakxCzAJBgNVBAYTAkRFMRgwFgYDVQQIDA9SaGVpbmxhbmQtUGZhbHoxDjAMBgNVBAcMBU1haW56MS4wLAYDVQQKDCVKb2hhbm5lcyBHdXRlbmJlcmctVW5pdmVyc2l0YWV0IE1haW56MScwJQYDVQQLDB5aZW50cnVtIGZ1ZXIgRGF0ZW52ZXJhcmJlaXR1bmcxFzAVBgNVBAMMDmdpdGxhYi5ybHAubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtgkCJuw3LJkfEVhNsPr18BN5wS0mNkn1dKZBgexmHKalPxHJxeB3eg3I9ZkDH464FObUH82BHPqXCefWg2ySWL59u0p6vD3uxXRIeRPdmzJsSCTwGzY0S2htgWflJEyyONoEkkygBPsguxSIZ+Ji7m8r0NLk+pjZODgLh1n+eEio/MO5GqJA4auwrLVsoE31ENR89BAQEEDBdQ7PCJaxGTQ7mTlttZiMWI+A9iRSXCxo8o4jTyHYsQa58qLuuxvBftCkUb3awZy/fpssHBC5j7YTAFcuQe7dPS06gqQZo1vSsqeadkKM9sdULBG2F9EQTOm2adamvBMt5g4bNihv7iXYwzOkeIcyc2l8X0/neuLsxBcxmL/410w30+FApmLZH0YmrHpnsUySjCVhbB2uFMnnIoO9blUd6YVi2JZVTrte7KFHGd0kP3he34XupeIM2R94jGlyO6wBwJ2wIWL1SavOZDCP3OUP2IL6ojkUtQsSoBfa972ddvlsOPiBR06OU5ofYdY6P14sHM0bRpZVx7z7Kfi5smc0go9hAAFNx2WR7iQq6GhkROb0rXosv6X0FYQKvQk6xNVwHjRdl2hcoKOC1DtnGpOMF6rjyjDNNvKzqB/fsz2XVgmU2Hq9wbYHsJg37wfhw4elnaY5A0q6FBHJpZ4xltV3kYJbrof9CLECAwEAAaOCBe4wggXqMFkGA1UdIARSMFAwCAYGZ4EMAQICMA0GCysGAQQBga0hgiweMA8GDSsGAQQBga0hgiwBAQQwEQYPKwYBBAGBrSGCLAEBBAMIMBEGDysGAQQBga0hgiwCAQQDCDAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUtt0aMqR+hTB7feoqGWiQeSBSepcwHwYDVR0jBBgwFoAUazqYi/nyU4na4K2yMh4JH+iqO3QwTQYDVR0RBEYwRIIOZ2l0bGFiLnJscC5uZXSCGW1hdHRlcm1vc3QuZ2l0bGFiLnJscC5uZXSCF3JlZ2lzdHJ5LmdpdGxhYi5ybHAubmV0MIGNBgNVHR8EgYUwgYIwP6A9oDuGOWh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZGZuLWNhLWdsb2JhbC1nMi9wdWIvY3JsL2NhY3JsLmNybDA/oD2gO4Y5aHR0cDovL2NkcDIucGNhLmRmbi5kZS9kZm4tY2EtZ2xvYmFsLWcyL3B1Yi9jcmwvY2FjcmwuY3JsMIHbBggrBgEFBQcBAQSBzjCByzAzBggrBgEFBQcwAYYnaHR0cDovL29jc3AucGNhLmRmbi5kZS9PQ1NQLVNlcnZlci9PQ1NQMEkGCCsGAQUFBzAChj1odHRwOi8vY2RwMS5wY2EuZGZuLmRlL2Rmbi1jYS1nbG9iYWwtZzIvcHViL2NhY2VydC9jYWNlcnQuY3J0MEkGCCsGAQUFBzAChj1odHRwOi8vY2RwMi5wY2EuZGZuLmRlL2Rmbi1jYS1nbG9iYWwtZzIvcHViL2NhY2VydC9jYWNlcnQuY3J0MIIDXgYKKwYBBAHWeQIEAgSCA04EggNKA0gAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAWZZHT6nAAAEAwBHMEUCIHGXZgLIpq31AOsuksgKMjXblIz29TVnT9kf9M/HZjgjAiEAm1i6BL4BLps6tPTCQNyJFInSe0cDthdHGjMSv6XH9kcAdgDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAWZZHT60AAAEAwBHMEUCID3lhT++S8p3VkF+52KvVEvInHY8okafKOZr0TPPjlumAiEAoWGtEfp5WT0ddXlM1aKiOxlvq0F1qlh7SoLl/9k45CwAdQBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6odBxPTDAAAAWZZHT+lAAAEAwBGMEQCIEUYOP1SpTxYd7tJ0dzmwVRNPE7lkBEYywKvAi49bx4ZAiBIzH7xJ5nqYkyAaPUwigUe7Axchl8xmk68F6dJ16e3hAB2AKrnC388uNVmyGwvFpecn0RfaasOtFNVibL3egMBBPPNAAABZlkdPpUAAAQDAEcwRQIhAIzdq+SoMOxjltvmUBw0FRAPnyZoKH5+hVLi+0DMWFm6AiAsGWk8B7EkCWIO4t/B12kPrKtZu7c+D2/Pbm/SHiycIwB2ALvZ37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABZlkdQOoAAAQDAEcwRQIhAP9kHQcJJRZLaBSZsMrZgyYoU0AY9nWWriaFLIh6Kqk8AiAIlugtwVubCRaDiqLa+2mG4SJbkFi5BbdbZqHpbPWlkQB2AESUZS6w7s6vxEAH2Kj+KMDa5oK+2MsxtT/TM5a1toGoAAABZlkdQfcAAAQDAEcwRQIgbCIE0OT0w9EE+ap1ydtLfhAjIkW/SOwwjEOO0rUha9gCIQCZ/U5Gm/UGUl2vHaJEQ9xLy2lVPpyGgcZeoeZuIH1mGgB3AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABZlkdQQQAAAQDAEgwRgIhAJlOpGLXVM7RxriYr9CVt5DCJqZv6zJk4778dA3LhT0OAiEAhZIZlkki6zpW08sp9slOkPF0R3vSP1oXEquEdrQ8RLIwDQYJKoZIhvcNAQELBQADggEBAHZdW4F0c57XBdhoQELva5SwXGPqxcl7a+tngfxbm+bSlQ92SIYWuTk3qT261paI6Klk9d0k44qZ1noxd4hGQIjW83ENutqYQnGQDjI4dQGxfe4XI9QOOo1oOPN6CUY0shTzsJFk0KQy5k5N0m0J2SnD3gI5IzXUsxq7T4L5AQ80ZMGs+lNTV8J4bHX88yfeP1jT78F7LTpmbzn3E1UdHPSP3wyZeHkzwzsBFCa440jKUY+S0V7ZGAaiD6ilTFQqmNta9MBr09TCNUoLZ7aO46gcyUx4ZCjYdXPgkmzcgdq2aDeGCEBmOIHsCH15QxCp/F55r+CeyMXszXa0aOjkCEE=-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIFrDCCBJSgAwIBAgIHG2O60B4sPTANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMCREUxRTBDBgNVBAoTPFZlcmVpbiB6dXIgRm9lcmRlcnVuZyBlaW5lcyBEZXV0c2NoZW4gRm9yc2NodW5nc25ldHplcyBlLiBWLjEQMA4GA1UECxMHREZOLVBLSTEtMCsGA1UEAxMkREZOLVZlcmVpbiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAyMB4XDTE2MDUyNDExMzg0MFoXDTMxMDIyMjIzNTk1OVowgY0xCzAJBgNVBAYTAkRFMUUwQwYDVQQKDDxWZXJlaW4genVyIEZvZXJkZXJ1bmcgZWluZXMgRGV1dHNjaGVuIEZvcnNjaHVuZ3NuZXR6ZXMgZS4gVi4xEDAOBgNVBAsMB0RGTi1QS0kxJTAjBgNVBAMMHERGTi1WZXJlaW4gR2xvYmFsIElzc3VpbmcgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdO3kcR94fhsvGadcQnjnX2aIw23IcBX8pX0to8a0Z1kzhaxuxC3+hq+B7i4vYLc5uiDoQ7lflHn8EUTbrunBtY6C+li5A4dGDTGY9HGRp5ZukrXKuaDlRh3nMF9OuL11jcUs5eutCp5eQaQW/kP+kQHC9A+e/nhiIH5+ZiE0OR41IX2WZENLZKkntwbktHZ8SyxXTP38eVC86rpNXp354ytVK4hrl7UF9U1/Isyr1ijCs7RcFJD+2oAsH/U0amgNSoDac3iSHZeTn+seWcyQUzdDoG2ieGFmudn730Qp4PIdLsDfPU8o6OBDzy0dtjGQ9PFpFSrrKgHy48+enTEzNAgMBAAGjggIFMIICATASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjApBgNVHSAEIjAgMA0GCysGAQQBga0hgiweMA8GDSsGAQQBga0hgiwBAQQwHQYDVR0OBBYEFGs6mIv58lOJ2uCtsjIeCR/oqjt0MB8GA1UdIwQYMBaAFJPj2DIm2tXxSqWRSuDqS+KiDM/hMIGPBgNVHR8EgYcwgYQwQKA+oDyGOmh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NybC9jYWNybC5jcmwwQKA+oDyGOmh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NybC9jYWNybC5jcmwwgd0GCCsGAQUFBwEBBIHQMIHNMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5wY2EuZGZuLmRlL09DU1AtU2VydmVyL09DU1AwSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NhY2VydC9jYWNlcnQuY3J0MEoGCCsGAQUFBzAChj5odHRwOi8vY2RwMi5wY2EuZGZuLmRlL2dsb2JhbC1yb290LWcyLWNhL3B1Yi9jYWNlcnQvY2FjZXJ0LmNydDANBgkqhkiG9w0BAQsFAAOCAQEAgXhFpE6kfw5V8Amxaj54zGg1qRzzlZ4/8/jfazh3iSyNta0+x/KUzaAGrrrMqLGtMwi2JIZiNkx4blDw1W5gjU9SMUOXRnXwYuRuZlHBQjFnUOVJ5zkey5/KhkjeCBT/FUsrZpugOJ8Azv2n69F/Vy3ITF/cEBGXPpYEAlyEqCk5bJT8EJIGe57u2Ea0G7UDDDjZ3LCpP3EGC7IDBzPCjUhjJSU8entXbveKBTjvuKCuL/TbB9VbhBjBqbhLzmyQGoLkuT36d/HSHzMCv1PndvncJiVBby+mG/qkE5D6fH7ZC2Bd7L/KQaBh+xFJKdioLXUV2EoY6hbvVTQiGhONBg==-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIFEjCCA/qgAwIBAgIJAOML1fivJdmBMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYDVQQGEwJERTErMCkGA1UECgwiVC1TeXN0ZW1zIEVudGVycHJpc2UgU2VydmljZXMgR21iSDEfMB0GA1UECwwWVC1TeXN0ZW1zIFRydXN0IENlbnRlcjElMCMGA1UEAwwcVC1UZWxlU2VjIEdsb2JhbFJvb3QgQ2xhc3MgMjAeFw0xNjAyMjIxMzM4MjJaFw0zMTAyMjIyMzU5NTlaMIGVMQswCQYDVQQGEwJERTFFMEMGA1UEChM8VmVyZWluIHp1ciBGb2VyZGVydW5nIGVpbmVzIERldXRzY2hlbiBGb3JzY2h1bmdzbmV0emVzIGUuIFYuMRAwDgYDVQQLEwdERk4tUEtJMS0wKwYDVQQDEyRERk4tVmVyZWluIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLYNf/ZqFBzdL6h5eKc6uZTepnOVqhYIBHFU6MlbLlz87TV0uNzvhWbBVVdgfqRv3IA0VjPnDUq1SAsSOcvjcoqQn/BV0YD8SYmTezIPZmeBeHwp0OzEoy5xadrg6NKXkHACBU3BVfSpbXeLY008F0tZ3pv8B3Teq9WQfgWi9sPKUA3DW9ZQ2PfzJt8lpqS2IB7qw4NFlFNkkF2njKam1bwIFrEczSPKiL+HEayjvigN0WtGd6izbqTpEpPbNRXK2oDL6dNOPRDReDdcQ5HrCUCxLx1WmOJfS4PSu/wI7DHjulv1UQqyquF5deM87I8/QJB+MChjFGawHFEAwRx1npAgMBAAGjggF0MIIBcDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJPj2DIm2tXxSqWRSuDqS+KiDM/hMB8GA1UdIwQYMBaAFL9ZIDYAeaCgImuM1fJh0rgsy4JKMBIGA1UdEwEB/wQIMAYBAf8CAQIwMwYDVR0gBCwwKjAPBg0rBgEEAYGtIYIsAQEEMA0GCysGAQQBga0hgiweMAgGBmeBDAECAjBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vcGtpMDMzNi50ZWxlc2VjLmRlL3JsL1RlbGVTZWNfR2xvYmFsUm9vdF9DbGFzc18yLmNybDCBhgYIKwYBBQUHAQEEejB4MCwGCCsGAQUFBzABhiBodHRwOi8vb2NzcDAzMzYudGVsZXNlYy5kZS9vY3NwcjBIBggrBgEFBQcwAoY8aHR0cDovL3BraTAzMzYudGVsZXNlYy5kZS9jcnQvVGVsZVNlY19HbG9iYWxSb290X0NsYXNzXzIuY2VyMA0GCSqGSIb3DQEBCwUAA4IBAQCHC/8+AptlyFYt1juamItxT9q6Kaoh+UYu9bKkD64ROHk4sw50unZdnugYgpZi20wz6N35at8yvSxMR2BVf+d0a7Qsg9h5a7a3TVALZge17bOXrerufzDmmf0i4nJNPoRb7vnPmep/11I5LqyYAER+aTu/de7QCzsazeX3DyJsR4T2pUeg/dAaNH2t0j13s+70103/w+jlkk9ZPpBHEEqwhVjAb3/4ru0IQp4e1N8ULk2PvJ6Uw+ft9hj4PEnnJqinNtgs3iLNi4LY2XjiVRKjO4dEthEL1QxSr2mMDwbf0KJTi1eYe8/9ByT0/L3D/UqSApcb8re2z2WKGqK1chk5-----END CERTIFICATE-----[32;1mFetching changes with git depth set to 50...[0;mReinitialized existing Git repository in /builds/schlarbm/ci-test/.git/fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.rlp.net/schlarbm/ci-test.git/': SSL certificate problem: unable to get issuer certificatesection_end:1571813886:get_sources[0Ksection_start:1571813886:upload_artifacts_on_failure[0Ksection_end:1571813888:upload_artifacts_on_failure[0K[31;1mERROR: Job failed: exit code 1[0;m
@moschlar@dgalichet@emteedee can I ask you to download this Runner binary when it will be available and test it? We'd like to see the Runner log lines (not the job log!) containing [cert verification], gathered after execution of a job failing with this SSL error. I hope this will show why the root certificate is not added to the chain.
Thanks @moschlar! We think we've found what generates the problem. @steveazz Is now trying to reproduce it.
Meanwhile, I've prepared another patch based on the previous one - 517761ef. Could you download and test the binary from the URL above when this job will succeed: https://gitlab.com/gitlab-org/gitlab-runner/-/jobs/329632135? If we're right, you should get the job working. And then we can work on fixing this properly :)
I've managed to reproduce this on a test instance by adding an intermediate certificate inside the trust CA after which I started getting the exact behavior like folk here are getting (the root CA missing). After testing the patch in 517761ef I was able to get the full chain.
Awesome! We're working on a proper fix. Expect 12.4.1 soon (and I will probably ask for one more test on a development version built for the Merge Request)
I've run into this issue just now. And I'm still seeing the error with the Beta binary linked above. I'm going to go run jobs with 12.3, 12.4 and 12.4.beta and collect logs to share, stand by.
I'll keep checking why USERTrust RSA Certification Authority & InCommon RSA Server CA are not being added to the chain. I'll have to jump into some meeting so most likely I'll get to this tomorrow.
OK with @tmaczukin latest patch in !1643 (2d8b7be4) we are getting closer we are now getting a chain with a length of 5 vs 6 in 12.3.0 but we have the following issues:
One of the chains seems out of order when compared to 12.3
subject= /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA I missing from the chain completely where it should be 2nd position (start from top)
subject= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority is in the wrong order. In our patch, it's 4th position after, whilst in 12.3.0 it's in 4th position. This might seem right, but remember we have 1 cert missing in the 12.4.0 patch so it's in the wrong place.
subject= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority is in the wrong order. In our patch, it's 3rd position whilst in 12.3.0 it's in 4th position
As for the ordering of certificates in the created file: this should be not important. It's used just as a store of the certificates. The program/library that does the verification should itself restore the graph of certificates and check their integrity by loading the certificates from the given store. In fact, it's the new chain that have the certificates ordered from leaf to root
And indeed we're missing one certificate, but from what I can see both chains are completed and are ended with a self-signed one:
Chain for `12.3.0`
---Subject: CN=*.cs.washington.edu,OU=UW-IT,O=University of Washington,POSTALCODE=98195,STREET=4545 15th Ave NE,L=Seattle,ST=WA,C=USIssuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=USValid: from 2018-03-20 00:00:00 +0000 UTC to 2020-03-19 23:59:59 +0000 UTCIssuer URLs: [http://crt.usertrust.com/InCommonRSAServerCA_2.crt]SelfSigned: false---Subject: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=USIssuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=USValid: from 2014-10-06 00:00:00 +0000 UTC to 2024-10-05 23:59:59 +0000 UTCIssuer URLs: [http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt]SelfSigned: false---Subject: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=USIssuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=USValid: from 2014-09-19 00:00:00 +0000 UTC to 2024-09-18 23:59:59 +0000 UTCIssuer URLs: [http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt]SelfSigned: false---Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=USIssuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SEValid: from 2000-05-30 10:48:38 +0000 UTC to 2020-05-30 10:48:38 +0000 UTCIssuer URLs: []SelfSigned: false---Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=USIssuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=USValid: from 2010-02-01 00:00:00 +0000 UTC to 2038-01-18 23:59:59 +0000 UTCIssuer URLs: []SelfSigned: true---Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SEIssuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SEValid: from 2000-05-30 10:48:38 +0000 UTC to 2020-05-30 10:48:38 +0000 UTCIssuer URLs: []SelfSigned: true
@steveazz's chain for 12.3.0*.cs.washington.edu -> InCommon RSA Server CA -> USERTrust RSA Certification Authority -> AddTrust External CA Root (ROOT) -> .@steveazz's chain for 12.4.0 from !1643*.cs.washington.edu -> InCommon RSA Server CA -> USERTrust RSA Certification Authority -> AddTrust External CA Root (ROOT) -> .@steveazz's chain for 12.4.0 from !1643 with first intermediate removedUSERTrust RSA Certification Authority -> AddTrust External CA Root (ROOT) -> .@steveazz's chain for 12.4.0 from !1643 with last certificate (one of the ROOT ones) removed*.cs.washington.edu -> InCommon RSA Server CA -> USERTrust RSA Certification Authority (ROOT) -> .@steveazz's chain for 12.4.0 from !1643 with all ROOT certificates removed*.cs.washington.edu -> InCommon RSA Server CA -> .@mechanicjay's 12.3.0 chain*.cs.washington.edu -> InCommon RSA Server CA -> USERTrust RSA Certification Authority -> AddTrust External CA Root (ROOT) -> .@mechanicjay's 12.4.0 chain*.cs.washington.edu -> InCommon RSA Server CA -> .@mechanicjay's 12.4.0_beta (first fix) chain*.cs.washington.edu -> InCommon RSA Server CA -> .
So the integrity of the chain from !1643 (merged) is the same as for the 12.3.0 version - from the server certificate to one of the Root ones. This should be enough for Git to start working properly. The question is, is the chain created in the same way on the target environment where the problem was reported. @mechanicjay we'd really appreciate if you could test the new patched version and say if it works for you :)
Hello, I was also having a trouble with Runner 12.4.0 and I downloaded the one you mentioned above. But now this error appears in my pipeline:
Pulling docker image gitlab/gitlab-runner-helper:x86_64-2d8b7be4 ... ERROR: Job failed: Error response from daemon: manifest for gitlab/gitlab-runner-helper:x86_64-2d8b7be4 not found: manifest unknown: manifest unknown (executor_docker.go:188:1s)
Running with gitlab-runner 12.5.0~beta.1990.g2d8b7be4 (2d8b7be4) on docker-openjdk8 JbsrjK9dUsing Docker executor with image openjdk:8-slim ...Authenticating with credentials from /root/.docker/config.jsonPulling docker image openjdk:8-slim ...Using docker image sha256:971671e78456acbc3a2226534e382ebd2b2cb07d8c4fabcbe5a72aa3b6021c77 for openjdk:8-slim ...Authenticating with credentials from /root/.docker/config.jsonRunning on runner-JbsrjK9d-project-78-concurrent-0 via teahut.net...Authenticating with credentials from /root/.docker/config.json$ cat $CI_SERVER_TLS_CA_FILE-----BEGIN CERTIFICATE-----MIIGkzCCBXugAwIBAgISA5sIe7engYpYyAC8q1eKR/+BMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTEwMjEyMzEzMzJaFw0yMDAxMTkyMzEzMzJaMBUxEzARBgNVBAMTCnRlYWh1dC5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwUii9vflY2gT2oMMqF5d+yCdUgzPTQzDgqrf5ayqaJa1qryMb1Kh3s+rERsjvIQNeVDnOSn2wkrQKFZJwI7ifqRhX7Sbzv00Qq7ZEMfNlTZBCe7lyLSsclKDZro3eF8OLLoSrx2D4fLaiHQG8cN6zBMcq57dkHpeU5zybTgvOdK0UHkK8i//Ja3ulNRt3ylHEwuzGfBEx2E9Ei7Y+AkLN4o59m+PL5dwkWkL7I04coyVKRGKgNhTaEk+yqLhihe+CRhML575FIp5mU4TKa9d+nfRFXtDU76L8nVtcPWF3cKNaBEIdH+zzdBv4+FmmAVfFdooOd/gLy5JJj7o5EBfbMBje9Nr7k6pzRNTQwsZ6o17Zh30nUJGkkkyqqA5WaqZucfUj5Nw8YC04iQztZ0HCE2l5BlV2hYQJ16WjnUkaBvZu3J8lW5U6rSf+7BnS5GbJ1EBmhFKYHoTBVY76N1sQB8BT63iXrJjRmjHdRqqOaHxiO4oWt3BU+/c+VsWr7BYH6k/fr1FRB3heAUXnnAcq7tN5XlYE3cAW600Al4beNg/gxgAVhmUVtY+W4xUkeDX3Sd4zx7NyijYmEGQMwe/z2Fy3F5vVBSxXGOxXq1C9ewA7iCzJYzhQ190SgwnjC47o06Z6ZGg6zLtDspuo2ggKOqsb6UIstiVZskU9oMfHHQIDAQABo4ICpjCCAqIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTXErQ3S5XsGiO+tBl6es5zghfCFjAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMFwGA1UdEQRVMFOCEWdpdGxhYi50ZWFodXQubmV0gg9sZGFwLnRlYWh1dC5uZXSCEXJlcG9ydC50ZWFodXQubmV0ggp0ZWFodXQubmV0gg53d3cudGVhaHV0Lm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2ALIeBcyLos2KIE6HZvkruYolIGdr2vpw57JJUy3vi5BeAAABbfDPyxQAAAQDAEcwRQIga2gHXBAB1cq9BIqiHNqx7DMiof3PjBgD+hklCUiDU/gCIQC8ShigWuky0xkUsnU2i6dHb6fC4tnuipBszDMVRXAfKAB2AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABbfDPy0gAAAQDAEcwRQIgFNYllcOhMjKbzdYxtQC4opVs/lX05WoFFPA9jdpQR9kCIQDtHEOtq0BZKKgLpnCGZq9f//mA51mQGnaqj2t4WFxABTANBgkqhkiG9w0BAQsFAAOCAQEAcAzT3kmwL36sVSNh7kZ0w8MNDRY7zosLArO+fO0CGBxLShiyo0GUDqpk7+No5CdXkvXvtsb8zfZQ6FmvjiDzDznTEQGLl9iWC7KtXmX3Uw7ZjtuiQuQOuG8moZd2XlqHF0jtiLTdwwcjqQC+h8tYbZEKFsHtDbYhVXos9SStRGHKOcTeVzJRDEPRGAqu60F3ifU9oZt+vD+XiOiUQ60zFz5gsvfNVw8pAMQaj225ehEh6cQpglXVpOozXKn5l89dTOiAm1qnPwHSVnPf6t/Z/c+D410LXuo/qXlkNcZapPe1aClsmMn0GaNVoPy/fcSiaciQu9VTz5YCfvRVDbmJ8w==-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0NlowSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIGCCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9kc3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAwVAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcCARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwuY3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsFAAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJouM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwuX4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlGPfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVowPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEqOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9bxiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaDaeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqGSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXrAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZzR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYoOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ-----END CERTIFICATE-----Fetching changes...Initialized empty Git repository in /builds/liferay-portal/dxp-workspace/.git/Created fresh repository.
@tmaczukin FYI, the patched version also resolves a related problem we experienced with upgrading to gitlab-runner-linux-amd64 12.4.0 and self-signed certificates, when downloading artifacts.
The error we started getting with 12.4.0:
Downloading artifacts for website (9562)...ERROR: Downloading artifacts from coordinator... error couldn't execute GET against https://gitlab.xxx/api/v4/jobs/9562/artifacts: Get https://gitlab.xxx/api/v4/jobs/9562/artifacts: x509: certificate signed by unknown authority id=9562 token=7YxbG2zGWARNING: Retrying... error=invalid argumentERROR: Downloading artifacts from coordinator... error couldn't execute GET against https://gitlab.xxx/api/v4/jobs/9562/artifacts: Get https://gitlab.xxx/api/v4/jobs/9562/artifacts: x509: certificate signed by unknown authority id=9562 token=7YxbG2zGWARNING: Retrying... error=invalid argumentERROR: Downloading artifacts from coordinator... error couldn't execute GET against https://gitlab.xxx/api/v4/jobs/9562/artifacts: Get https://gitlab.xxx/api/v4/jobs/9562/artifacts: x509: certificate signed by unknown authority id=9562 token=7YxbG2zGFATAL: invalid argument ERROR: Job failed: exit code 1
https://gitlab.my.salesforce.com/0016100001PDYiM?srPos=0&srKp=001 Customer is impacted by this and caused numerous of their production pipelines are blocked. Suggested to follow back to their earlier Runner 12.3 but not able to due the nature of how they have setup things. @steveazz Where can I expect an official patch to be the official released ?
@bma we are working on the patch release in !1643 (merged) that should be merged today and a patch release prepare a few minutes after it's merged so expected v12.4.1 out today or tomorrow.
I'm reopening this until we release the patch release and some of your folks verify that it was fixed for you when upgrading to v12.4.1. This was closed by merging !1643 (merged)