Gitlab-runner fails with SSL certificate problem: unable to get issuer certificate
Summary
Runner fails with: SSL certificate problem: unable to get issuer certificate. Debugging version of 12.4.1 shows: "Certificate doesn't provide parent URL: exiting the loop"
Steps to reproduce
Using a Starfield Technologies certificate, and the https://ssl-ccp.secureserver.net/repository/sf_bundle-g2.crt bundle.
https://gitlab-runner-downloads.s3.amazonaws.com/add-verbose-logging-for-tls-chain-building/index.html used to extract the specific error.
Relevant logs and/or screenshots
Feb 06 14:35:59 vcs gitlab-runner[31635]: Checking for jobs... received job=1453 repo_url=https://xxxx/xxx.git runner=yGD5f4Ru
Feb 06 14:35:59 vcs gitlab-runner[31635]: [cert verification] Processing the chain with ca_chain.Builder
Feb 06 14:35:59 vcs gitlab-runner[31635]: [cert verification] processing chain chain-leaf=[0xc4204a3b80]
Feb 06 14:35:59 vcs gitlab-runner[31635]: [cert verification] Requesting issure certificate issuer=Starfield Secure Certificate Authority - G2 issuerCertURL=[http://certificates.starfieldtech.com/repository/sfig2.crt] serial=x subject=xx
Feb 06 14:35:59 vcs gitlab-runner[31635]: [cert verification] Requesting issure certificate issuer=Starfield Secure Certificate Authority - G2 issuerCertURL=[http://certificates.starfieldtech.com/repository/sfig2.crt] serial=x subject=xx
Feb 06 14:35:59 vcs gitlab-runner[31635]: [cert verification] Requesting issure certificate - appending the certificate to the chain issuer=Starfield Secure Certificate Authority - G2 issuerCertURL=[http://certificates.starfieldtech.com/repository/sfig2.crt] newCert-issuer=Starfield Root Certificate Authority - G2 newCert-issuerCertURL=[] newCert-serial=7 newCert-subject=Starfield Secure Certificate Authority - G2 serial=x subject=xx
Feb 06 14:35:59 vcs gitlab-runner[31635]: [cert verification] Requesting issure certificate - appending the certificate to the chain issuer=Starfield Secure Certificate Authority - G2 issuerCertURL=[http://certificates.starfieldtech.com/repository/sfig2.crt] newCert-issuer=Starfield Root Certificate Authority - G2 newCert-issuerCertURL=[] newCert-serial=7 newCert-subject=Starfield Secure Certificate Authority - G2 serial=x subject=xx
Feb 06 14:36:00 vcs gitlab-runner[31635]: [cert verification] Certificate doesn't provide parent URL - exiting the loop issuer=Starfield Root Certificate Authority - G2 issuerCertURL=[] serial=7 subject=Starfield Secure Certificate Authority - G2
Feb 06 14:36:00 vcs gitlab-runner[31635]: [cert verification] Verifying certificate issuer=Starfield Root Certificate Authority - G2 issuerCertURL=[] serial=7 subject=Starfield Secure Certificate Authority - G2
Feb 06 14:36:00 vcs gitlab-runner[31635]: [cert verification] Certificate doesn't provide parent URL - exiting the loop issuer=Starfield Root Certificate Authority - G2 issuerCertURL=[] serial=7 subject=Starfield Secure Certificate Authority - G2
Feb 06 14:36:00 vcs gitlab-runner[31635]: [cert verification] Verifying certificate issuer=Starfield Root Certificate Authority - G2 issuerCertURL=[] serial=7 subject=Starfield Secure Certificate Authority - G2
Feb 06 14:36:00 vcs gitlab-runner[31635]: [cert verification] Adding cert from verify chain to the final chain issuer=Starfield Root Certificate Authority - G2 issuerCertURL=[] serial=7 subject=Starfield Secure Certificate Authority - G2
Feb 06 14:36:00 vcs gitlab-runner[31635]: [cert verification] Adding cert from verify chain to the final chain issuer=Starfield Root Certificate Authority - G2 issuerCertURL=[] serial=7 subject=Starfield Secure Certificate Authority - G2
Feb 06 14:36:11 vcs gitlab-runner[31635]: WARNING: Job failed: exit code 1 duration=10.602464336s job=1453 project=152 runner=yGD5f4Ru
Environment description
Self-hosted. No non-default config.toml settings. Using only Docker executors.
Used GitLab Runner version
runner 12.3.0 was the last version that worked. Every release since has had this error.
Edited by Kelly Cochran