
tls "certificate signed by unknown authority" error after GitLab upgrade from 17 to 18

Description

After upgrading from GitLab 17 to 18, one of our pipeline jobs creating a release stopped working.

No code change: release jobs were always successful before the upgrade (latest 2h before), and starting with the first job after the upgrade (earliest 1h after) they all failed.

It would seem that the content of the $ADDITIONAL_CA_CERT_BUNDLE variable is now lost in the release step. However, setting that variable as a CI variable overcomes the issue (temporary workaround).

P.S: when troubleshooting I was able to verify that the $ADDITIONAL_CA_CERT_BUNDLE variable had the proper content from within the script section of the job, but it's somehow either lost or unset in the release step.

Edit

The change in behaviour seems to be linked to the change in this file: releaser.rb, which now explicitly refers to $ADDITIONAL_CA_CERT_BUNDLE to set the CA certificate.

tls error

tls: failed to verify certificate: x509: certificate signed by unknown authority

release step output

Executing "step_release" stage of the job script 00:01
$ if command -v glab &> /dev/null; then # collapsed multi-line command
A new version of glab has been released: v1.58.0 -> v1.68.0
https://gitlab.com/gitlab-org/cli/-/releases/v1.68.0
Setting CA certificate for gitlab.foo.com
• Creating or updating release repo=x_te/project/x_project tag=1.8.13
x release failed after 0.01 seconds. error=Get "https://gitlab.foo.com/api/v4/projects/x_te%2Fproject%2Fx_project/releases/1%2E8%2E13": tls: failed to verify certificate: x509: certificate signed by unknown authority

job

.create_release:
  extends: .before_script
  stage: release_and_changelog
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  variables:
    ADDITIONAL_CA_CERT_BUNDLE: foo-ca.pem
  needs:
    - job: prepare_release
      artifacts: true
  rules:
  - if: '$CI_COMMIT_TAG =~ /^\d+\.\d+\.\d+$/'
  script:
    - echo "Creating release"
  release:
    name: 'Release $CI_COMMIT_TAG'
    description: release_notes.md
    tag_name: '$CI_COMMIT_TAG'
    ref: '$CI_COMMIT_SHA'
Edited by Donovan Rooks
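
A diagnostic that could be run from the job's script section to record what $ADDITIONAL_CA_CERT_BUNDLE actually holds and whether the server chain verifies against it. This is an added example, not code from the issue or from GitLab; the function names are hypothetical, and it assumes `grep`, `mktemp` and (for the network check only) `openssl` are available in the image.

```shell
#!/bin/sh
# Added diagnostic sketch, not GitLab's code. Function names are hypothetical.
BEGIN_MARK='-----BEGIN CERTIFICATE-----'

# Classify the value of ADDITIONAL_CA_CERT_BUNDLE. Prints one of:
#   unset | pem-inline:<certs> | pem-file:<certs> | file-without-pem | not-pem-not-file
# A relative name such as foo-ca.pem is resolved against the current
# directory, so the result can differ between job steps.
classify_ca_bundle() {
  local value
  value="${1-}"
  if [ -z "$value" ]; then
    echo "unset"
  elif printf '%s\n' "$value" | grep -q -F -- "$BEGIN_MARK"; then
    echo "pem-inline:$(printf '%s\n' "$value" | grep -c -F -- "$BEGIN_MARK")"
  elif [ -f "$value" ]; then
    if grep -q -F -- "$BEGIN_MARK" "$value"; then
      echo "pem-file:$(grep -c -F -- "$BEGIN_MARK" "$value")"
    else
      echo "file-without-pem"
    fi
  else
    echo "not-pem-not-file"
  fi
}

# Check that the server chain verifies against the bundle (needs network).
# Returns 2 when the value is not a usable bundle, otherwise openssl's status.
verify_with_bundle() {
  local host value file
  host="$1"; value="${2-}"
  case "$(classify_ca_bundle "$value")" in
    pem-inline:*) file=$(mktemp); printf '%s\n' "$value" > "$file" ;;
    pem-file:*)   file="$value" ;;
    *) echo "no usable CA bundle for $host" >&2; return 2 ;;
  esac
  openssl s_client -connect "$host:443" -servername "$host" \
    -CAfile "$file" -verify_return_error </dev/null >/dev/null 2>&1
}

# In a job: report the state seen by the current step.
echo "ADDITIONAL_CA_CERT_BUNDLE: $(classify_ca_bundle "${ADDITIONAL_CA_CERT_BUNDLE-}")"
```

Running it with `verify_with_bundle gitlab.foo.com "$ADDITIONAL_CA_CERT_BUNDLE"` (the hostname from the job log above) separates a bundle that is missing from one that is present but does not cover the server's issuing CA.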