
Self-signed cert in gitlab gives: 509: certificate signed by unknown authority

Problem

Trying to create a release with a self-signed GitLab (13.2) repo and https://docs.gitlab.com/ce/ci/yaml/#release, I get the following error:

time="2020-07-24T07:03:05Z" level=info msg="Creating Release..." cli=release-cli command=create name="Release 305cba77948feaa3a31ab5ef8d8b93ed49db48e3" project-id=24 ref=305cba77948feaa3a31ab5ef8d8b93ed49db48e3 server-url="https://gitlab..local" tag-name=v.. version=0.3.0
time="2020-07-24T07:03:05Z" level=fatal msg="failed to create release: failed to do request: Post https://gitlab.*.local/api/v4/projects/24/releases: x509: certificate signed by unknown authority" cli=release-cli version=0.3.0

ci code:

release_job:
  stage: release
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules:
    - if: $CI_COMMIT_TAG
      when: never                                 # Do not run this job when a tag is created manually
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH # Run this job when the default branch changes
  script:
    - echo 'running release_job'
  release:
     name: 'Release $CI_COMMIT_SHA'
     description: 'Created using the release-cli $EXTRA_DESCRIPTION' # $EXTRA_DESCRIPTION and the tag_name
     tag_name: 'v${MAJOR}.${MINOR}.${REVISION}'                      # variables must be defined elsewhere
     ref: '$CI_COMMIT_SHA'     

Workaround

Connect to your $CI_SERVER_HOST to obtain the certificate from the server and install it in the Docker container's certificates:

before_script:
    - apk --no-cache add openssl ca-certificates
    - mkdir -p /usr/local/share/ca-certificates/extra
    - openssl s_client -connect ${CI_SERVER_HOST}:${CI_SERVER_PORT} -servername ${CI_SERVER_HOST} -showcerts </dev/null 2>/dev/null | sed -e '/-----BEGIN/,/-----END/!d' | tee "/usr/local/share/ca-certificates/${CI_SERVER_HOST}.crt" >/dev/null
    - update-ca-certificates

Recommendation

(To be confirmed)

Define the SSL_CERT_FILE or SSL_CERT_DIR environment variable in your CI job. This requires access to the custom certificate. The release-cli Docker image is Alpine-based, so those variables should be loaded.

Add variables to your release job:

release_job:
  stage: release
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  variables:
    SSL_CERT_FILE: '/path/to/cert/file' # assuming the cert exists in your repo or it has been downloaded before
    SSL_CERT_DIR: '/path/to/cert/dir/'  # use this variable if you want to use more than one custom certificate
Edited by Jaime Martinez
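
The workaround above trusts whatever certificate the server presents at job time. The following added example (not part of the original issue or of release-cli) installs the fetched certificate only when it matches a pin; the function names and the `EXPECTED_PEM_SHA256` CI/CD variable are hypothetical, and the pin is assumed to be the SHA-256 of the normalized PEM text, recorded out of band.

```shell
#!/bin/sh
# Added example: pin the certificate fetched by the workaround before trusting it.
# EXPECTED_PEM_SHA256 is a hypothetical CI/CD variable (assumption), holding the
# SHA-256 of the normalized PEM text as recorded by an administrator.

# Keep only the PEM blocks and strip carriage returns so the hash is stable.
normalize_pem() {
    tr -d '\r' < "$1" |
        sed -e '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/!d'
}

# Print the SHA-256 (hex) of the normalized PEM text in file $1.
pem_sha256() {
    normalize_pem "$1" | sha256sum | cut -d' ' -f1
}

# install_pinned_cert <fetched.pem> <expected-sha256> <dest.crt>
# Returns 0 and writes <dest.crt> only when the file holds a certificate
# and its hash matches the pin; 1 on mismatch, 2 when nothing was received.
install_pinned_cert() {
    fetched=$1 expected=$2 dest=$3
    # The workaround hides s_client errors with 2>/dev/null, so an empty or
    # certificate-free file has to be treated as a failure here.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$fetched" 2>/dev/null; then
        echo "no certificate received from server" >&2
        return 2
    fi
    actual=$(pem_sha256 "$fetched")
    # Accept pins pasted in upper-case hex.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "certificate pin mismatch: got $actual" >&2
        return 1
    fi
    normalize_pem "$fetched" > "$dest"
}

# In before_script, after saving the s_client output to /tmp/fetched.pem:
#   install_pinned_cert /tmp/fetched.pem "$EXPECTED_PEM_SHA256" \
#     "/usr/local/share/ca-certificates/${CI_SERVER_HOST}.crt" \
#     && update-ca-certificates
```
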