Wrong order of installation of custom CA

Describe the bug

Wrong order of installation of custom CA

Expected behavior

Install ca-certificates package, then install Custom CA

Actual behavior

Install Custom CA (fails due to missing dir) -> then install ca-certificates (creates /etc/ssl/certs)

Logs and/or screenshots

$ # BEGSCRIPT # collapsed multi-line command
$ install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
main: line 260: /etc/ssl/certs/ca-certificates.crt: No such file or directory
main: line 264: /etc/ssl/cert.pem: No such file or directory
$ maybe_install_packages ca-certificates git openssh-client gpg gpg-agent
dpkg-query: package 'ca-certificates' is not installed and no information is available
dpkg-query: package 'git' is not installed and no information is available
dpkg-query: package 'openssh-client' is not installed and no information is available
dpkg-query: package 'gpg' is not installed and no information is available
dpkg-query: package 'gpg-agent' is not installed and no information is available
...
[3:29:35 PM] [semantic-release] › ✘  An error occurred while running semantic-release: ExecaError: Command failed with exit code 128: git ls-remote --heads 'https://gitlab-ci-token:[secure]@gitlab.my-domain.com/tbc/cdnko-defaults.git'
fatal: unable to access 'https://gitlab.my-domain.com/tbc/cdnko-defaults.git/': server certificate verification failed. CAfile: none CRLfile: none
    at getFinalError (file:///usr/local/lib/node_modules/semantic-release/node_modules/execa/lib/return/final-error.js:6:9)
    at makeError (file:///usr/local/lib/node_modules/semantic-release/node_modules/execa/lib/return/result.js:108:16)
    at getAsyncResult (file:///usr/local/lib/node_modules/semantic-release/node_modules/execa/lib/methods/main-async.js:167:4)
    at handlePromise (file:///usr/local/lib/node_modules/semantic-release/node_modules/execa/lib/methods/main-async.js:150:17)
    at async getBranches (file:///usr/local/lib/node_modules/semantic-release/lib/git.js:69:11)
    at async default (file:///usr/local/lib/node_modules/semantic-release/lib/branches/expand.js:6:23)
    at async default (file:///usr/local/lib/node_modules/semantic-release/lib/branches/index.js:14:26)
    at async run (file:///usr/local/lib/node_modules/semantic-release/index.js:68:22)
    at async Module.default (file:///usr/local/lib/node_modules/semantic-release/index.js:278:22)
    at async default (file:///usr/local/lib/node_modules/semantic-release/cli.js:55:5) {
  shortMessage: "Command failed with exit code 128: git ls-remote --heads 'https://gitlab-ci-token:[secure]@gitlab.my-domain.com/tbc/cdnko-defaults.git'",
  command: 'git ls-remote --heads https://gitlab-ci-token:[secure]@gitlab.my-domain.com/tbc/cdnko-defaults.git',
  escapedCommand: "git ls-remote --heads 'https://gitlab-ci-token:[secure]@gitlab.my-domain.com/tbc/cdnko-defaults.git'",
  cwd: '/builds/[secure]/0/tbc/cdnko-defaults',
  durationMs: 46.981559,
  failed: true,
  timedOut: [secure],
  isCanceled: [secure],
  isGracefullyCanceled: [secure],
  isTerminated: [secure],
  isMaxBuffer: [secure],
  isForcefullyTerminated: [secure],
  exitCode: 128,
  stdout: '',
  stderr: "fatal: unable to access 'https://gitlab.my-domain.com/tbc/cdnko-defaults.git/': server certificate verification failed. CAfile: none CRLfile: none",

Context & Configuration

The issue was reproduced using:

  • Version of the template: 3.11.4
  • GitLab server(s): self-managed GitLab v17.4.2-ee

Overriding the semantic-release job with the right order will fix this issue.

semantic-release:
  before_script:
    - !reference [.semrel-scripts]
    # install git and OpenSSH
    - maybe_install_packages ca-certificates git openssh-client gpg gpg-agent
    - maybe_install_yq
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
    - cd "${SEMREL_CONFIG_DIR}"
    - prepare_semantic_release
    - install_semantic_release_plugins
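
Added example, not part of the original report and not the template's own `install_ca_certs`: in the log above the failed bundle write does not stop the job, so the problem only surfaces later as git's `server certificate verification failed`. The hypothetical helper `append_ca_to_bundle` below fails at the point of the wrong ordering instead; the demo uses a scratch directory and a constructed placeholder PEM block.

```shell
# Added example: hypothetical helper, not the template's install_ca_certs.
# Usage: append_ca_to_bundle <pem-text> <bundle-path>
# Returns 0 when the CA is in the bundle, 2 when the bundle directory is
# missing (ca-certificates not installed yet), 3 when the input is not PEM.
append_ca_to_bundle() {
  ca_pem=$1
  ca_bundle=$2
  ca_dir=$(dirname "$ca_bundle")

  # The failure from the report: the directory only exists once the
  # ca-certificates package is installed. Stop here, not at the TLS handshake.
  if [ ! -d "$ca_dir" ]; then
    echo "ERROR: $ca_dir is missing; install ca-certificates first" >&2
    return 2
  fi

  case $ca_pem in
    *"-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) ;;
    *) echo "ERROR: input contains no PEM certificate" >&2; return 3 ;;
  esac

  # Idempotence: the first base64 line of the certificate serves as a marker,
  # so re-running the job does not append the same CA twice.
  ca_marker=$(printf '%s\n' "$ca_pem" | sed -n '/-----BEGIN CERTIFICATE-----/{n;p;q;}')
  if [ -n "$ca_marker" ] && grep -qF -- "$ca_marker" "$ca_bundle" 2>/dev/null; then
    return 0
  fi
  printf '%s\n' "$ca_pem" >> "$ca_bundle"
}

# Constructed demo in a scratch directory; no real trust store is touched.
demo_dir=$(mktemp -d)
sample_pem='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLVJFQUwtQ0VSVA==
-----END CERTIFICATE-----'
demo_bundle="$demo_dir/etc/ssl/certs/ca-certificates.crt"

# Wrong order: the bundle directory does not exist yet.
append_ca_to_bundle "$sample_pem" "$demo_bundle" || echo "wrong order caught (exit $?)"

# Right order: mkdir stands in for installing the ca-certificates package.
mkdir -p "$demo_dir/etc/ssl/certs"
append_ca_to_bundle "$sample_pem" "$demo_bundle" && echo "custom CA appended"
rm -rf "$demo_dir"
```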