Gitlab-CI runner: ignore self-signed certificate

Etienne Gautier picture Etienne Gautier · Jun 9, 2017 · Viewed 34.9k times · Source
gitlab-ci-multi-runner register

gave me

couldn't execute POST against https://xxxx/ci/api/v1/runners/register.json:
Post https://xxxx/ci/api/v1/runners/register.json: 
x509: cannot validate certificate for xxxx because it doesn't contain any IP SANs

Is there a way to disable certification validation?

I'm using Gitlab 8.13.1 and gitlab-ci-multi-runner 1.11.2.

Answer

liberforce picture liberforce · Nov 9, 2017

Based on Wassim's answer, and gitlab documentation about tls-self-signed and custom CA-signed certificates, here's to save some time if you're not the admin of the gitlab server but just of the server with the runners (and if the runner is run as root):

SERVER=gitlab.example.com
PORT=443
CERTIFICATE=/etc/gitlab-runner/certs/${SERVER}.crt

# Create the certificates hierarchy expected by gitlab
sudo mkdir -p $(dirname "$CERTIFICATE")

# Get the certificate in PEM format and store it
openssl s_client -connect ${SERVER}:${PORT} -showcerts </dev/null 2>/dev/null | sed -e '/-----BEGIN/,/-----END/!d' | sudo tee "$CERTIFICATE" >/dev/null

# Register your runner
gitlab-runner register --tls-ca-file="$CERTIFICATE" [your other options]

Update 1: CERTIFICATE must be an absolute path to the certificate file.

Update 2: it might still fail with custom CA-signed because of gitlab-runner bug #2675