duanfu9523 2017-06-09 12:55
Views: 691
Accepted

Gitlab-CI runner: ignore self-signed certificate

gitlab-ci-multi-runner register

gave me

couldn't execute POST against https://xxxx/ci/api/v1/runners/register.json:
Post https://xxxx/ci/api/v1/runners/register.json: 
x509: cannot validate certificate for xxxx because it doesn't contain any IP SANs

Is there a way to disable certificate validation?

I'm using Gitlab 8.13.1 and gitlab-ci-multi-runner 1.11.2.


6 answers

  • dth8312 2017-11-09 16:13 (Accepted)

    Based on Wassim's answer, and gitlab documentation about tls-self-signed and custom CA-signed certificates, here's to save some time if you're not the admin of the gitlab server but just of the server with the runners (and if the runner is run as root):

    SERVER=gitlab.example.com
    PORT=443
    CERTIFICATE=/etc/gitlab-runner/certs/${SERVER}.crt
    
    # Create the certificates hierarchy expected by gitlab
    sudo mkdir -p $(dirname "$CERTIFICATE")
    
    # Get the certificate in PEM format and store it
    openssl s_client -connect ${SERVER}:${PORT} -showcerts </dev/null 2>/dev/null | sed -e '/-----BEGIN/,/-----END/!d' | sudo tee "$CERTIFICATE" >/dev/null
    
    # Register your runner
    gitlab-runner register --tls-ca-file="$CERTIFICATE" [your other options]
    

    Update 1: the certificate needs to be an absolute path at the right location.

    Update 2: it might still fail with custom CA-signed because of gitlab bug #2675

  • doukun8944 2017-06-09 13:11

    Currently there is no possibility to run the multi runner with an insecure ssl option.

    There is currently an open issue at GitLab about that.

    Still, you should be able to get your certificate, make it a PEM file and give it to the runner command using --tls-ca-file.

    To craft the PEM file, use openssl:
    openssl x509 -in mycert.crt -out mycert.pem -outform PEM

  • doumen5087 2017-06-10 16:28

    OK, I followed this post step by step: http://moonlightbox.logdown.com/posts/2016/09/12/gitlab-ci-runner-register-x509-error, and then it worked like a charm. To prevent a dead link, I copy the steps below:

    First edit ssl configuration on the GitLab server (not the runner)

    vim /etc/pki/tls/openssl.cnf
    
    [ v3_ca ]
    subjectAltName=IP:192.168.1.1 <---- Add this line. 192.168.1.1 is your GitLab server IP.
    

    Re-generate self-signed certificate

    cd /etc/gitlab/ssl
    sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/gitlab/ssl/192.168.1.1.key -out /etc/gitlab/ssl/192.168.1.1.crt
    sudo openssl dhparam -out /etc/gitlab/ssl/dhparam.pem 2048
    sudo gitlab-ctl restart
    

    Copy the new CA to the GitLab CI runner

    scp /etc/gitlab/ssl/192.168.1.1.crt root@192.168.1.2:/etc/gitlab-runner/certs
    

    Thanks @Moon Light @Wassim Dhif

  • doulizhi1247 2018-01-19 19:02

    In my case I got it working by adding the path to the .pem file as following:

    sudo gitlab-runner register --tls-ca-file /my/path/gitlab/gitlab.myserver.com.pem
    
  • dongyakui8675 2018-03-07 07:07

    In my setup the following worked as well. It's just important that the IP/name used for creating the certificate matches the IP/name used for registering the runner.

    gitlab-runner register --tls-ca-file /my/path/gitlab/gitlab.myserver.com.pem

    Furthermore, it could be necessary to add a line for hostname lookup to the runner's config.toml file as well (section [runners.docker]): extra_hosts = ["git.domain.com:192.168.99.100"]; see also https://gitlab.com/gitlab-org/gitlab-runner/issues/2209

    In addition, there could be some network trouble if network mode host is used for gitlab/gitlab-runner: it has to be added to the config.toml as well (section [runners.docker]: network_mode="host"), as the runner starts additional containers, which otherwise could have a problem connecting to the gitlab host.

    Finally, there might be an issue with the self-signed SSL-Cert (https://gitlab.com/gitlab-org/gitlab-runner/issues/2659). A dirty workaround is to add environment = ["GIT_SSL_NO_VERIFY=true"] to the [[runners]] section.

  • douzi7711 2018-12-20 02:45

    The following steps worked in my environment. (Ubuntu)

    Download certificate
    I did not have access to the gitlab server. Therefore,

    1. Open https://some-host-gitlab.com in browser (I use chrome).
    2. View site information, usually a green lock in URL bar.
    3. Download/export the certificate by navigating to the certificate information (Chrome and Firefox have this option).

    In gitlab-runner host

    1. Rename the downloaded certificate with .crt

      $ mv some-host-gitlab.com some-host-gitlab.com.crt

    2. Register the runner now with this file

      $ sudo gitlab-runner register --tls-ca-file /path/to/some-host-gitlab.com.crt

    I was able to register runner to a project.

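The error in the question and the fixes in the answers (a PEM CA file for --tls-ca-file, a certificate that carries an IP SAN, and registering with the same name the certificate was issued for) can be reproduced offline with Go's crypto/x509, the library whose message the question quotes. The program below is an added example written for this page, not code from GitLab or gitlab-runner: the certificates, the address 192.168.1.1 and the host names are constructed, and loading the CA bundle with AppendCertsFromPEM is assumed to be equivalent to what --tls-ca-file does rather than taken from the runner's source.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert issues a self-signed server certificate, roughly what the
// `openssl req -x509` step in the thread produces, with subjectAltName built
// from dnsNames and ips. Passing no ips reproduces the certificate the question hit.
func selfSignedCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "gitlab.example.com"}, // CN alone is ignored by Go's verifier
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the leaf is its own trust anchor
		DNSNames:              dnsNames,
		IPAddresses:           ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// toPEM renders the certificate the way `openssl s_client -showcerts | sed ...`
// or `openssl x509 -outform PEM` does: the format --tls-ca-file expects.
func toPEM(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

// caPoolFromPEM loads that bundle into a root pool; assumed to be what a Go TLS
// client does with the --tls-ca-file contents (not taken from the runner's code).
func caPoolFromPEM(bundle []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, errors.New("no CERTIFICATE block found in PEM bundle")
	}
	return pool, nil
}

// verifyAs applies the checks a Go TLS client runs when it dials host:
// chain building against roots, then DNS-name or IP-SAN matching.
func verifyAs(host string, cert *x509.Certificate, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// classify maps the verification errors to the situations seen in the thread.
func classify(err error) string {
	var hn x509.HostnameError
	var ua x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &ua):
		return "unknown-authority" // CA not in the pool: pass it with --tls-ca-file
	case errors.As(err, &hn) && net.ParseIP(hn.Host) != nil && len(hn.Certificate.IPAddresses) == 0:
		return "no-ip-san" // the question's "doesn't contain any IP SANs"
	case errors.As(err, &hn):
		return "name-mismatch" // SANs exist, but not for the name used to register
	default:
		return "other: " + err.Error()
	}
}

func main() {
	// Constructed sample values; 192.168.1.1 stands in for the GitLab host.
	noSAN, err1 := selfSignedCert([]string{"gitlab.example.com"}, nil)
	withSAN, err2 := selfSignedCert([]string{"gitlab.example.com"}, []net.IP{net.ParseIP("192.168.1.1")})
	if err1 != nil || err2 != nil {
		panic("certificate generation failed")
	}
	for _, c := range []*x509.Certificate{noSAN, withSAN} {
		pool, err := caPoolFromPEM(toPEM(c)) // the file you would hand to --tls-ca-file
		if err != nil {
			panic(err)
		}
		for _, host := range []string{"gitlab.example.com", "192.168.1.1", "10.0.0.1"} {
			fmt.Printf("IP SANs %v, registered as %-18s -> %s\n", c.IPAddresses, host, classify(verifyAs(host, c, pool)))
		}
	}
	// No --tls-ca-file at all: the chain cannot be built, whatever name is used.
	fmt.Println("no CA file, registered as 192.168.1.1 ->", classify(verifyAs("192.168.1.1", withSAN, x509.NewCertPool())))
}
```

Run it with go run. The "no-ip-san" rows are the question's exact failure, "name-mismatch" is the case one answer warns about (certificate issued for one name, runner registered with another), and "unknown-authority" is what registration sees without --tls-ca-file. An insecure option or GIT_SSL_NO_VERIFY would skip all three checks at once, which is why handing the runner the PEM file and reissuing the certificate with the right SAN is the better fix.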
