How to make GitLab Runner in Docker see a custom CA Root certificate












4
















I have installed and configured:




  1. an on-premises GitLab Omnibus on ServerA running on HTTPS

  2. an on-premises GitLab-Runner installed as Docker Service in ServerB


ServerA certificate is generated by a custom CA Root



The Configuration



I've have put the CA Root Certificate on ServerB:



/srv/gitlab-runner/config/certs/ca.crt


Installed the Runner on ServerB as described in Run GitLab Runner in a container - Docker image installation and configuration:



docker run -d --name gitlab-runner --restart always 

           -v /srv/gitlab-runner/config:/etc/gitlab-runner 

           -v /var/run/docker.sock:/var/run/docker.sock 

           gitlab/gitlab-runner:latest


Registered the Runner as described in Registering Runners - One-line registration command:



docker run --rm -t -i 

            -v /srv/gitlab-runner/config:/etc/gitlab-runner 

           --name gitlab-docker-runner gitlab/gitlab-runner register 

           --non-interactive 

           --executor "docker" 

           --docker-image alpine:latest 

           --url "https://MY_PRIVATE_REPO_URL_HERE/" 

           --registration-token "MY_PRIVATE_TOKEN_HERE" 

           --description "MyDockerServer-Runner" 

           --tag-list "TAG_1,TAG_2,TAG_3" 

           --run-untagged 

           --locked="false"


This command gave the following output:




Updating CA certificates...

Runtime platform arch=amd64 os=linux pid=5 revision=cf91d5e1 version=11.4.2

Running in system-mode.



Registering runner... succeeded runner=8UtcUXCY

Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!




I checked with



$ docker exec -it gitlab-runner bash


and once in the container with



$ awk -v cmd='openssl x509 -noout -subject' '

/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt


and the custom CA root is correctly there.



The Problem



When running Gitlab-Runner from GitLab-CI, the pipeline fails miserably telling me that:




$ git clone https://gitlab-ci-token:${CI_BUILD_TOKEN}@ServerA/foo/bar/My-Project.wiki.git




Cloning into 'My-Project.wiki'...




fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@ServerA/foo/bar/My-Project.wiki.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none




ERROR: Job failed: exit code 1




It does not recognize the Issuer (my custom CA Root), but according to The self-signed certificates or custom Certification Authorities, point n.1, it should out-of-the-box:




Default: GitLab Runner reads system certificate store and verifies the GitLab server against the CA’s stored in system.




I've then tried the solution from point n.3, editing 



/srv/gitlab-runner/config/config.toml:


and adding: 



[[runners]]

tls-ca-file = "/srv/gitlab-runner/config/certs/ca.crt"


But it still doesn't work.



How can I make Gitlab Runner read the CA Root certificate?






docker gitlab gitlab-ci gitlab-ci-runner root-certificate







share|improve this question





























    4
















    I have installed and configured:




    1. an on-premises GitLab Omnibus on ServerA running on HTTPS

    2. an on-premises GitLab-Runner installed as Docker Service in ServerB


    ServerA certificate is generated by a custom CA Root



    The Configuration



    I've have put the CA Root Certificate on ServerB:



    /srv/gitlab-runner/config/certs/ca.crt


    Installed the Runner on ServerB as described in Run GitLab Runner in a container - Docker image installation and configuration:



    docker run -d --name gitlab-runner --restart always 
    
           -v /srv/gitlab-runner/config:/etc/gitlab-runner 
    
           -v /var/run/docker.sock:/var/run/docker.sock 
    
           gitlab/gitlab-runner:latest


    Registered the Runner as described in Registering Runners - One-line registration command:



    docker run --rm -t -i 
    
            -v /srv/gitlab-runner/config:/etc/gitlab-runner 
    
           --name gitlab-docker-runner gitlab/gitlab-runner register 
    
           --non-interactive 
    
           --executor "docker" 
    
           --docker-image alpine:latest 
    
           --url "https://MY_PRIVATE_REPO_URL_HERE/" 
    
           --registration-token "MY_PRIVATE_TOKEN_HERE" 
    
           --description "MyDockerServer-Runner" 
    
           --tag-list "TAG_1,TAG_2,TAG_3" 
    
           --run-untagged 
    
           --locked="false"


    This command gave the following output:




    Updating CA certificates...

    Runtime platform arch=amd64 os=linux pid=5 revision=cf91d5e1 version=11.4.2

    Running in system-mode.



    Registering runner... succeeded runner=8UtcUXCY

    Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!




    I checked with



    $ docker exec -it gitlab-runner bash


    and once in the container with



    $ awk -v cmd='openssl x509 -noout -subject' '
    
/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt


    and the custom CA root is correctly there.



    The Problem



    When running Gitlab-Runner from GitLab-CI, the pipeline fails miserably telling me that:




    $ git clone https://gitlab-ci-token:${CI_BUILD_TOKEN}@ServerA/foo/bar/My-Project.wiki.git




    Cloning into 'My-Project.wiki'...




    fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@ServerA/foo/bar/My-Project.wiki.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none




    ERROR: Job failed: exit code 1




    It does not recognize the Issuer (my custom CA Root), but according to The self-signed certificates or custom Certification Authorities, point n.1, it should out-of-the-box:




    Default: GitLab Runner reads system certificate store and verifies the GitLab server against the CA’s stored in system.




    I've then tried the solution from point n.3, editing 



    /srv/gitlab-runner/config/config.toml:


    and adding: 



    [[runners]]
    
tls-ca-file = "/srv/gitlab-runner/config/certs/ca.crt"


    But it still doesn't work.



    How can I make Gitlab Runner read the CA Root certificate?






    docker gitlab gitlab-ci gitlab-ci-runner root-certificate







    share|improve this question



























      4












      4








      4


      2







      I have installed and configured:




      1. an on-premises GitLab Omnibus on ServerA running on HTTPS

      2. an on-premises GitLab-Runner installed as Docker Service in ServerB


      ServerA certificate is generated by a custom CA Root



      The Configuration



      I've have put the CA Root Certificate on ServerB:



      /srv/gitlab-runner/config/certs/ca.crt


      Installed the Runner on ServerB as described in Run GitLab Runner in a container - Docker image installation and configuration:



      docker run -d --name gitlab-runner --restart always 
      
           -v /srv/gitlab-runner/config:/etc/gitlab-runner 
      
           -v /var/run/docker.sock:/var/run/docker.sock 
      
           gitlab/gitlab-runner:latest


      Registered the Runner as described in Registering Runners - One-line registration command:



      docker run --rm -t -i 
      
            -v /srv/gitlab-runner/config:/etc/gitlab-runner 
      
           --name gitlab-docker-runner gitlab/gitlab-runner register 
      
           --non-interactive 
      
           --executor "docker" 
      
           --docker-image alpine:latest 
      
           --url "https://MY_PRIVATE_REPO_URL_HERE/" 
      
           --registration-token "MY_PRIVATE_TOKEN_HERE" 
      
           --description "MyDockerServer-Runner" 
      
           --tag-list "TAG_1,TAG_2,TAG_3" 
      
           --run-untagged 
      
           --locked="false"


      This command gave the following output:




      Updating CA certificates...

      Runtime platform arch=amd64 os=linux pid=5 revision=cf91d5e1 version=11.4.2

      Running in system-mode.



      Registering runner... succeeded runner=8UtcUXCY

      Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!




      I checked with



      $ docker exec -it gitlab-runner bash


      and once in the container with



      $ awk -v cmd='openssl x509 -noout -subject' '
      
/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt


      and the custom CA root is correctly there.



      The Problem



      When running Gitlab-Runner from GitLab-CI, the pipeline fails miserably telling me that:




      $ git clone https://gitlab-ci-token:${CI_BUILD_TOKEN}@ServerA/foo/bar/My-Project.wiki.git




      Cloning into 'My-Project.wiki'...




      fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@ServerA/foo/bar/My-Project.wiki.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none




      ERROR: Job failed: exit code 1




      It does not recognize the Issuer (my custom CA Root), but according to The self-signed certificates or custom Certification Authorities, point n.1, it should out-of-the-box:




      Default: GitLab Runner reads system certificate store and verifies the GitLab server against the CA’s stored in system.




      I've then tried the solution from point n.3, editing 



      /srv/gitlab-runner/config/config.toml:


      and adding: 



      [[runners]]
      
tls-ca-file = "/srv/gitlab-runner/config/certs/ca.crt"


      But it still doesn't work.



      How can I make Gitlab Runner read the CA Root certificate?






      docker gitlab gitlab-ci gitlab-ci-runner root-certificate







      share|improve this question

















      I have installed and configured:




      1. an on-premises GitLab Omnibus on ServerA running on HTTPS

      2. an on-premises GitLab-Runner installed as Docker Service in ServerB


      ServerA certificate is generated by a custom CA Root



      The Configuration



      I've have put the CA Root Certificate on ServerB:



      /srv/gitlab-runner/config/certs/ca.crt


      Installed the Runner on ServerB as described in Run GitLab Runner in a container - Docker image installation and configuration:



      docker run -d --name gitlab-runner --restart always 
      
           -v /srv/gitlab-runner/config:/etc/gitlab-runner 
      
           -v /var/run/docker.sock:/var/run/docker.sock 
      
           gitlab/gitlab-runner:latest


      Registered the Runner as described in Registering Runners - One-line registration command:



      docker run --rm -t -i 
      
            -v /srv/gitlab-runner/config:/etc/gitlab-runner 
      
           --name gitlab-docker-runner gitlab/gitlab-runner register 
      
           --non-interactive 
      
           --executor "docker" 
      
           --docker-image alpine:latest 
      
           --url "https://MY_PRIVATE_REPO_URL_HERE/" 
      
           --registration-token "MY_PRIVATE_TOKEN_HERE" 
      
           --description "MyDockerServer-Runner" 
      
           --tag-list "TAG_1,TAG_2,TAG_3" 
      
           --run-untagged 
      
           --locked="false"


      This command gave the following output:




      Updating CA certificates...

      Runtime platform arch=amd64 os=linux pid=5 revision=cf91d5e1 version=11.4.2

      Running in system-mode.



      Registering runner... succeeded runner=8UtcUXCY

      Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!




      I checked with



      $ docker exec -it gitlab-runner bash


      and once in the container with



      $ awk -v cmd='openssl x509 -noout -subject' '
      
/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt


      and the custom CA root is correctly there.



      The Problem



      When running Gitlab-Runner from GitLab-CI, the pipeline fails miserably telling me that:




      $ git clone https://gitlab-ci-token:${CI_BUILD_TOKEN}@ServerA/foo/bar/My-Project.wiki.git




      Cloning into 'My-Project.wiki'...




      fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@ServerA/foo/bar/My-Project.wiki.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none




      ERROR: Job failed: exit code 1




      It does not recognize the Issuer (my custom CA Root), but according to The self-signed certificates or custom Certification Authorities, point n.1, it should out-of-the-box:




      Default: GitLab Runner reads system certificate store and verifies the GitLab server against the CA’s stored in system.




      I've then tried the solution from point n.3, editing 



      /srv/gitlab-runner/config/config.toml:


      and adding: 



      [[runners]]
      
tls-ca-file = "/srv/gitlab-runner/config/certs/ca.crt"


      But it still doesn't work.



      How can I make Gitlab Runner read the CA Root certificate?






      docker gitlab gitlab-ci gitlab-ci-runner root-certificate




      docker gitlab gitlab-ci gitlab-ci-runner root-certificate






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 13 at 11:55

























      asked Nov 5 at 17:25









      Andrea Ligios

      39.7k1575169




      39.7k1575169
























          3 Answers
          3






          active

          oldest

          votes


















          3
















          While I've still not got why it doesn't work out-of-the-box, I've found the Egg of Columbus:



          Gitlab-Runner configuration:



          [[runners]]
          
  name = "MyDockerServer-Runner"
          
  url = "https://MY_PRIVATE_REPO_URL_HERE/"
          
  token = "MY_TOKEN_HERE"
          
  executor = "docker"
          
  ...
          
  [runners.docker]
          
    image = "ubuntu:latest"
          

          
  # The trick is the following:
          
    volumes = ["/cache","/srv/gitlab-runner/config:/etc/gitlab-runner"]
          
    ...


          Gitlab-ci.yml pipeline:



          MyJob:
          
    image: ubuntu:latest
          

          
    script:
          
      - awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
          
      - git clone https://gitlab-ci-token:${CI_BUILD_TOKEN}@ServerA/foo/bar/My-Project.wiki.git
          
      - wget -O foo.png https://ServerA/foo/bar/foo.png 
          

          
    before_script:
          
      - apt-get update -y >/dev/null
          
      - apt-get install -y apt-utils dialog >/dev/null
          
      - apt-get install -y git >/dev/null
          
      - apt-get install -y wget >/dev/null
          

          
    # The trick is the following:
          
      - cp /etc/gitlab-runner/certs/ca.crt /usr/local/share/ca-certificates/ca.crt
          
      - update-ca-certificates


          That's it:




          • Mount the volume once (per Docker executor)

          • Update the CA certificates once (per job)


          And everything will work as expected: git clone, wget https, etc...



          A great workaround, until someone at GitLab will fix it or explain me where I'm wrong (be my guest!)






          share|improve this answer





























            1





            +50









            You have two options:



            Ignore SSL verification



            Put this at the top of your .gitlab-ci.yml:



            variables:
            
  GIT_SSL_NO_VERIFY: "1"


            Point GitLab-Runner to the proper certificate



            As outlined in the official documentation, you can use the tls-*-file options to setup your certificate, e.g.:



            [[runners]]
            
  ...
            
  tls-ca-file = "/etc/gitlab-runner/ssl/ca-bundle.crt"
            
  [runners.docker]
            
  ...


            As the documentation states, "this file will be read every time when runner tries to access the GitLab server."



            Other options include tls-cert-file to define the certificate to be used if needed.






            share|improve this answer























            • @AndreaLigios check the logging output of the gitlab-runner process; maybe you could incorporate more information about your setup - which of the several methods of installing the runner did you chose, etc.
              – Philipp Ludwig
              Nov 8 at 11:58










            • You mean /srv/gitlab-runner/config/certs I guess. It's not working, in either way... this thing is driving me crazy. I can clearly see that the Gitlab-Runner installed as Docker Service is accepting the CA root and updating its certificates; logging it and checking, it's there. The problem is that the Runner spawned by GitLab-CI is not. My configuration is the default one for a containerized GitLab-Runner, if I make it print the CAs from gitlab-ci, the custom CA is not there :/
              – Andrea Ligios
              Nov 13 at 10:51










            • I've re-edited the question adding all the details and the links to the docs. tls-ca-file from your answer should be in [[runners]] section, not in [runners.docker] section, but it doesn't work the same :(
              – Andrea Ligios
              Nov 13 at 11:36










            • @AndreaLigios Yeah, I now think the certificate is only for the communication between the runner and gitlab for the jobs, but not for the git checkout - I guess you will have to live with GIT_SSL_NO_VERIFY or find a way to tell git about your certificate.
              – Philipp Ludwig
              Nov 13 at 11:42






            • 1




              Even if your solution didn't work, I've awarded your answer because you've spent some time on it and I hate wasting stuff. Enjoy.
              – Andrea Ligios
              Nov 20 at 17:19





















            0














            From the output you provided i think that the certificate might be OK but you are lacking the CRL file : server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none



            The CRL file is used to verify that even if the certificate is valid is hasn't been revoked by the CA owner. You shoudl then need to :



            1) Generate a CRL file based on your CA:



            openssl ca -gencrl -keyfile ca.key -cert ca.crt -out crl.pem


            source: https://blog.didierstevens.com/2013/05/08/howto-make-your-own-cert-and-revocation-list-with-openssl/



            2) Instruct the runner to use it : 



            [[runners]]
            
  ...
            
  tls-ca-file = "/etc/gitlab-runner/ssl/ca-bundle.crt"
            
  crl-file = "/etc/gitlab-runner/ssl/ca.crl"


            3) Of course setting GIT_SSL_NO_VERIFY will work but you will be more sensitive to man-in-the-middle attacks






            share|improve this answer























            • Thank you for your answer, I'll try it ASAP (though I'm not convinced yet CRL is mandatory). As said in the other answer, according to the docs, tls-ca-file should stay in [[runners]] not in [runners.docker] :)
              – Andrea Ligios
              Nov 13 at 12:53










            • Also, why DER format for output? This says DER is not supported for certificates, so I guess it's not also for CRL: docs.gitlab.com/runner/configuration/tls-self-signed.html
              – Andrea Ligios
              Nov 13 at 12:56










            • @AndreaLigios I cut and pasted your config above. If the runners.docker section is not the right place to put the tls-ca-file please feel free to edit the question to avoid subsequent mistakes :-) I edited the answer accordingly
              – webofmars
              Nov 13 at 13:23












            • @AndreaLigios : you are right about DER format. I edited the answer accordingly
              – webofmars
              Nov 13 at 13:26










            • You copypasted the other answer, not my question. According to the docs it shoud be [[runners]] ... tls-ca-file = "" ... [docker.runners]. Check it out :)
              – Andrea Ligios
              Nov 13 at 13:36













            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53159258%2fhow-to-make-gitlab-runner-in-docker-see-a-custom-ca-root-certificate%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            3
















            While I've still not got why it doesn't work out-of-the-box, I've found the Egg of Columbus:



            Gitlab-Runner configuration:



            [[runners]]
            
  name = "MyDockerServer-Runner"
            
  url = "https://MY_PRIVATE_REPO_URL_HERE/"
            
  token = "MY_TOKEN_HERE"
            
  executor = "docker"
            
  ...
            
  [runners.docker]
            
    image = "ubuntu:latest"
            

            
  # The trick is the following:
            
    volumes = ["/cache","/srv/gitlab-runner/config:/etc/gitlab-runner"]
            
    ...


            Gitlab-ci.yml pipeline:



            MyJob:
            
    image: ubuntu:latest
            

            
    script:
            
      - awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
            
      - git clone https://gitlab-ci-token:${CI_BUILD_TOKEN}@ServerA/foo/bar/My-Project.wiki.git
            
      - wget -O foo.png https://ServerA/foo/bar/foo.png 
            

            
    before_script:
            
      - apt-get update -y >/dev/null
            
      - apt-get install -y apt-utils dialog >/dev/null
            
      - apt-get install -y git >/dev/null
            
      - apt-get install -y wget >/dev/null
            

            
    # The trick is the following:
            
      - cp /etc/gitlab-runner/certs/ca.crt /usr/local/share/ca-certificates/ca.crt
            
      - update-ca-certificates


            That's it:




            • Mount the volume once (per Docker executor)

            • Update the CA certificates once (per job)


            And everything will work as expected: git clone, wget https, etc...



            A great workaround, until someone at GitLab will fix it or explain me where I'm wrong (be my guest!)






            share|improve this answer


























              3
















              While I've still not got why it doesn't work out-of-the-box, I've found the Egg of Columbus:



              Gitlab-Runner configuration:



              [[runners]]
              
  name = "MyDockerServer-Runner"
              
  url = "https://MY_PRIVATE_REPO_URL_HERE/"
              
  token = "MY_TOKEN_HERE"
              
  executor = "docker"
              
  ...
              
  [runners.docker]
              
    image = "ubuntu:latest"
              

              
  # The trick is the following:
              
    volumes = ["/cache","/srv/gitlab-runner/config:/etc/gitlab-runner"]
              
    ...


              Gitlab-ci.yml pipeline:



              MyJob:
              
    image: ubuntu:latest
              

              
    script:
              
      - awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
              
      - git clone https://gitlab-ci-token:${CI_BUILD_TOKEN}@ServerA/foo/bar/My-Project.wiki.git
              
      - wget -O foo.png https://ServerA/foo/bar/foo.png 
              

              
    before_script:
              
      - apt-get update -y >/dev/null
              
      - apt-get install -y apt-utils dialog >/dev/null
              
      - apt-get install -y git >/dev/null
              
      - apt-get install -y wget >/dev/null
              

              
    # The trick is the following:
              
      - cp /etc/gitlab-runner/certs/ca.crt /usr/local/share/ca-certificates/ca.crt
              
      - update-ca-certificates


              That's it:




              • Mount the volume once (per Docker executor)

              • Update the CA certificates once (per job)


              And everything will work as expected: git clone, wget https, etc...



              A great workaround, until someone at GitLab will fix it or explain me where I'm wrong (be my guest!)






              share|improve this answer
























                3












                3








                3








                While I've still not got why it doesn't work out-of-the-box, I've found the Egg of Columbus:



                Gitlab-Runner configuration:



                [[runners]]
                
  name = "MyDockerServer-Runner"
                
  url = "https://MY_PRIVATE_REPO_URL_HERE/"
                
  token = "MY_TOKEN_HERE"
                
  executor = "docker"
                
  ...
                
  [runners.docker]
                
    image = "ubuntu:latest"
                

                
  # The trick is the following:
                
    volumes = ["/cache","/srv/gitlab-runner/config:/etc/gitlab-runner"]
                
    ...


                Gitlab-ci.yml pipeline:



                MyJob:
                
    image: ubuntu:latest
                

                
    script:
                
      - awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
                
      - git clone https://gitlab-ci-token:${CI_BUILD_TOKEN}@ServerA/foo/bar/My-Project.wiki.git
                
      - wget -O foo.png https://ServerA/foo/bar/foo.png 
                

                
    before_script:
                
      - apt-get update -y >/dev/null
                
      - apt-get install -y apt-utils dialog >/dev/null
                
      - apt-get install -y git >/dev/null
                
      - apt-get install -y wget >/dev/null
                

                
    # The trick is the following:
                
      - cp /etc/gitlab-runner/certs/ca.crt /usr/local/share/ca-certificates/ca.crt
                
      - update-ca-certificates


                That's it:




                • Mount the volume once (per Docker executor)

                • Update the CA certificates once (per job)


                And everything will work as expected: git clone, wget https, etc...



                A great workaround, until someone at GitLab will fix it or explain me where I'm wrong (be my guest!)






                share|improve this answer














                While I've still not got why it doesn't work out-of-the-box, I've found the Egg of Columbus:



                Gitlab-Runner configuration:



                [[runners]]
                
  name = "MyDockerServer-Runner"
                
  url = "https://MY_PRIVATE_REPO_URL_HERE/"
                
  token = "MY_TOKEN_HERE"
                
  executor = "docker"
                
  ...
                
  [runners.docker]
                
    image = "ubuntu:latest"
                

                
  # The trick is the following:
                
    volumes = ["/cache","/srv/gitlab-runner/config:/etc/gitlab-runner"]
                
    ...


                Gitlab-ci.yml pipeline:



                MyJob:
                
    image: ubuntu:latest
                

                
    script:
                
      - awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
                
      - git clone https://gitlab-ci-token:${CI_BUILD_TOKEN}@ServerA/foo/bar/My-Project.wiki.git
                
      - wget -O foo.png https://ServerA/foo/bar/foo.png 
                

                
    before_script:
                
      - apt-get update -y >/dev/null
                
      - apt-get install -y apt-utils dialog >/dev/null
                
      - apt-get install -y git >/dev/null
                
      - apt-get install -y wget >/dev/null
                

                
    # The trick is the following:
                
      - cp /etc/gitlab-runner/certs/ca.crt /usr/local/share/ca-certificates/ca.crt
                
      - update-ca-certificates


                That's it:




                • Mount the volume once (per Docker executor)

                • Update the CA certificates once (per job)


                And everything will work as expected: git clone, wget https, etc...



                A great workaround, until someone at GitLab will fix it or explain me where I'm wrong (be my guest!)







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 20 at 10:54









                Andrea Ligios

                39.7k1575169




                39.7k1575169

























                    1





                    +50









                    You have two options:



                    Ignore SSL verification



                    Put this at the top of your .gitlab-ci.yml:



                    variables:
                    
  GIT_SSL_NO_VERIFY: "1"


                    Point GitLab-Runner to the proper certificate



                    As outlined in the official documentation, you can use the tls-*-file options to setup your certificate, e.g.:



                    [[runners]]
                    
  ...
                    
  tls-ca-file = "/etc/gitlab-runner/ssl/ca-bundle.crt"
                    
  [runners.docker]
                    
  ...


                    As the documentation states, "this file will be read every time when runner tries to access the GitLab server."



                    Other options include tls-cert-file to define the certificate to be used if needed.






                    share|improve this answer























                    • @AndreaLigios check the logging output of the gitlab-runner process; maybe you could incorporate more information about your setup - which of the several methods of installing the runner did you chose, etc.
                      – Philipp Ludwig
                      Nov 8 at 11:58










                    • You mean /srv/gitlab-runner/config/certs I guess. It's not working, in either way... this thing is driving me crazy. I can clearly see that the Gitlab-Runner installed as Docker Service is accepting the CA root and updating its certificates; logging it and checking, it's there. The problem is that the Runner spawned by GitLab-CI is not. My configuration is the default one for a containerized GitLab-Runner, if I make it print the CAs from gitlab-ci, the custom CA is not there :/
                      – Andrea Ligios
                      Nov 13 at 10:51










                    • I've re-edited the question adding all the details and the links to the docs. tls-ca-file from your answer should be in [[runners]] section, not in [runners.docker] section, but it doesn't work the same :(
                      – Andrea Ligios
                      Nov 13 at 11:36










                    • @AndreaLigios Yeah, I now think the certificate is only for the communication between the runner and gitlab for the jobs, but not for the git checkout - I guess you will have to live with GIT_SSL_NO_VERIFY or find a way to tell git about your certificate.
                      – Philipp Ludwig
                      Nov 13 at 11:42






                    • 1




                      Even if your solution didn't work, I've awarded your answer because you've spent some time on it and I hate wasting stuff. Enjoy.
                      – Andrea Ligios
                      Nov 20 at 17:19


















                    1





                    +50









                    You have two options:



                    Ignore SSL verification



                    Put this at the top of your .gitlab-ci.yml:



                    variables:
                    
  GIT_SSL_NO_VERIFY: "1"


                    Point GitLab-Runner to the proper certificate



                    As outlined in the official documentation, you can use the tls-*-file options to setup your certificate, e.g.:



                    [[runners]]
                    
  ...
                    
  tls-ca-file = "/etc/gitlab-runner/ssl/ca-bundle.crt"
                    
  [runners.docker]
                    
  ...


                    As the documentation states, "this file will be read every time when runner tries to access the GitLab server."



                    Other options include tls-cert-file to define the certificate to be used if needed.






                    share|improve this answer























                    • @AndreaLigios check the logging output of the gitlab-runner process; maybe you could incorporate more information about your setup - which of the several methods of installing the runner did you chose, etc.
                      – Philipp Ludwig
                      Nov 8 at 11:58










                    • You mean /srv/gitlab-runner/config/certs I guess. It's not working, in either way... this thing is driving me crazy. I can clearly see that the Gitlab-Runner installed as Docker Service is accepting the CA root and updating its certificates; logging it and checking, it's there. The problem is that the Runner spawned by GitLab-CI is not. My configuration is the default one for a containerized GitLab-Runner, if I make it print the CAs from gitlab-ci, the custom CA is not there :/
                      – Andrea Ligios
                      Nov 13 at 10:51










                    • I've re-edited the question adding all the details and the links to the docs. tls-ca-file from your answer should be in [[runners]] section, not in [runners.docker] section, but it doesn't work the same :(
                      – Andrea Ligios
                      Nov 13 at 11:36










                    • @AndreaLigios Yeah, I now think the certificate is only for the communication between the runner and gitlab for the jobs, but not for the git checkout - I guess you will have to live with GIT_SSL_NO_VERIFY or find a way to tell git about your certificate.
                      – Philipp Ludwig
                      Nov 13 at 11:42






                    • 1




                      Even if your solution didn't work, I've awarded your answer because you've spent some time on it and I hate wasting stuff. Enjoy.
                      – Andrea Ligios
                      Nov 20 at 17:19
















                    1





                    +50







                    1





                    +50



                    1




                    +50




                    You have two options:



                    Ignore SSL verification



                    Put this at the top of your .gitlab-ci.yml:



                    variables:
                    
  GIT_SSL_NO_VERIFY: "1"


                    Point GitLab-Runner to the proper certificate



                    As outlined in the official documentation, you can use the tls-*-file options to setup your certificate, e.g.:



                    [[runners]]
                    
  ...
                    
  tls-ca-file = "/etc/gitlab-runner/ssl/ca-bundle.crt"
                    
  [runners.docker]
                    
  ...


                    As the documentation states, "this file will be read every time when runner tries to access the GitLab server."



                    Other options include tls-cert-file to define the certificate to be used if needed.






                    share|improve this answer














                    You have two options:



                    Ignore SSL verification



                    Put this at the top of your .gitlab-ci.yml:



                    variables:
                    
  GIT_SSL_NO_VERIFY: "1"


                    Point GitLab-Runner to the proper certificate



                    As outlined in the official documentation, you can use the tls-*-file options to setup your certificate, e.g.:



                    [[runners]]
                    
  ...
                    
  tls-ca-file = "/etc/gitlab-runner/ssl/ca-bundle.crt"
                    
  [runners.docker]
                    
  ...


                    As the documentation states, "this file will be read every time when runner tries to access the GitLab server."



                    Other options include tls-cert-file to define the certificate to be used if needed.







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Nov 20 at 17:18









                    Andrea Ligios

                    39.7k1575169




                    39.7k1575169










                    answered Nov 7 at 14:23









                    Philipp Ludwig

                    1,137723




                    1,137723












                    • @AndreaLigios check the logging output of the gitlab-runner process; maybe you could incorporate more information about your setup - which of the several methods of installing the runner did you chose, etc.
                      – Philipp Ludwig
                      Nov 8 at 11:58










                    • You mean /srv/gitlab-runner/config/certs I guess. It's not working, in either way... this thing is driving me crazy. I can clearly see that the Gitlab-Runner installed as Docker Service is accepting the CA root and updating its certificates; logging it and checking, it's there. The problem is that the Runner spawned by GitLab-CI is not. My configuration is the default one for a containerized GitLab-Runner, if I make it print the CAs from gitlab-ci, the custom CA is not there :/
                      – Andrea Ligios
                      Nov 13 at 10:51










                    • I've re-edited the question adding all the details and the links to the docs. tls-ca-file from your answer should be in [[runners]] section, not in [runners.docker] section, but it doesn't work the same :(
                      – Andrea Ligios
                      Nov 13 at 11:36










                    • @AndreaLigios Yeah, I now think the certificate is only for the communication between the runner and gitlab for the jobs, but not for the git checkout - I guess you will have to live with GIT_SSL_NO_VERIFY or find a way to tell git about your certificate.
                      – Philipp Ludwig
                      Nov 13 at 11:42






                    • 1




                      Even if your solution didn't work, I've awarded your answer because you've spent some time on it and I hate wasting stuff. Enjoy.
                      – Andrea Ligios
                      Nov 20 at 17:19




















                    • @AndreaLigios check the logging output of the gitlab-runner process; maybe you could incorporate more information about your setup - which of the several methods of installing the runner did you chose, etc.
                      – Philipp Ludwig
                      Nov 8 at 11:58










                    • You mean /srv/gitlab-runner/config/certs I guess. It's not working, in either way... this thing is driving me crazy. I can clearly see that the Gitlab-Runner installed as Docker Service is accepting the CA root and updating its certificates; logging it and checking, it's there. The problem is that the Runner spawned by GitLab-CI is not. My configuration is the default one for a containerized GitLab-Runner, if I make it print the CAs from gitlab-ci, the custom CA is not there :/
                      – Andrea Ligios
                      Nov 13 at 10:51










                    • I've re-edited the question adding all the details and the links to the docs. tls-ca-file from your answer should be in [[runners]] section, not in [runners.docker] section, but it doesn't work the same :(
                      – Andrea Ligios
                      Nov 13 at 11:36










                    • @AndreaLigios Yeah, I now think the certificate is only for the communication between the runner and gitlab for the jobs, but not for the git checkout - I guess you will have to live with GIT_SSL_NO_VERIFY or find a way to tell git about your certificate.
                      – Philipp Ludwig
                      Nov 13 at 11:42






                    • 1




                      Even if your solution didn't work, I've awarded your answer because you've spent some time on it and I hate wasting stuff. Enjoy.
                      – Andrea Ligios
                      Nov 20 at 17:19


















                    @AndreaLigios check the logging output of the gitlab-runner process; maybe you could incorporate more information about your setup - which of the several methods of installing the runner did you chose, etc.
                    – Philipp Ludwig
                    Nov 8 at 11:58




                    @AndreaLigios check the logging output of the gitlab-runner process; maybe you could incorporate more information about your setup - which of the several methods of installing the runner did you chose, etc.
                    – Philipp Ludwig
                    Nov 8 at 11:58












                    You mean /srv/gitlab-runner/config/certs I guess. It's not working, in either way... this thing is driving me crazy. I can clearly see that the Gitlab-Runner installed as Docker Service is accepting the CA root and updating its certificates; logging it and checking, it's there. The problem is that the Runner spawned by GitLab-CI is not. My configuration is the default one for a containerized GitLab-Runner, if I make it print the CAs from gitlab-ci, the custom CA is not there :/
                    – Andrea Ligios
                    Nov 13 at 10:51




                    You mean /srv/gitlab-runner/config/certs I guess. It's not working, in either way... this thing is driving me crazy. I can clearly see that the Gitlab-Runner installed as Docker Service is accepting the CA root and updating its certificates; logging it and checking, it's there. The problem is that the Runner spawned by GitLab-CI is not. My configuration is the default one for a containerized GitLab-Runner, if I make it print the CAs from gitlab-ci, the custom CA is not there :/
                    – Andrea Ligios
                    Nov 13 at 10:51












                    I've re-edited the question adding all the details and the links to the docs. tls-ca-file from your answer should be in [[runners]] section, not in [runners.docker] section, but it doesn't work the same :(
                    – Andrea Ligios
                    Nov 13 at 11:36




                    I've re-edited the question adding all the details and the links to the docs. tls-ca-file from your answer should be in [[runners]] section, not in [runners.docker] section, but it doesn't work the same :(
                    – Andrea Ligios
                    Nov 13 at 11:36












                    @AndreaLigios Yeah, I now think the certificate is only for the communication between the runner and gitlab for the jobs, but not for the git checkout - I guess you will have to live with GIT_SSL_NO_VERIFY or find a way to tell git about your certificate.
                    – Philipp Ludwig
                    Nov 13 at 11:42




                    @AndreaLigios Yeah, I now think the certificate is only for the communication between the runner and gitlab for the jobs, but not for the git checkout - I guess you will have to live with GIT_SSL_NO_VERIFY or find a way to tell git about your certificate.
                    – Philipp Ludwig
                    Nov 13 at 11:42




                    1




                    1




                    Even if your solution didn't work, I've awarded your answer because you've spent some time on it and I hate wasting stuff. Enjoy.
                    – Andrea Ligios
                    Nov 20 at 17:19






                    Even if your solution didn't work, I've awarded your answer because you've spent some time on it and I hate wasting stuff. Enjoy.
                    – Andrea Ligios
                    Nov 20 at 17:19













                    0














                    From the output you provided i think that the certificate might be OK but you are lacking the CRL file : server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none



                    The CRL file is used to verify that even if the certificate is valid is hasn't been revoked by the CA owner. You shoudl then need to :



                    1) Generate a CRL file based on your CA:



                    openssl ca -gencrl -keyfile ca.key -cert ca.crt -out crl.pem


                    source: https://blog.didierstevens.com/2013/05/08/howto-make-your-own-cert-and-revocation-list-with-openssl/



                    2) Instruct the runner to use it : 



                    [[runners]]
                    
  ...
                    
  tls-ca-file = "/etc/gitlab-runner/ssl/ca-bundle.crt"
                    
  crl-file = "/etc/gitlab-runner/ssl/ca.crl"


                    3) Of course setting GIT_SSL_NO_VERIFY will work but you will be more sensitive to man-in-the-middle attacks






                    share|improve this answer























                    • Thank you for your answer, I'll try it ASAP (though I'm not convinced yet CRL is mandatory). As said in the other answer, according to the docs, tls-ca-file should stay in [[runners]] not in [runners.docker] :)
                      – Andrea Ligios
                      Nov 13 at 12:53










                    • Also, why DER format for output? This says DER is not supported for certificates, so I guess it's not also for CRL: docs.gitlab.com/runner/configuration/tls-self-signed.html
                      – Andrea Ligios
                      Nov 13 at 12:56










                    • @AndreaLigios I cut and pasted your config above. If the runners.docker section is not the right place to put the tls-ca-file please feel free to edit the question to avoid subsequent mistakes :-) I edited the answer accordingly
                      – webofmars
                      Nov 13 at 13:23












                    • @AndreaLigios : you are right about DER format. I edited the answer accordingly
                      – webofmars
                      Nov 13 at 13:26










                    • You copypasted the other answer, not my question. According to the docs it shoud be [[runners]] ... tls-ca-file = "" ... [docker.runners]. Check it out :)
                      – Andrea Ligios
                      Nov 13 at 13:36


















                    0














                    From the output you provided i think that the certificate might be OK but you are lacking the CRL file : server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none



                    The CRL file is used to verify that even if the certificate is valid is hasn't been revoked by the CA owner. You shoudl then need to :



                    1) Generate a CRL file based on your CA:



                    openssl ca -gencrl -keyfile ca.key -cert ca.crt -out crl.pem


                    source: https://blog.didierstevens.com/2013/05/08/howto-make-your-own-cert-and-revocation-list-with-openssl/



                    2) Instruct the runner to use it : 



                    [[runners]]
                    
  ...
                    
  tls-ca-file = "/etc/gitlab-runner/ssl/ca-bundle.crt"
                    
  crl-file = "/etc/gitlab-runner/ssl/ca.crl"


                    3) Of course setting GIT_SSL_NO_VERIFY will work but you will be more sensitive to man-in-the-middle attacks






                    share|improve this answer























                    • Thank you for your answer, I'll try it ASAP (though I'm not convinced yet CRL is mandatory). As said in the other answer, according to the docs, tls-ca-file should stay in [[runners]] not in [runners.docker] :)
                      – Andrea Ligios
                      Nov 13 at 12:53










                    • Also, why DER format for output? This says DER is not supported for certificates, so I guess it's not also for CRL: docs.gitlab.com/runner/configuration/tls-self-signed.html
                      – Andrea Ligios
                      Nov 13 at 12:56










                    • @AndreaLigios I cut and pasted your config above. If the runners.docker section is not the right place to put the tls-ca-file please feel free to edit the question to avoid subsequent mistakes :-) I edited the answer accordingly
                      – webofmars
                      Nov 13 at 13:23












                    • @AndreaLigios : you are right about DER format. I edited the answer accordingly
                      – webofmars
                      Nov 13 at 13:26










                    • You copypasted the other answer, not my question. According to the docs it shoud be [[runners]] ... tls-ca-file = "" ... [docker.runners]. Check it out :)
                      – Andrea Ligios
                      Nov 13 at 13:36
















                    0












                    0








                    0






                    From the output you provided i think that the certificate might be OK but you are lacking the CRL file : server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none



                    The CRL file is used to verify that even if the certificate is valid is hasn't been revoked by the CA owner. You shoudl then need to :



                    1) Generate a CRL file based on your CA:



                    openssl ca -gencrl -keyfile ca.key -cert ca.crt -out crl.pem


                    source: https://blog.didierstevens.com/2013/05/08/howto-make-your-own-cert-and-revocation-list-with-openssl/



                    2) Instruct the runner to use it : 



                    [[runners]]
                    
  ...
                    
  tls-ca-file = "/etc/gitlab-runner/ssl/ca-bundle.crt"
                    
  crl-file = "/etc/gitlab-runner/ssl/ca.crl"


                    3) Of course setting GIT_SSL_NO_VERIFY will work but you will be more sensitive to man-in-the-middle attacks






                    share|improve this answer














                    From the output you provided i think that the certificate might be OK but you are lacking the CRL file : server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none



                    The CRL file is used to verify that even if the certificate is valid is hasn't been revoked by the CA owner. You shoudl then need to :



                    1) Generate a CRL file based on your CA:



                    openssl ca -gencrl -keyfile ca.key -cert ca.crt -out crl.pem


                    source: https://blog.didierstevens.com/2013/05/08/howto-make-your-own-cert-and-revocation-list-with-openssl/



                    2) Instruct the runner to use it : 



                    [[runners]]
                    
  ...
                    
  tls-ca-file = "/etc/gitlab-runner/ssl/ca-bundle.crt"
                    
  crl-file = "/etc/gitlab-runner/ssl/ca.crl"


                    3) Of course setting GIT_SSL_NO_VERIFY will work but you will be more sensitive to man-in-the-middle attacks







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Nov 13 at 20:52

























                    answered Nov 13 at 11:55









                    webofmars

                    332111




                    332111












                    • Thank you for your answer, I'll try it ASAP (though I'm not convinced yet CRL is mandatory). As said in the other answer, according to the docs, tls-ca-file should stay in [[runners]] not in [runners.docker] :)
                      – Andrea Ligios
                      Nov 13 at 12:53










                    • Also, why DER format for output? This says DER is not supported for certificates, so I guess it's not also for CRL: docs.gitlab.com/runner/configuration/tls-self-signed.html
                      – Andrea Ligios
                      Nov 13 at 12:56










                    • @AndreaLigios I cut and pasted your config above. If the runners.docker section is not the right place to put the tls-ca-file please feel free to edit the question to avoid subsequent mistakes :-) I edited the answer accordingly
                      – webofmars
                      Nov 13 at 13:23












                    • @AndreaLigios : you are right about DER format. I edited the answer accordingly
                      – webofmars
                      Nov 13 at 13:26










                    • You copypasted the other answer, not my question. According to the docs it shoud be [[runners]] ... tls-ca-file = "" ... [docker.runners]. Check it out :)
                      – Andrea Ligios
                      Nov 13 at 13:36




















                    • Thank you for your answer, I'll try it ASAP (though I'm not convinced yet CRL is mandatory). As said in the other answer, according to the docs, tls-ca-file should stay in [[runners]] not in [runners.docker] :)
                      – Andrea Ligios
                      Nov 13 at 12:53










                    • Also, why DER format for output? This says DER is not supported for certificates, so I guess it's not also for CRL: docs.gitlab.com/runner/configuration/tls-self-signed.html
                      – Andrea Ligios
                      Nov 13 at 12:56










                    • @AndreaLigios I cut and pasted your config above. If the runners.docker section is not the right place to put the tls-ca-file please feel free to edit the question to avoid subsequent mistakes :-) I edited the answer accordingly
                      – webofmars
                      Nov 13 at 13:23












                    • @AndreaLigios : you are right about DER format. I edited the answer accordingly
                      – webofmars
                      Nov 13 at 13:26










                    • You copypasted the other answer, not my question. According to the docs it shoud be [[runners]] ... tls-ca-file = "" ... [docker.runners]. Check it out :)
                      – Andrea Ligios
                      Nov 13 at 13:36


















                    Thank you for your answer, I'll try it ASAP (though I'm not convinced yet CRL is mandatory). As said in the other answer, according to the docs, tls-ca-file should stay in [[runners]] not in [runners.docker] :)
                    – Andrea Ligios
                    Nov 13 at 12:53




                    Thank you for your answer, I'll try it ASAP (though I'm not convinced yet CRL is mandatory). As said in the other answer, according to the docs, tls-ca-file should stay in [[runners]] not in [runners.docker] :)
                    – Andrea Ligios
                    Nov 13 at 12:53












                    Also, why DER format for output? This says DER is not supported for certificates, so I guess it's not also for CRL: docs.gitlab.com/runner/configuration/tls-self-signed.html
                    – Andrea Ligios
                    Nov 13 at 12:56




                    Also, why DER format for output? This says DER is not supported for certificates, so I guess it's not also for CRL: docs.gitlab.com/runner/configuration/tls-self-signed.html
                    – Andrea Ligios
                    Nov 13 at 12:56












                    @AndreaLigios I cut and pasted your config above. If the runners.docker section is not the right place to put the tls-ca-file please feel free to edit the question to avoid subsequent mistakes :-) I edited the answer accordingly
                    – webofmars
                    Nov 13 at 13:23






                    @AndreaLigios I cut and pasted your config above. If the runners.docker section is not the right place to put the tls-ca-file please feel free to edit the question to avoid subsequent mistakes :-) I edited the answer accordingly
                    – webofmars
                    Nov 13 at 13:23














                    @AndreaLigios : you are right about DER format. I edited the answer accordingly
                    – webofmars
                    Nov 13 at 13:26




                    @AndreaLigios : you are right about DER format. I edited the answer accordingly
                    – webofmars
                    Nov 13 at 13:26












                    You copypasted the other answer, not my question. According to the docs it shoud be [[runners]] ... tls-ca-file = "" ... [docker.runners]. Check it out :)
                    – Andrea Ligios
                    Nov 13 at 13:36






                    You copypasted the other answer, not my question. According to the docs it shoud be [[runners]] ... tls-ca-file = "" ... [docker.runners]. Check it out :)
                    – Andrea Ligios
                    Nov 13 at 13:36




















                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53159258%2fhow-to-make-gitlab-runner-in-docker-see-a-custom-ca-root-certificate%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Create new schema in PostgreSQL using DBeaver

                    Image
                    0 At the beginning of my current job I had limited access to DB but recently my role is changed to superuser, admin, and owner. My colleague who was the previous DB admin is able to create a schema or change the permissions as there is a permission tab in the properties and he can change permissions by clicking easily. Would you please let me know how I can create schema and change permissions as well? Why his dbeaver looks different from me? He can easily right click on the schema folder on top of all schemas on the left side column and select create new schema while I do not have that, like the following picture I found on the internet. postgresql database-schema dbeaver share | improve this question
                    Read more

                    Deepest pit of an array with Javascript: test on Codility

                    Image
                    0 $begingroup$ This is the question from a Codility test, as a task in an interview: DeepestPit - problem description A non-empty zero-indexed array A consisting of N integers is given. A pit in this array is any triplet of integers (P, Q, R) such that: ·         0 ≤ P < Q < R < N; ·         sequence [A[P], A[P+1], ..., A[Q]] is strictly decreasing, i.e. A[P] > A[P+1] > ... > A[Q]; ·         sequence A[Q], A[Q+1], ..., A[R] is strictly increasing, i.e. A[Q] < A[Q+1] < ... < A[R]. The depth of a pit (P, Q, R) is the number min {A[P] − A[Q], A[R] − A[Q]}. For example, consider array A consisting of 10 elements such that: A[0] = 0 A[1] = 1 A[2] = 3 A[3] = -2 A[4] = 0 A[5] = 1 A[6] = 0 A[7] = -3 A[8] = 2 A[9] = 3 Triplet (2, 3, 4) is
                    Read more

                    Costa Masnaga

                    Image
                    .mw-parser-output .avviso .mbox-text-div>div,.mw-parser-output .avviso .mbox-text-full-div>div{font-size:90%}.mw-parser-output .avviso .mbox-image div{width:52px}.mw-parser-output .avviso .mbox-text-full-div .hide-when-compact{display:block} Questa voce o sezione sull'argomento Lombardia non cita le fonti necessarie o quelle presenti sono insufficienti . Puoi migliorare questa voce aggiungendo citazioni da fonti attendibili secondo le linee guida sull'uso delle fonti. Segui i suggerimenti del progetto di riferimento. Costa Masnaga comune Localizzazione Stato   Italia Regione Lombardia Provincia Lecco Amministrazione Sindaco Sabina Panzeri (Al centro il cittadino) dall'08/06/2009 Territorio Coordinate 45°46′N 9°17′E  /  45.766667°N 9.283333°E 45.766667; 9.283333  ( Costa Masnaga ) Coordinate: 45°46′N 9°17′E  /  45.766667°N 9.283333°E 45.766667; 9.283333  ( Costa Masnaga ) Altitudine 318 m s.l.m
                    Read more