I cannot register Gitlab Runner 15.8.0 to Gitlab 15.8.0 - ssl-certificate

Hello. My environment is set up as follows.
When I type curl -v https://gitlab.local I get the error "TLS alert, unknown CA (560)". With gitlab-runner register I get the following error message. How can I overcome this problem and fix the gitlab-runner register problem?
curl -v https://gitlab.local
TLSv1.3 (OUT), TLS alert, unknown CA (560):
SSL certificate problem: self signed certificate
Closing connection 0
Gitlab-runner register error:
" WARNING: Support for registration tokens and runner parameters in the 'register' command has been deprecated in GitLab Runner 15.6 and will be replaced with support for authentication tokens.
For more information, see Deprecation - Support for registration tokens and server-side runner configuration parameters in gitlab-runner register command (#380872) · Issues · GitLab.org / GitLab · GitLab
ERROR: Registering runner... failed runner=GR1348941mM8T5TDy status=couldn't execute POST against https://gitlab.local/api/v4/runners: Post "https://gitlab.local/api/v4/runners": x509: certificate relies on legacy Common Name field, use SANs instead
PANIC: Failed to register the runner.
"
Gitlab Version : Gitlab 15.8.0 (omnibus install)
Git Version : 2.39
Gitlab Runner version : 15.8.0 ( Docker install )

Related

Troubleshooting - Setting up private GitLab server and connecting Gitlab Runners

I have a Gitlab instance running in docker on a dedicated private server (accessible only from within our vpc). We want to start doing CI using Gitlab runners so I spun up another server to host our runners.
Now that Gitlab-Runner has been configured, I try to register a runner with the private IP of the Gitlab server and the registration token:
Enter the GitLab instance URL (for example, https://gitlab.com/):
$GITLAB_PRIVATE_IP
Enter the registration token:
$TOKEN
Enter a description for the runner:
[BEG-GITLAB-RUNNER]: default
Enter tags for the runner (comma-separated):
default
ERROR: Registering runner... failed runner=m616FJy- status=couldn't execute POST against https://$GITLAB_PRIVATE_IP/api/v4/runners: Post "https://$GITLAB_PRIVATE_IP/api/v4/runners": x509: certificate has expired or is not yet valid: current time 2022-02-06T20:00:35Z is after 2021-12-24T04:54:28Z
It looks like our certs have expired and to verify:
echo | openssl s_client -showcerts -connect $GITLAB_PRIVATE_IP:443 2>&1 | openssl x509 -noout -dates
notBefore=Nov 24 04:54:28 2021 GMT
notAfter=Dec 24 04:54:28 2021 GMT
Gitlab comes with let's encrypt so I decided to enable let's encrypt and cert autorenewal in gitlab rails, however when I try and reconfigure I get the error message:
There was an error running gitlab-ctl reconfigure:
letsencrypt_certificate[$GITLAB_PRIVATE_IP] (letsencrypt::http_authorization line 6) had an error: Acme::Client::Error::RejectedIdentifier: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 41) had an error: Acme::Client::Error::RejectedIdentifier: Error creating new order :: Cannot issue for "$GITLAB_PRIVATE_IP": The ACME server can not issue a certificate for an IP address
So it looks like I can't use the let's encrypt option that is packaged with gitlab to enable the renewal of certs.
How can I create/renew ssl certs on a private linux server without a domain?
If you've set up Gitlab + Runners on private servers, what does your rails configuration look like?
Is there a way to enable DNS on a private server for the sole purpose of a certificate authority granting certs?
I would suggest using a self-signed certificate. I have tested this before and it's working fine, but it requires some work. I will try to summarize some of the steps needed:
1- generate a self-signed certificate with the domain you choose and make sure to keep it in /etc/gitlab-runner/certs/
2- you need to add the domain and certs path in /etc/gitlab/gitlab.rb
3- reconfigure gitlab
4- when connecting the runner, make sure to manually copy and activate the certs on the runner server.
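An added example, not from either post or from GitLab, that reproduces the x509 check behind the "certificate relies on legacy Common Name field, use SANs instead" error in the first post and behind step 4 above. It uses Go's standard library, the same verifier GitLab Runner is built on: a self-signed certificate for gitlab.local with the name only in the Subject CN fails hostname verification even when it is the trusted root, while the same certificate with a SAN entry passes. The host name gitlab.local, the one-year validity and the serial number are constructed demo values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkRunnerTrust mints a self-signed certificate for host, trusts it as the only root (as copying the
// PEM into /etc/gitlab-runner/certs/<host>.crt does) and verifies it for host; withSAN=false leaves the name in the CN only.
func checkRunnerTrust(host string, withSAN bool) error {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed demo value
		Subject:               pkix.Name{CommonName: host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	if withSAN {
		tmpl.DNSNames = []string{host} // the SAN entry modern verifiers match on
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	for _, san := range []bool{false, true} {
		fmt.Printf("SAN=%v: %v\n", san, checkRunnerTrust("gitlab.local", san))
	}
}
```

The CN-only run prints the exact runner error from the first post; the SAN run prints a nil error, which is what step 1 above must produce before the copy in step 4 can work.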

Curl to Azure devops fails due to SSL issue

I'm running on Windows. If I call this from command line:
curl https://dev.azure.com
It returns error:
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed
This is important because sometimes I use curl to download files from Azure devops.
This was fixed by downloading IISCryptoCLI.exe from https://www.nartac.com/Products/IISCrypto and running:
IISCryptoCli.exe /template pci32 /reboot
(IISCryptoCli.exe /template best /reboot works too, but I wanted to disable TLS 1.0 and 1.1 by using pci32 instead.)

x509: certificate signed by unknown authority problem when registering a runner even with self-certificate

I have a server running on Linux OS. Docker is installed along with a container on which gitlab is installed too. Everything is working fine. I intend to install and register a runner on a Windows 10 machine to use through my CI/CD process (the reason is that I have multiple projects in .NET that need to be compiled and built during the deployment time, therefore I have decided to place them on Windows and, by registering a runner in Shell, run a batch script file to build those projects).
When I am going to register the runner I am getting this error:
x509: certificate signed by unknown authority
for which it has been explained how to solve it (gitlab doc) by creating an ssl self certificate.
After so much effort I am still getting this error. I am a little bit new to ssl but I followed this way:
first I created a self certificate with this command on my gitlab container:
https://docs.bitnami.com/aws/apps/gitlab/administration/create-ssl-certificate-nginx/
Then I use this file on Windows to register the gitlab runner, but the error is still thrown during registration.
When I use the following command on windows to verify the self certificate:
echo | openssl s_client -CAfile /etc/gitlab-runner/certs/gitlab-hostname.tld.crt -connect gitlab-hostname.tld:443
I run into this error in the last lines:
read R BLOCK
HTTP/1.1 400 Bad Request
Server: nginx
Date: Wed, 01 Jul 2020 07:58:52 GMT
Content-Type: text/html
Content-Length: 150
Connection: close
<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center>
</body>
</html>
read:errno=0
Can anyone provide some steps in detail to solve this problem? I was searching for a right and applicable answer but no result was achieved yet.
PS: gitlab-runner x509: certificate signed by unknown authority did not fix my problem

Attempting to use puppet 5 client against puppet 6 server - ssl error

I have a bunch of ARM based boxes that are stuck on puppet client v5. I've recently updated the server installation to v6 though. V6 clients are working ok.
When I attempt to pair a v5 client with the new server install I'm seeing this error:
Error: Could not request certificate: request https://v6server.org:8140//puppet-ca/v1/certificate_revocation_list/ca failed: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: v6server.org]
(Note the extra "/" after the port #.) If I curl against the corrected URL (without the extra "/") I get the expected cert(s).
I've been digging through the puppet client ruby code to (so far) no avail.
Wondering if anyone else has encountered this issue.

SSL Error at Composer Install

While installing Composer to XAMPP, I got some errors. My system OS was Windows 7, how can I solve this and install Composer?
Download failed: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
file_get_contents(): Failed to enable crypto
file_get_contents(https://getcomposer.org/composer.phar.sig): failed to open stream: operation failed
Download failed: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
file_get_contents(): Failed to enable crypto
file_get_contents(https://getcomposer.org/composer.phar.sig): failed to open stream: operation failed
Make sure you configured the path to the ca certificates in php.ini:
curl.cainfo=/full/path/to/ssl/certs/ca-bundle.crt
openssl.cafile=/full/path/to/ssl/certs/ca-bundle.crt
In case you don't have a ca certificate bundle download it:
https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
To install Composer (without using cURL):
php -r "readfile('https://getcomposer.org/installer');" | php
Or, to install Composer (with cURL):
curl -sS https://getcomposer.org/installer | php
(If that doesn't work out, simply download the Composer PHAR via your browser:
https://getcomposer.org/composer.phar
But, you will run into the issue again, when fetching packages, until you fix the certificate issue.)
That's exactly the same issue I'm facing. While installing the Composer Installer on my Windows 7 machine I'm getting the below error:
The "https://getcomposer.org/versions" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
Tried this:
$ curl -sS https://getcomposer.org/installer | php
stdin is not a tty
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
And this:
$ ping getcomposer.org
Pinging getcomposer.org [87.98.253.108] with 32 bytes of data:
Reply from 87.98.253.108: bytes=32 time=137ms TTL=47
Reply from 87.98.253.108: bytes=32 time=127ms TTL=47
Reply from 87.98.253.108: bytes=32 time=127ms TTL=47
Reply from 87.98.253.108: bytes=32 time=127ms TTL=47
Ping statistics for 87.98.253.108:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 127ms, Maximum = 137ms, Average = 129ms
My PHP version is:
$ php -v
PHP 5.5.37 (cli) (built: Jun 22 2016 16:14:46)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies
I've enabled the following list in my php.ini:
extension=php_curl.dll
extension=php_openssl.dll
curl.cainfo="C:/xampp/php/extras/certs/cacert.pem"
openssl.cafile="C:/xampp/php/extras/certs/cacert.pem"
Where I've downloaded the cacert.pem from https://curl.haxx.se/ca/cacert.pem
I was missing the proxy settings during installation; when added, it worked like a charm! :)
http://username:password#your_proxy:your_port
I was having the same issue while changing php version on my Windows. Hope this could help someone.
php.ini didn't have right extensions and I just had to uncomment:
extension_dir = "ext"
extension=openssl
Check the php.ini of your PHP. For me, I'm using AMPPS on Mac and just changed it to:
curl.cainfo =/Applications/AMPPS/ca-bundle.crt
openssl.cafile =/Applications/AMPPS/ca-bundle.crt
After updating php.ini, you need to restart your Apache.
You may download the ca-bundle.cer here https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt and rename it as ca-bundle.crt.
Check the attachment for reference, before and after updating php.ini.