I have a server running on linux OS. Docker is installed along with a container on which gitlab is installed too. Everything is working fine. I intend to install and register a runner on a windows 10 to use through my CI CD process (the reason is that I have multiple projects in .NET needed to be complied and build during the deployment time therefore I have decided to place them on windows and by registering a runner in Shell could run a batch script file to build those projects).
When I am going to register the runner I am getting this error :
x509: certificate signed by unknown authority
which it has been explained how to solve it (gitlab doc) through creating a ssl self certificate.
after so much efforts I am still getting this error. I am a little bit new with ssl but I follow this way:
first I created a self certificate with this commad on my gitlab container:
https://docs.bitnami.com/aws/apps/gitlab/administration/create-ssl-certificate-nginx/
then, I use this file on windows to register the gitlab runner. But error is still thrown during registration.
When I use the following command on windows to verify the self certificate:
echo | openssl s_client -CAfile /etc/gitlab-runner/certs/gitlab-hostname.tld.crt -connect gitlab-hostname.tld:443
I run into this error in the last lines:
read R BLOCK
HTTP/1.1 400 Bad Request
Server: nginx
Date: Wed, 01 Jul 2020 07:58:52 GMT
Content-Type: text/html
Content-Length: 150
Connection: close
<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center>
</body>
</html>
read:errno=0
can anyone provide some steps in details to solve this problem? I was in searching for a right and applicable answer but no result was achieved yet.
PS: gitlab-runner x509: certificate signed by unknown authority did not fix my problem
Related
I have a Gitlab instance running in docker on a dedicated private server (accessible only from within our vpc). We want to start doing CI using Gitlab runners so I spun up another server to host our runners.
Now that Gitlab-Runner has been configured, I try and register a runner with the private IP of the Gitlab server and the registration token
Enter the GitLab instance URL (for example, https://gitlab.com/):
$GITLAB_PRIVATE_IP
Enter the registration token:
$TOKEN
Enter a description for the runner:
[BEG-GITLAB-RUNNER]: default
Enter tags for the runner (comma-separated):
default
ERROR: Registering runner... failed runner=m616FJy- status=couldn't execute POST against https://$GITLAB_PRIVATE_IP/api/v4/runners: Post "https://$GITLAB_PRIVATE_IP/api/v4/runners": x509: certificate has expired or is not yet valid: current time 2022-02-06T20:00:35Z is after 2021-12-24T04:54:28Z
It looks like our certs have expired and to verify:
echo | openssl s_client -showcerts -connect $GITLAB_PRIVATE_IP:443 2>&1 | openssl x509 -noout -dates
notBefore=Nov 24 04:54:28 2021 GMT
notAfter=Dec 24 04:54:28 2021 GMT
Gitlab comes with let's encrypt so I decided to enable let's encrypt and cert autorenewal in gitlab rails, however when I try and reconfigure I get the error message:
There was an error running gitlab-ctl reconfigure:
letsencrypt_certificate[$GITLAB_PRIVATE_IP] (letsencrypt::http_authorization line 6) had an error: Acme::Client::Error::RejectedIdentifier: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 41) had an error: Acme::Client::Error::RejectedIdentifier: Error creating new order :: Cannot issue for "$GITLAB_PRIVATE_IP": The ACME server can not issue a certificate for an IP address
So it looks like I can't use the let's encrypt option that packaged with gitlab to enable the renewal of certs.
How can I create/renew ssl certs on a private linux server without a domain?
If you've set up Gitlab + Runners on private servers, what does your rails configuration look like?
Is there a way to enable DNS on a private server for the sole purpose of a certificate authority granting certs?
I would suggest to use Self-signed certificate I have tested this before and its working fine but require some work. I will try to summarize some of the steps needed:
1- generate Self-signed certificate with the domain you choose and make sure to keep it in /etc/gitlab-runner/certs/
2- you need to add the domain and certs path in /etc/gitlab/gitlab.rb
3- reconfigure giltab
4- when connecting the runner make sure to manually copy and activate certs to the runner server .
I'm trying to use curl to access a URL of an app we've developed internally, and on the server I'm seeing
http: TLS handshake error from 1.2.3.4 remote error: tls: unknown certificate authority.
This only happens when we hit the endpoint using curl (inside git bash ) or wget. When we use IE on Windows it works just fine. I've even tried re-installing git bash using Native SSL library (which should be the same as IE), but still getting the same error message.
Have even tried downloading the curl-ca-bundle.crt file and saving to the same place as the curl binary, or even directly telling it to use this file with curl --cacert option, but still no joy.
I've compared the root certs that IE is reporting, and the ones in that curl-ca-bundle.crt and they look the same (they don't line up exactly the same, but they have the same text in them between the BEGIN and END markers, one is just wider on the screen and therefore uses fewer lines if that makes sense).
Hopefully someone has ideas what to try next as two of us have been tearing our hair out all afternoon with this.
wget also gives an error message :-
$ wget https://bler.com/admin/user
--2018-09-03 15:53:43-- https://bler.com/admin/user
Connecting to 132.146.1.142:8090... connected.
ERROR: cannot verify oss.dns.networks.bt.com's certificate, issued by 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US':
Unable to locally verify the issuer's authority.
To connect to oss.dns.networks.bt.com insecurely, use '--no-check-certificate'.
We're using a local proxy server, and HTTP_PROXY is set. It must be using the proxy, as we can see we're hitting the end point.
I also had the same error. This problem occurs when you install on Golang web server the only certificate. You must use a certificate chain instead.
For example, Letsencrypt gives "cert.pem" and "fullchain.pem". "cert.pem" works in browsers, but curl cannot work with this file (curl: (60) SSL certificate problem: unable to get local issuer certificate). "fullchain.pem" works fine in browsers and curl.
I have one chef-server version 12.0.1 and can connect linux (rhel/centos) systems to the chef-server with knife bootstrap but cannot with windows and locally on my rhel client knife ssl check fails.
I have two problems but I think they are both related.
Problem 1 - knife ssl check fails:
Connecting to host chef-server:443
ERROR: The SSL certificate of chef-server could not be verified
Problem 2 - bootstrap windows server fails:
ERROR: SSL Validation failure connecting to host: chef-server - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Chef encountered an error attempting to create the client "desktop"
I have tried a number of things:
1) knife ssl fetch - no changes
2) I have a signed digicert crt on the server which is accepted by the management-console and chrome web browser
3) I have changed set this in the chef-server.rb
nginx['ssl_certificate'] = "/var/opt/opscode/nginx/ca/hostname.crt"
nginx['ssl_certificate_key'] = "/var/opt/opscode/nginx/ca/hostname.key"
which go to the signed certs.
Anything else I should be trying or am I being a plank?
Try running these commands on your Chef server:
mkdir /root/.chef/trusted_certs
cp /var/opt/chef-server/nginx/ca/YOUR_SERVER'S_HOSTNAME.crt /root/.chef/trusted_certs/
I was having the same problem and it was fixed after I looked through this article, and tried out the steps it gave: http://jtimberman.housepub.org/blog/2014/12/11/chef-12-fix-untrusted-self-sign-certs/
I was having the same issue using a valid wildcard certificate, although it was linux rather than windows. Looks like the issue is that the chef client uses openssl and didn't have the CA and root certificates. I was getting errors when I ran the following from the chef client server:
openssl s_client -connect chef_server_url*:443 -showcerts
I solved my issue by browsing to the chef server, inspecting the certs and exporting each cert in the chain to a single file, ordered with the issued certificate at the top, and the root at the bottom. I then used this bundled-cert as the certificate file in the chef server config file and reconfigured chef.
Our production (Heroku) and development (local) instances have been working when accessing a https endpoint. However, within the past 2 days, we started getting the dreaded OpenSSL error:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I've read through a lot of OpenSSL failed posts on StackOverflow and http://railsapps.github.io/openssl-certificate-verify-failed.html.
I have updated to the latest OpenSSL and confirmed it by running the following:
ruby -ropenssl -e 'p OpenSSL::OPENSSL_VERSION'
"OpenSSL 1.0.1e 11 Feb 2013"
However, I'm still getting this error:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
when I call hash = JSON.parse(open(_url).read) where the _url points to a https endpoint.
I don't seem to have problems accessing some providers. For example, when I issue: curl -I https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem, it seems to work.
I also tried this in irb and it seems to work:
require 'open-uri'
open 'https://google.com'
=> #<File:/var/folders/dv/s_2dq32n0ggcn65kn61jtmc80000gn/T/open-uri20130630-887-y2cg2q>
Is this something the endpoint provider needs to fix or something with my local and production implementation of OpenSSL?
A certificate verification failure indicates that your Ruby instance was unable to find a way to chain the endpoint's certificate up to a trusted root that it is aware of. This can be a few different things:
The endpoint may have changed certificate providers and their new source is not in the default trust tore.
The endpoint may not have the proper intermediates installed.
The endpoint may have an untrusted certificate on it.
To narrow it down you can try loading the endpoint via a web browser. Do you get an untrusted error then? If so, time to contact your provider. If not, you'll need to look at the certificate and see what root it's using. Then you'll want to add that to the Ruby list of trusted certs (which is sourced differently depending on how you compiled it and on what platform).
I am planning to make an app whose data source is from an excel file.
So basically the desire outcome would be to make my app data in sync with the excel file.
I searched and found libxls and this seems to be a solution?
I downloaded the DHlibxls which is for xCode but have no success in running the provided test file.
Whenever I tried running I got the following error:
Error validating server certificate for
'https://libxls.svn.sourceforge.net:443':
- The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually! Certificate
information:
- Hostname: *.svn.sourceforge.net
- Valid: from Sat, 25 Feb 2012 23:58:41 GMT until Sun, 31 Mar 2013 19:51:44 GMT
- Issuer: GeoTrust, Inc., US
- Fingerprint: 0b:11:76:de:db:4c:74:72:cb:01:49:7d:13:70:c2:f1:13:7b:cb:bf (R)eject,
accept (t)emporarily or accept (p)ermanently? svn: OPTIONS of
'https://libxls.svn.sourceforge.net/svnroot/libxls/trunk/libxls':
Server certificate verification failed: issuer is not trusted
(https://libxls.svn.sourceforge.net) Command /bin/sh failed with exit
code 1
Has anyone run into the same problem?
for a more explicite answer click here.
For this problem go to the command prompt, then type
svn list https://libxls.svn.sourceforge.net:443
then type
p
recompile your code and it should work
This script seems to be running svn, maybe getting some files from SVN. The error itself is saying that svn does not recognize the HTTPS certificate of the SourceForge SVN server. You might get that if your time/date is set incorrectly, or it could be a number of other things.
Sourceforge recommends that you check that the HTTPS certificate is correct by checking the URL in your browser (https://sourceforge.net/apps/trac/sourceforge/wiki/Subversion):
When you receive this error, we encourage you to validate that the
server is the correct server by putting your checkout URL into a
trusted web browser (i.e.
https://PROJECTNAME.svn.sourceforge.net/svnroot/PROJECTNAME).
You can do that in your case by copying this URL and pasting it into your browser:
https://libxls.svn.sourceforge.net:443/libxls/svnroot
Then in the browser URL field, there should be a little lock icon just the left of the URL, click on that. (I'm looking at Firefox). Then click More Information, then click View Certificate. Then you should see that the SHA1 Fingerprint is the same long hex string that you saw in the error:
0b:11:76:de:db:4c:74:72:cb:01:49:7d:13:70:c2:f1:13:7b:cb:bf
If it is the same, then you should type 'p' for store permanently. If it is different, then there is something wrong with the connection or someone might be trying to "man in the middle" attack that site.