16

I get this error on a fresh install of gitlab. The message looks like: 

fatal: unable to access 'https://gitlab-ci-
token:xxxxxxxxxxxxxxxxxxxx@gitlab.example.com/something.git/': Peer's 
Certificate issuer is not recognized.ERROR: Job 
failed: exit status 1

Any suggestions on how to fix it?

qubsup
  • 1,241
  • 5
  • 15
  • 23

2 Answers2

26

Had faced the same problem after enabling verbose mode by following command export GIT_CURL_VERBOSE=1 and found the following issue:

NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)

Found this following site helpful,But its good when you have entire control for the proxy server as well to enter the certificates.

http://dropbit.com/?p=168

I instead ran following command to bypass ssl verification by porxy server and it worked 

git config --global http.sslVerify "false"
Tshilidzi Mudau
  • 7,373
  • 6
  • 36
  • 49
Avinash Singh
  • 1,006
  • 9
  • 10
7

You need to configure /etc/gitlab/gitlab.rb. Change this line

nginx['ssl_certificate'] = "/etc/gitlab/<your-local-path>/cert.pem"

to 

nginx['ssl_certificate'] = "/etc/gitlab/<your-local-path>/fullchain.pem"

(Assuming, you already have nginx enabled and you have correctly issued certificates, e.g. from LetsEncrypt.)

then restart gitlab and you're done:

$ gitlab-ctl reconfigure

Why - cert.pem does not contain full certificate chain, thus ca chain cannot be verified. Replacing with fullchain.pem solves it.

Miroslav Mocek
  • 857
  • 8
  • 4
  • worked for me. I had this error after upgrading gitlab-runner from version 9.* to 12.* – Kgaut Dec 31 '19 at 10:16
  • thanks for the helpful workaround. i have to say i'm so utterly sick of gitlab's chaotic design, i don't even find words for it anymore. i.e. the problem isn't that cert.pem doesn't hold the full chain but that they don't load the chain, or rather that they don't have a mechanism to sync certs, etc, etc. – Florian Heigl Jul 10 '23 at 01:29