
I have a VirtualBox VM with a GitLab instance and I'm trying to register gitlab-runner on the same machine; during that I'm getting an issue about IP SANs.

VM: https://bitnami.com/stack/gitlab/virtual-machine

Process (screenshot)

I think verifying the certificate is successful (please correct me if I'm wrong). (screenshot)

What I have also done:

  1. added "subjectAltName=IP:192.168.8.6" to /etc/ssl/openssl.cnf
  2. generated the cert and key in /etc/gitlab-runner (screenshot)
  3. copied these 2 to: /etc/gitlab/trusted-certs/

Applying the solution from Gitlab-CI runner: ignore self-signed certificate also doesn't help. (screenshot)

Any ideas how I can debug this further? Any help appreciated.

Oskar Woźniak

2 Answers

From this post

Step 1: edit the SSL configuration on the GitLab server (not the runner)

    sudo nano /etc/pki/tls/openssl.cnf
    # find line
    [ v3_ca ]
    subjectAltName=IP:192.168.1.1   # <---- Add this line. 192.168.1.1 is your GitLab server IP.

Step 2: re-generate the self-signed certificate on the GitLab server (not the runner)

    cd /etc/gitlab/ssl
    sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/gitlab/ssl/192.168.1.1.key -out /etc/gitlab/ssl/192.168.1.1.crt
    sudo openssl dhparam -out /etc/gitlab/ssl/dhparam.pem 2048
    sudo gitlab-ctl restart

Step 3: copy the new CA to the GitLab CI runner in /etc/gitlab-runner/certs/

Step 4: register your runner

    gitlab-runner register --tls-ca-file="$CERTIFICATE"

This works for me.

hongnhat

For those errors like:

  • x509: certificate is not valid for any names, but wanted to match gitlab.example.com
  • x509: certificate relies on legacy Common Name field, use SANs instead
  • ...

I am running a GitLab server 15.7.1 Docker container on my laptop (following The Official Install Guide - With docker-compose), and installed a gitlab runner on that laptop host too.

In my case, the self-signed certificate should be re-requested manually according to the following steps:

  1. Enter the running gitlab container:

    docker compose exec web bash
    
  2. In the container, copy openssl.cnf to /etc/gitlab/ssl so that I can edit it from the host machine:

    cp /opt/gitlab/embedded/ssl/openssl.cnf /etc/gitlab/ssl/
    
  3. At the host, modify openssl.cnf to add a new line into the v3_ca section:

    subjectAltName=DNS:gitlab.example.com

    NOTE that a DNS name is needed instead of an IP.

  4. In the container, copy the file back:

    cp /etc/gitlab/ssl/openssl.cnf /opt/gitlab/embedded/ssl/
    
  5. In the container, recreate the x509 request and restart the gitlab services to sign the gitlab server certificate again:

    cd /etc/gitlab/ssl
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/gitlab/ssl/gitlab.local.key -out /etc/gitlab/ssl/gitlab.local.crt
    openssl dhparam -out /etc/gitlab/ssl/dhparam.pem 2048
    gitlab-ctl restart
    
  6. Now, gitlab-runner register should be OK.

    gitlab-runner register --tls-ca-file="$CERTIFICATE"
    

Good luck to anyone.

hedzr