Gitlab-CI runner: ignore self-signed certificate

Question

gitlab-ci-multi-runner register

gave me

couldn't execute POST against https://xxxx/ci/api/v1/runners/register.json:
Post https://xxxx/ci/api/v1/runners/register.json:
x509: cannot validate certificate for xxxx because it doesn't contain any IP SANs

Is there a way to disable certificate validation?

I'm using Gitlab 8.13.1 and gitlab-ci-multi-runner 1.11.2.

Answer 1

Score: 72

Based on Wassim's answer, and the gitlab documentation about tls-self-signed and custom CA-signed certificates, here's something to save some time if you're not the admin of the gitlab server but just of the server with the runners (and if the runner is run as root):

SERVER=gitlab.example.com
PORT=443
# Must be an absolute path (see Update 1 below)
CERTIFICATE=/etc/gitlab-runner/certs/${SERVER}.crt

# Create the certificates hierarchy expected by gitlab
sudo mkdir -p "$(dirname "$CERTIFICATE")"

# Get the certificate in PEM format and store it
# (-servername sends SNI so a server hosting several names returns the right certificate;
#  -showcerts prints every certificate the server sends, sed keeps only the PEM blocks)
openssl s_client -connect "${SERVER}:${PORT}" -servername "${SERVER}" -showcerts </dev/null 2>/dev/null | sed -e '/-----BEGIN/,/-----END/!d' | sudo tee "$CERTIFICATE" >/dev/null

# Register your runner
gitlab-runner register --tls-ca-file="$CERTIFICATE" [your other options]

Update 1: CERTIFICATE must be an absolute path to the certificate file.

Update 2: it might still fail with custom CA-signed certificates because of gitlab-runner bug #2675

Answer 2

Score: 20

In my case I got it working by adding the path to the .pem file as follows:

sudo gitlab-runner register --tls-ca-file /my/path/gitlab/gitlab.myserver.com.pem

Often, gitlab-runners are hosted in a docker container. In that case, one needs to make sure that the tls-ca-file is available in the container.

Answer 3

Score: 8

Ok, I followed this post step by step: http://moonlightbox.logdown.com/posts/2016/09/12/gitlab-ci-runner-register-x509-error and then it worked like a charm.
To prevent a dead link I copy the steps below:

First edit the ssl configuration on the GitLab server (not the runner)

vim /etc/pki/tls/openssl.cnf

[ v3_ca ]
subjectAltName=IP:192.168.1.1 <---- Add this line. 192.168.1.1 is your GitLab server IP.

Re-generate the self-signed certificate

cd /etc/gitlab/ssl
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/gitlab/ssl/192.168.1.1.key -out /etc/gitlab/ssl/192.168.1.1.crt
sudo openssl dhparam -out /etc/gitlab/ssl/dhparam.pem 2048
sudo gitlab-ctl restart

Copy the new CA to the GitLab CI runner

scp /etc/gitlab/ssl/192.168.1.1.crt root@192.168.1.2:/etc/gitlab-runner/certs

Thanks @Moon Light @Wassim Dhif

Answer 4

Score: 7

The following steps worked in my environment (Ubuntu).

Download certificate
I did not have access to the gitlab server. Therefore,

  1. Open https://some-host-gitlab.com in a browser (I use chrome).
  2. View site information, usually a green lock in the URL bar.
  3. Download/Export the certificate by navigating to certificate information (chrome and firefox have this option).

On the gitlab-runner host

  1. Rename the downloaded certificate with .crt

    $ mv some-host-gitlab.com some-host-gitlab.com.crt

  2. Register the runner now with this file

    $ sudo gitlab-runner register --tls-ca-file /path/to/some-host-gitlab.com.crt

I was able to register the runner to a project.

Answer 5

Score: 6

Currently there is no possibility to run the multi runner with an insecure ssl option.

There is currently an open issue at GitLab about that.

Still, you should be able to get your certificate, make it a PEM file and give it to the runner command using --tls-ca-file

To craft the PEM file use openssl.
# add -inform DER if mycert.crt is a binary (DER) export rather than PEM text
openssl x509 -in mycert.crt -out mycert.pem -outform PEM

Answer 6

Score: 6

In my setup the following worked as well. It's just important that the IP/Name used for creating the certificate matches the IP/Name used for registering the runner.

gitlab-runner register --tls-ca-file /my/path/gitlab/gitlab.myserver.com.pem

Furthermore, it could be necessary to add a line for hostname lookup to the runner's config.toml file as well (section [runners.docker]):
extra_hosts = ["git.domain.com:192.168.99.100"]
see also https://gitlab.com/gitlab-org/gitlab-runner/issues/2209

In addition, there could be some network trouble if network-mode host is used for gitlab/gitlab-runner; it has to be added to the config.toml as well, as the runner starts additional containers, which otherwise could have a problem connecting to the gitlab host (section [runners.docker]):
network_mode="host"

Finally, there might be an issue with the self-signed SSL cert (https://gitlab.com/gitlab-org/gitlab-runner/issues/2659).
A dirty workaround is to add
environment = ["GIT_SSL_NO_VERIFY=true"]
to the [[runners]] section.

huangapple
  • Posted on 2017-06-09 20:55:01
  • When reposting, please keep this link: https://go.coder-hub.com/44458410.html