How do I add a custom certificate to a gitlab-ci.yml file with the default runner? I am running this on cloud.
variables:
  MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
  MAVEN_CLI_OPTS: "-s ci_settings.xml --batch-mode --errors --fail-at-end --show-version"
  http_proxy: http://genproxy.myorg.com:8080
  https_proxy: http://genproxy.myorg.com:8080
  no_proxy: .myorg.com,localhost,127.0.0.1

deploy:
  image: maven:3.6-jdk-11
  before_script:
    - 'gitlab-runner register --tls-ca-file xxxxx.pem'
  script:
    - 'mvn $MAVEN_CLI_OPTS deploy'
  only:
    - master
I have tried all the possible solutions with ssl_verify false, GIT_SSL_NO_VERIFY: "1". I am not using a custom runner because I am not the admin. I need to add the cert in the default runner that GitLab CI invokes.
Currently I am getting an X509 PKIX error when I am trying to publish my jar to the package registry of GitLab.
Update: I also tried adding the cert and updating the CA certificates:
before_script:
  - 'cp gitlab.corp.myorg.com.crt /usr/local/share/ca-certificates'
  - 'update-ca-certificates'
GitLab runner added the cert, but I still get the PKIX X.509 error.
Can anyone help?
Solution 1:[1]
You are on the right track in that you need to make the missing root CA known. Please note that disabling TLS verification will increase the attack surface, so you had better avoid it.
Registering a runner in the before_script is very unlikely to help you here. The command you run in your first attempt tries to register the current system as a new runner, with the CA file used to trust the GitLab server. This has nothing to do with what you want to achieve.
Your update helps by making the CA known to your system (in this case, whatever Linux distro the maven image is built on). I suggest you keep it to avoid further bugs, even if it might not solve your issue here.
Maven depends on Java and, as luck would have it, Java does its own CA management. Hence you need to make the root CA that signed your Maven repo server known to Java. You seem to be using GitLab for Maven repos too, so that would be the root CA that signed gitlab.corp.myorg.com. You can find the right certificate in your browser's certificate details (lock symbol next to the URL in most browsers) as the issuer.
Java uses keytool for managing its trust anchors, so with Java 11 you might want to execute
keytool -import -trustcacerts -noprompt -alias <alias-name> -file <certificate-file-path> -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit
in your before_script (-noprompt and -storepass keep keytool from waiting on an interactive "Trust this certificate?" answer that a CI job can never give; changeit is the JDK's default cacerts password).
If your CI job needs to leverage a proxy, you might want to trust the proxy's signing CA as well (same procedure).
Example:
before_script:
  # update-ca-certificates only picks up files ending in .crt under /usr/local/share/ca-certificates
  - cp /path/to/mycorp.rootca.pem /usr/local/share/ca-certificates/mycorp.rootca.crt
  - update-ca-certificates
  # Java keeps its own trust store; -noprompt/-storepass make this non-interactive
  - keytool -import -trustcacerts -noprompt -alias my-gitlab -file /path/to/mycorp.rootca.pem -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit
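The whole procedure from the answer above, carried through as one script that a before_script can call (`bash ./install-ca.sh mycorp.rootca.pem mycorp-root`, and a second call with the proxy CA and another alias if the job goes through an intercepting proxy). This is an added example, not code from the answer or from GitLab: the file name mycorp.rootca.pem, the alias mycorp-root and the helper names are assumptions; changeit is the JDK's default cacerts password. Beyond the answer, it also resolves the JDK 8 versus JDK 9+ cacerts location, refuses non-PEM input, warns when the file is a leaf rather than a CA certificate, and deletes a stale alias first so a re-run does not fail on "alias already exists".

```shell
#!/usr/bin/env bash
# Added example (not part of the original answer). Installs a corporate root CA
# into both the OS trust store and the JDK's cacerts from a GitLab CI before_script.
# Assumed/hypothetical: $1 is the PEM file (e.g. mycorp.rootca.pem), $2 the alias
# (default mycorp-root), JAVA_HOME is set by the maven image.
set -eu

# Destination that update-ca-certificates will actually scan: it only picks up
# files ending in ".crt" under /usr/local/share/ca-certificates, so a ".pem"
# copied verbatim is silently ignored.
ca_target_path() {
  src=$1; dir=${2:-/usr/local/share/ca-certificates}
  base=$(basename "$src")
  base=${base%.*}                      # strip .pem/.cer/... before appending .crt
  printf '%s/%s.crt\n' "$dir" "$base"
}

# The OS store wants PEM; reject DER or random files early.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# JDK 9+ keeps the trust store in lib/security, JDK 8 in jre/lib/security.
java_cacerts() {
  home=${1:-${JAVA_HOME:-}}
  if [ -f "$home/lib/security/cacerts" ]; then
    printf '%s\n' "$home/lib/security/cacerts"
  elif [ -f "$home/jre/lib/security/cacerts" ]; then
    printf '%s\n' "$home/jre/lib/security/cacerts"
  else
    return 1
  fi
}

install_ca() {
  pem=$1; alias=${2:-mycorp-root}
  is_pem_cert "$pem" || { echo "not a PEM certificate: $pem" >&2; return 1; }

  # The answer says to import the ISSUER, i.e. a CA certificate, not the server leaf.
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' \
      || echo "warning: $pem is not a CA certificate (no CA:TRUE); trust the issuer instead" >&2
  fi

  # 1. OS trust store, used by curl, git, wget, apt ...
  target=$(ca_target_path "$pem")
  cp "$pem" "$target"
  update-ca-certificates

  # 2. JDK trust store, used by Maven; separate from the OS store.
  store=$(java_cacerts) || { echo "cacerts not found under JAVA_HOME=${JAVA_HOME:-unset}" >&2; return 1; }
  # Drop a stale alias so re-runs are idempotent, then import non-interactively:
  # without -noprompt keytool waits for "Trust this certificate? [no]:" and a CI job
  # either hangs or takes the default "no".
  keytool -delete -alias "$alias" -keystore "$store" -storepass changeit >/dev/null 2>&1 || true
  keytool -importcert -trustcacerts -noprompt -alias "$alias" -file "$pem" \
          -keystore "$store" -storepass changeit

  # 3. Verify the anchor is really there before mvn deploy runs.
  keytool -list -alias "$alias" -keystore "$store" -storepass changeit
}

# Only act when called with a certificate path; sourcing the file defines the functions.
if [ "${1:-}" ]; then
  install_ca "$1" "${2:-mycorp-root}"
fi
```

In .gitlab-ci.yml this replaces the three before_script lines with `- bash ./install-ca.sh mycorp.rootca.pem mycorp-root`; the script needs to run as root inside the job container, which is the default in the maven images.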
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source
--- | ---
Solution 1 | Sascha Scherrer