voxpupuli / puppet-gitlab_ci_runner

Module to manage GitLab CI runners. Extracted from https://github.com/voxpupuli/puppet-gitlab
Apache License 2.0

Certificate verify failed on update to v4.0.0 #124

Closed byteflood closed 2 years ago

byteflood commented 2 years ago

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g Puppet code you use)

class { 'gitlab_ci_runner':
  concurrent => 1,
  runners    => {
    'my-runner' => {
      'registration-token' => '...',
      'url'                => 'https://...',
      'tag-list'           => 'mytag',
      'executor'           => 'docker+machine',
      'docker-image'       => 'ubuntu:focal',
    },
  },
}

What are you seeing

Error: Failed to apply catalog: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

What behaviour did you expect instead

...
Notice: Applied catalog in x seconds

Output log

Any additional information you'd like to impart

chrisongthb commented 2 years ago

Same problem here. I found out that adding the cacert of your own PKI to /opt/puppetlabs/puppet/ssl/cert.pem solves the problem. But that might not be the cleanest solution…

alexjfisher commented 2 years ago

@chrisongthb Thanks for the tip.

It probably wouldn't be too much work to make the verify mode configurable. https://github.com/voxpupuli/puppet-gitlab_ci_runner/blob/f829a91d1e9ef207f5ff9bc3ad45cd3a84211690/lib/puppet_x/gitlab/runner.rb#L40

or add a parameter that allowed you to override the cert store used. (ie use the system certificate store instead of /opt/puppetlabs/puppet/ssl/cert.pem)

I might not be able to look at this for a while, but meanwhile, PRs extremely welcome.
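To make the two suggestions above concrete, here is an added example (not code from puppet-gitlab_ci_runner, and `build_client` is a hypothetical shape for a configurable client, not the module's API). It builds a throwaway in-house PKI in memory, shows that verifying the server's chain against a trust store that lacks the in-house root fails with the same OpenSSL error code the issue reports, that adding the CA to the store (what the cert.pem workaround does) makes it pass, and how a Net::HTTP client could take its trust anchors from a caller-supplied CA file or cert store while keeping verification on. The CA, leaf certificate and hostname are constructed for the example.

```ruby
require 'openssl'
require 'net/http'
require 'uri'

# --- Constructed in-house PKI (example data, generated in memory) ---------
# A self-signed CA and a server leaf it signed, standing in for the CA the
# commenters had to add to /opt/puppetlabs/puppet/ssl/cert.pem.
def make_cert(subject:, key:, serial:, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
    ca ? 'keyCertSign, cRLSign' : 'digitalSignature, keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256')) # self-signed when no issuer
  cert
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = make_cert(subject: '/CN=Example In-House Root CA', key: CA_KEY, serial: 1, ca: true)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert(subject: '/CN=gitlab.example.internal', key: LEAF_KEY, serial: 2, ca: false,
                      issuer_cert: CA_CERT, issuer_key: CA_KEY)

# Verify the chain a server would present (leaf plus the extra, untrusted certs it
# sends) against a trust store built from the given PEM strings. Returns
# [ok, error_code, error_string]; the code is stable across OpenSSL versions,
# the string is what surfaces in the agent's "certificate verify failed" message.
def verify_chain(leaf, presented_chain, trusted_pems)
  store = OpenSSL::X509::Store.new
  trusted_pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, presented_chain)
  ok = ctx.verify
  [ok, ctx.error, ok ? nil : ctx.error_string]
end

# Build the HTTPS client the way a configurable module could (hypothetical shape,
# not the module's API): verification stays on by default, and the trust anchors
# come from a caller-supplied CA file or cert store instead of a hard-wired path.
def build_client(url, verify: true, ca_file: nil, cert_store: nil)
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  # VERIFY_NONE silences the error but also removes MITM protection; prefer
  # pointing ca_file/cert_store at the in-house CA and leaving verify on.
  http.verify_mode = verify ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
  http.ca_file = ca_file if ca_file
  http.cert_store = cert_store if cert_store
  http
end

if __FILE__ == $PROGRAM_NAME
  # 1. Trust store without the in-house CA: the server's self-signed root is in
  #    the presented chain but unknown, which is exactly the issue's error.
  p verify_chain(LEAF_CERT, [CA_CERT], [])
  # 2. Same chain after adding the CA to the store (the cert.pem workaround).
  p verify_chain(LEAF_CERT, [CA_CERT], [CA_CERT.to_pem])
  # 3. A client that would use that CA for the runner registration call.
  store = OpenSSL::X509::Store.new
  store.add_cert(CA_CERT)
  p build_client('https://gitlab.example.internal/api/v4/runners', cert_store: store).verify_mode
end
```

The first `verify_chain` call fails with `OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN`, which is the code behind "self signed certificate in certificate chain"; the second succeeds with the same chain once the root is trusted. That is why appending the CA to the file the module reads works, and why a `ca_file`/`cert_store` parameter is the cleaner fix: it changes which store is consulted without touching Puppet's own bundle and without dropping to `VERIFY_NONE`.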

MasterMind2k commented 2 years ago

There is still an issue with the initial run. We use an in-house CA certificate. If the CA certificate is not yet on the machine, this won't execute.

The problem lies in the URL fetching being executed too soon. Puppet did not have a chance to install the required CA.

In my case, a solution is to use Puppet's ca file, but it seems not a proper solution.

juliantaylor commented 1 year ago

You can avoid the problem of the deferred function running before the certificate is available in Puppet >= 7.17 via on-demand deferred functions.

They allow you to execute catalog code before deferred functions are evaluated; they also respect normal Puppet orderings. https://www.puppet.com/docs/puppet/7/release_notes_puppet.html#enhancements_puppet_x-7-17-0-PUP-9323 https://github.com/puppetlabs/puppet/pull/8902