The role of gitlab-runner is to run unit tests (including but not limited to them) based on the configuration of the gitlab repository, and to feed the results of the unit tests back to gitlab.

So if the environment in which we run the unit tests is macos, we need to install gitlab-runner on a macos host; if we run the unit tests on ubuntu, we need to install gitlab-runner on an ubuntu host.

After gitlab-runner is installed, it has to be registered with gitlab so that gitlab can initiate remote calls to it. The registration command is as follows:

 sudo gitlab-runner register --url https://yourGitLab.ServerDomainName.com --registration-token yourGitLabToken

But for security reasons, if our gitlab server's certificate cannot be validated by the host that is to run the unit tests, registration fails with the error x509: certificate signed by unknown authority.

At this point, we need to manually specify a valid certificate for it when running the registration command.

Solution

The official gitlab documentation specifically explains this issue. Roughly, it says that we need to manually specify the relevant certificate for each site to be registered.

When a site is accessed over https, the browser automatically downloads the certificate for us and verifies it against the CA certificates, but gitlab-runner will not, so we need to help it manually.

Although gitlab officially gives several solutions, our experiments showed that the easiest one is to register the downloaded certificate with the operating system.

Proceed as follows:

Get a certificate

If you applied for the certificate of the website running the gitlab service yourself, you already have a crt certificate and can skip this step.

If we do not have the certificate of the site, we can use openssl to obtain the server's crt certificate. This can be done on the test machine running gitlab-runner, or on our own computer:

 # Replace gitlab.example.com:443 with your own domain and port, and the output file name with your own
 openssl s_client -showcerts -connect gitlab.example.com:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM > ~/gitlab.example.com.crt

If you don't want to type commands, you can also get it with the help of a browser. Take macos as an example:

At this point we have a file in cer format, which we will now convert to pem format.

Double-click the certificate file to add it to the keychain:

Find it in the keychain, right click and export:

Select pem as the format.

Finally, change the extension .pem directly to .crt.

Either way, what we need is the crt certificate that is installed on the gitlab site.
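
Neither the openssl download nor the browser export authenticates the certificate, so before it is added to the system trust store its SHA-256 fingerprint should be compared with a value obtained from the gitlab administrator over a separate channel. The script below is an added example, not part of the original post; the function names, the file name vet_cert.sh and the throwaway sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: vet a downloaded certificate before it goes into the trust store.

# cert_sha256 FILE: SHA-256 fingerprint as lowercase hex without colons.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# vet_cert FILE HOST EXPECTED_SHA256
# Succeeds only if FILE parses as a certificate, its fingerprint equals the
# value obtained out-of-band, it names HOST, and it has not expired.
vet_cert() {
    expected=$(printf '%s' "$3" | tr -d ': ' | tr 'A-F' 'a-f')
    actual=$(cert_sha256 "$1")
    [ -n "$actual" ] || { echo "not a PEM certificate: $1" >&2; return 2; }
    [ "$actual" = "$expected" ] || { echo "fingerprint mismatch: got $actual" >&2; return 3; }
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match' ||
        { echo "certificate does not name $2" >&2; return 4; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 5; }
}

# Constructed sample: a throwaway self-signed certificate that stands in for
# the file written by the openssl s_client command.
make_sample_cert() {   # make_sample_cert OUTFILE HOST
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$1.key"
}

# Usage: sh vet_cert.sh ~/gitlab.example.com.crt gitlab.example.com <fingerprint>
if [ "$#" -eq 3 ]; then
    vet_cert "$@" && echo "ok: fingerprint, host name and validity period checked for $1"
fi
```

The expected fingerprint may be given with or without colons and in either case; it is normalised before the comparison.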

Register the certificate

Suppose we have obtained the site's certificate as described in the previous step and uploaded it to the machine running gitlab-runner.

ubuntu

Below, we take the ubuntu operating system as an example to show how to install this certificate globally into the operating system.

 $ sudo apt-get install -y ca-certificates
$ sudo cp gitlab.example.com.crt /usr/local/share/ca-certificates/
$ sudo update-ca-certificates

The full log is as follows:

 yunzhi@yunzhi-virtual-machine:/etc/ca-certificates$ sudo apt-get install -y ca-certificates
[sudo] password for yunzhi: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
ca-certificates is already the newest version (20210119~20.04.2).
0 upgraded, 0 newly installed, 0 to remove and 160 not upgraded.
yunzhi@yunzhi-virtual-machine:~$ sudo cp gitlab.example.com.crt /usr/local/share/ca-certificates/
yunzhi@yunzhi-virtual-machine:/usr/local/share/ca-certificates$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping DigiCert-Global-Root-CA.pem,it does not contain exactly one certificate or CRL
1🥰 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

The line marked with 🥰 is the key one: it shows that 1 certificate has been added successfully.

freebsd

Registering the certificate on freebsd is relatively simple: just move the crt file to /usr/local/share/certs/ :

 root@freebsd-jdk8:/home/panjie # cp yourdomain.crt /usr/local/share/certs/

Register the runner

After the certificate has been added, the registration completes automatically using that certificate:

 yunzhi@yunzhi-virtual-machine:~$ sudo gitlab-runner register
Runtime platform                                    arch=amd64 os=linux pid=813430 revision=f188edd7 version=14.9.1
Running in system-mode.                            
                                                   
Enter the GitLab instance URL (for example, https://gitlab.com/):
https://gitlab.example.com:8888/
Enter the registration token:
yourGitLabTokenHere
Enter a description for the runner:
[yunzhi-virtual-machine]: ubuntu
Enter tags for the runner (comma-separated):

Enter optional maintenance note for the runner:
 
Registering runner... succeeded                     runner=GR134894
Enter an executor: docker-ssh+machine, kubernetes, custom, docker, parallels, ssh, docker-ssh, shell, virtualbox, docker+machine:

At this point the gitlab-runner x509 error has been successfully resolved.

After registration, don't forget to run gitlab-runner start 🙂 .

git clone

When gitlab-runner runs the unit tests, it must first perform the git clone https://xxx operation. When our certificate is not recognized (internal host), the following error occurs:



fatal: unable to access ' https://xxxxx.xxx.xxx/yunzhiclub/smart-community.git/ ': Problem with the SSL CA cert (path? access rights?)
fatal: unable to access ' https://xxx.xxx.xxx/yunzhiclub/smart-community.git/ ': error setting certificate verify locations: CAfile: /home/gitlab-runner/builds/c_SqAx1t/0/yunzhiclub/smart -community.tmp/CI_SERVER_TLS_CA_FILE CApath: none


At this point, the ssl check during git clone can be disabled by setting the environment variable GIT_SSL_NO_VERIFY to the value true.
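
According to git's documentation, setting GIT_SSL_NO_VERIFY to any value disables certificate verification, so a leftover GIT_SSL_NO_VERIFY: "false" still turns the check off. The following added example (not part of the original post) scans CI and git configuration for that variable and for http.sslVerify being switched off, so the workaround can be found and removed once it is no longer needed; the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example: find settings that switch off git's certificate verification.

# audit_git_tls DIR
# Prints "file:line: reason" for each hit under DIR; returns 1 if there is
# any hit and 0 if the tree is clean.
audit_git_tls() {
    findings=$(find "$1" -type f -exec awk '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /GIT_SSL_NO_VERIFY[^A-Za-z0-9_]*[:=]/ {
            # git only checks that the variable is set, so "false" and 0 count too
            print FILENAME ":" FNR ": GIT_SSL_NO_VERIFY is set"; next
        }
        tolower($0) ~ /sslverify[ \t]*=[ \t]*(false|no|off|0)/ {
            print FILENAME ":" FNR ": http.sslVerify is disabled"
        }
    ' {} + | sort)
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: a CI file, a runner config and a git config.
make_sample_tree() {   # make_sample_tree DIR
    mkdir -p "$1/runner" "$1/home"
    cat > "$1/.gitlab-ci.yml" <<'EOF'
variables:
  GIT_SSL_NO_VERIFY: "false"
  # GIT_SSL_NO_VERIFY: "true"
test:
  script:
    - make test
EOF
    cat > "$1/runner/config.toml" <<'EOF'
[[runners]]
  name = "ubuntu"
  environment = ["GIT_SSL_NO_VERIFY=true"]
EOF
    printf '[http]\n\tsslVerify = false\n' > "$1/home/.gitconfig"
    printf 'export GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt\n' > "$1/home/env.sh"
}

# Usage: sh audit_git_tls.sh /path/to/checkout-or-config-dir
if [ "$#" -eq 1 ]; then audit_git_tls "$1"; fi
```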

HTTPS principle and communication process
gitlab official website: Self-signed certificates or custom Certification Authorities
Ubuntu official: Installing a root CA certificate in the trust store
Disable git's ssl checksum


潘杰