5

I'm trying to register a git runner on my company's local network server. GitLab is working fine with a self-signed certificate, but when trying to register a git runner like this

```
sudo gitlab-runner register --tls-ca-file=/home/gitlab-runner/certs/git.crt
```

then pasting the git URL

```
Please enter the gitlab-ci coordinator URL (e.g. https://gitlab.com/)
https://git.mycompany/
```

then the token:

```
Please enter the gitlab-ci token for this runner:
TOKEN
```

and then the description and the tags, then I get this error:

```
ERROR: Registering runner... failed
runner=TOKEN status=couldn't execute POST against https://git.mycompany/api/v4/runners:
Post https://git.mycompany/api/v4/runners:
dial tcp: lookup git.mycompany on 127.0.0.53:53:
no such host
PANIC: Failed to register this runner. Perhaps you are having network problems
```

I'm not using Docker, just a normal setup. Any help please, and many thanks in advance.


UPDATE:

I added the nameserver for the DNS server to /etc/resolv.conf and the last error is gone, but I have a new error:

```
x509: certificate has expired or is not yet valid
```

even though I'm registering the runner with the .crt as in the documentation, with

```
sudo gitlab-runner register --tls-ca-file /path/to/some-host-gitlab.com.crt
```

It's a self-signed certificate.


UPDATE

The certificate is valid from 6/5/2019 to 7/5/2019. Does that matter if it's a self-signed certificate?


Fadi
  • `lookup git.mycompany on 127.0.0.53:53` - it looks like you're running `dnsmasq` or some other local resolver, and your system is configured to use it as a nameserver. This has nothing to do with gitlab runner. You need to fix your local DNS configuration. – Jonathon Reinhart Aug 26 '19 at 12:51

3 Answers

4

Regarding the DNS issue, you have to change the DNS server in /etc/resolv.conf and set your nameserver to your DNS.

For the certificates, GitLab Runner by default checks the system certificate store and verifies the GitLab server against the CAs stored in the system. To add your certificate to the system, you should add your trusted certificate to /usr/local/share/ca-certificates/ and run `sudo update-ca-certificates`. Or you can set the certificate as a parameter `--tls-ca-file` when registering the runner.

I would suggest creating a new certificate with more validation days. (Don't forget to change the certificate path in GitLab's config in apache2 or nginx.)

Coderji
2

Looks like issues with name resolution. Can you please verify the reachability of the DNS server?

From the logs, I can see it is trying to resolve from the host itself:

dial tcp: **lookup git.mycompany on 127.0.0.53:53:** no such host

Jobin James
  • Hi @jobina, I can open the git by git.mycompany and also ping. – Fadi Aug 26 '19 at 11:58
  • Did you check this documentation? https://docs.gitlab.com/runner/configuration/tls-self-signed.html and https://gitlab.com/gitlab-org/gitlab-runner/blob/master/docs/configuration/advanced-configuration.md – Jobin James Aug 27 '19 at 09:46
  • Yes, but is there something specific you want me to look at? – Fadi Aug 27 '19 at 10:35
  • Please add the CA to the server trust store also: `openssl x509 -in /usr/local/share/ca-certificates/ca.pem -inform PEM -out /usr/local/share/ca-certificates/ca.crt` and `update-ca-certificates` – Jobin James Aug 27 '19 at 11:45
  • https://stackoverflow.com/questions/44458410/gitlab-ci-runner-ignore-self-signed-certificate – Jobin James Aug 29 '19 at 17:13
2

To answer your last edit about the certificate: your self-signed certificate will be verified by the runner in order to secure the connection. Having valid dates in your certificate is a first step, but the runner will still refuse to validate a self-signed cert. For this, I recommend you read the issue discussion: https://gitlab.com/gitlab-org/gitlab-runner/issues/1754

You can take the self-signed certificate, put it in a PEM file and provide it to GitLab Runner per https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/blob/master/docs/configuration/tls-self-signed.md

There is also a tls-skip-verify option: https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/blob/master/docs/configuration/advanced-configuration.md

Community
William
  • Hi @William, I'm not using Docker, only shell, and there is no tls-skip-verify for non-Docker runners, and I already tried to add a PEM file and provide it to GitLab Runner. – Fadi Aug 27 '19 at 10:35
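
An added illustration of the question's last update (not code from any post above or from GitLab Runner): the runner is written in Go and the error text comes from Go's `crypto/x509`, so this sketch builds a constructed self-signed certificate for `git.mycompany`, trusts it as its own CA the way `--tls-ca-file` does, and verifies it at different clock times. The helper names `selfSigned` and `verifyAt` are hypothetical, and the one-month window is read here as 5 June to 5 July 2019, which is an assumption about the date format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed cert (constructed sample, not the asker's).
func selfSigned(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             notBefore, NotAfter: notAfter,
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAt verifies cert for host as if the client's clock read now.
func verifyAt(cert *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // models --tls-ca-file: the cert is its own trust anchor
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	return err
}

func main() {
	day := func(m time.Month, d int) time.Time { return time.Date(2019, m, d, 0, 0, 0, 0, time.UTC) }
	cert, err := selfSigned("git.mycompany", day(6, 5), day(7, 5))
	if err != nil {
		panic(err)
	}
	fmt.Println("inside window:", verifyAt(cert, "git.mycompany", day(6, 20)))
	fmt.Println("after window: ", verifyAt(cert, "git.mycompany", day(8, 26)))
}
```

Trusting the certificate only replaces the CA check; Go's verifier still compares the NotBefore/NotAfter window against the client's clock, so a certificate outside its window fails even when it is the configured trust anchor.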