Add CA certificate to drone.io build container such that git fetch can use it?

I have a local GitLab node and a local drone.io node. The drone.io node runs on Ubuntu. The GitLab node uses a self-signed certificate. I have added the certificate to the drone.io node in the canonical Ubuntu way (cp cert.pem /usr/share/ca-certificates/; update-ca-certificates). The drone is started with -v /etc/ssl:/etc/ssl:ro. I know the drone container knows this certificate, as it solved the problem of not being able to log in because of a certificate problem in OAuth. But the build gives an error in git fetch with "SSL certificate problem: self signed certificate".

I suspect drone starts some other containers for the build, and the other container does not have the cert. But I have lost track of what is happening, and have no idea how to inject my cert there.

The script starting drone:

#!/bin/bash
set -x
docker kill drone
docker rm drone
docker run \
    --volume /var/lib/drone:/var/lib/drone \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    --volume /etc/ssl:/etc/ssl:ro \
    --env-file /etc/drone/dronerc \
    --restart=always \
    --publish=80:8000 \
    --detach=true \
    --name=drone \
    drone/drone:0.4 \
    -debug

/etc/drone/dronerc:

# in gitlab, as an administrator, go to /admin/applications
# add a new application, the redirect uri being https://drone.machine/authorize
REMOTE_DRIVER=gitlab
REMOTE_CONFIG=https://ci-poc.devel.balabit?client_id=b88f2a6faefd8d9a05eddd82c8327bda6a59858fc7772753f4e2c0e6a7cd96e4&client_secret=966f752d39f211ef6b79a8c079d2ff1226f6ccd772a239efab4f4e4fb5de67a9
DATABASE_DRIVER=sqlite3
DATABASE_CONFIG=/var/lib/drone/drone.sqlite
HTTP_PROXY=http://proxy.balabit:3128/
HTTPS_PROXY=http://proxy.balabit:3128/

A build log:

[info] Pulling image plugins/drone-git:latest
Drone Git Plugin built from 8be7aa9
$ git init
Initialized empty Git repository in /drone/src/gitlab.private/mag/devsec/.git/
$ git remote add origin https://gitlab.private/mag/devsec.git
$ git fetch --no-tags --depth=50 origin +refs/heads/master:
fatal: unable to access 'https://gitlab.private/mag/devsec.git/': SSL certificate problem: self signed certificate
[info] build failed (exit code 1)

Upvotes: 0

Views: 2777

Answers (2)

Tim Nieradzik

Reputation: 309

You can set the following environment variable to make the host's CA certificates available to the Drone runner:

-e DRONE_RUNNER_VOLUMES=/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt

Upvotes: 3
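
A check a build step could run to confirm that the bundle mounted through DRONE_RUNNER_VOLUMES really contains the GitLab CA, so that git can keep TLS verification enabled. This is an added example, not part of the original answers; the function names and sample file names are hypothetical, and the sample PEM bodies are constructed placeholders rather than real certificates.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# pem_bodies FILE: print one line per certificate block in FILE, holding the
# block's base64 body with line breaks and other whitespace removed.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# ca_in_bundle CERT BUNDLE: 0 if the first certificate in CERT is also in
# BUNDLE, 1 if it is not, 2 if a file is unreadable or CERT has no certificate.
ca_in_bundle() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    want=$(pem_bodies "$1" | head -n 1)
    [ -n "$want" ] || return 2
    pem_bodies "$2" | grep -qxF -- "$want"
}

# make_sample DIR: write constructed sample files into DIR. The base64 bodies
# are placeholders that only exercise the PEM block matching.
make_sample() {
    b='-----BEGIN CERTIFICATE-----'; e='-----END CERTIFICATE-----'
    printf '%s\n' "$b" 'QUFBQUFBQUFB' 'QkJCQkJCQkI=' "$e" > "$1/gitlab-ca.pem"
    printf '%s\n' "$b" 'Q0NDQ0NDQ0M=' "$e" > "$1/host-only.crt"
    # Bundle after update-ca-certificates: same CA body, wrapped on one line.
    { cat "$1/host-only.crt"
      printf '%s\n' "$b" 'QUFBQUFBQUFBQkJCQkJCQkI=' "$e"; } > "$1/mounted.crt"
}

# Demo on the constructed files. In a real build step the call would be:
#   ca_in_bundle gitlab-ca.pem /etc/ssl/certs/ca-certificates.crt
tmp=$(mktemp -d) && make_sample "$tmp"
ca_in_bundle "$tmp/gitlab-ca.pem" "$tmp/mounted.crt" && echo "mounted bundle: CA present"
ca_in_bundle "$tmp/gitlab-ca.pem" "$tmp/host-only.crt" || echo "default bundle: CA missing"
rm -rf "$tmp"
```

A return value of 1 inside the build container means the volume mapping did not deliver the updated bundle to the clone step.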

A workaround was to set skip_verify for clone in .drone.yml. Found the solution at http://addons.drone.io/git/

My .drone.yml is the following; the first two lines are relevant.

clone:
  skip_verify: true
build:
  image: magwas/edemotest:xslt
  commands:
    - ./bin/script

Upvotes: 0
