CodeM7

Reputation: 113

gitlab k3s runner WARNING: Checking for jobs... failed x509: certificate signed by unknown authority

I have an issue with a gitlab-runner installed via the application panel on GitLab to a k3s Rancher cluster. It was working fine, then today GitLab was restarted and it started giving this error.

I found out where the GitLab certificate is and where to copy it, but I do not have sudo on the pod:

bash-5.0$ cd gitlab-runner/
bash: cd: gitlab-runner/: Permission denied
bash-5.0$ pwd

If I do not install the Runner via the application panel from the GitLab site, it doesn't work properly (meaning I install it via helm with -f values, but it will not work with Auto DevOps and it will not create a pod for each CI job as expected).

Any workaround or solution would be greatly appreciated :)

Thank you in advance.

Upvotes: 1

Views: 802

Answers (2)

Tiago

Reputation: 21

In the same boat here. Solved my issue by copying my self-signed certs to all my worker nodes at:

user@worker01:~$ sudo cp gitlab.hostname.com.crt /usr/local/share/ca-certificates/
user@worker02:~$ sudo cp gitlab.hostname.com.crt /usr/local/share/ca-certificates/
user@worker03:~$ sudo cp gitlab.hostname.com.crt /usr/local/share/ca-certificates/

After this, run the cert update. In my case (Ubuntu), we can run the command below on all worker nodes:

sudo update-ca-certificates --fresh

We may need to restart all worker nodes; a k3s-agent restart would also have done the same.

sudo systemctl status k3s-agent.service

Upvotes: 2
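
Added example, not part of either answer: an offline reproduction of the trust failure behind `x509: certificate signed by unknown authority`, showing that appending the certificate to the trust bundle (what `update-ca-certificates` does on the nodes) is what makes verification pass. The hostnames `gitlab.example.test` and `other.example.test` and all function names are constructed for the demo; it assumes the `openssl` CLI is installed.

```shell
#!/usr/bin/env bash
# Added example. Hostnames and file names are constructed for the demo.

# Create a throwaway self-signed certificate named <host>.crt in directory $1.
make_selfsigned() {
  local dir="$1" host="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
}

# Succeed only if certificate $1 chains to an anchor in PEM bundle $2.
# Matching the "OK" line avoids relying on the exit status alone.
is_trusted() {
  openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# SHA-256 fingerprint, for comparing a copied file with what the server sends.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Walk through the failure and the fix; prints "before=... after=...".
demo() {
  local dir cert bundle before after
  dir=$(mktemp -d) || return 1
  make_selfsigned "$dir" gitlab.example.test   # stands in for the GitLab cert
  make_selfsigned "$dir" other.example.test    # stands in for the existing store
  cert="$dir/gitlab.example.test.crt"
  bundle="$dir/bundle.pem"
  cp "$dir/other.example.test.crt" "$bundle"
  # Before: the bundle has no anchor for the GitLab certificate.
  if is_trusted "$cert" "$bundle"; then before=trusted; else before=unknown-authority; fi
  # After: append the certificate, as the trust-store update does.
  cat "$cert" >> "$bundle"
  if is_trusted "$cert" "$bundle"; then after=trusted; else after=unknown-authority; fi
  rm -rf "$dir"
  echo "before=$before after=$after"
}

demo
```

Running `fingerprint` on the file being distributed and comparing it with the fingerprint of the certificate GitLab actually serves confirms the right certificate is being trusted.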

CodeM7

Reputation: 113

After many tests and failures.

For the runner I am using a Helm chart and creating a secret with the certificate as described in the Helm values.yaml:

kubectl create secret generic gitlab-runner --from-file=10.0.0.2.nip.io.crt -n gitlab-apps

gitlab-ci.yaml

entrypoint: ["dockerd-entrypoint.sh"]
command: ["--insecure-registry", "10.0.0.2.nip.io:5005"]

Self-signed cert:

apt-get install ca-certificates
cp cacert.pem /usr/share/ca-certificates
sudo dpkg-reconfigure ca-certificates

The correct way to get it working was to set up an actual domain name and change GitLab's external_url to that, so that Let's Encrypt can get a renewed certificate. Since then it has been working fine.

Upvotes: 1
