burki

Reputation: 7025

How to provide self-signed certificates to renovate-runner for Gitlab CI

The renovate-runner for Gitlab seems to be the recommended way to use Renovate on Gitlab repositories.

For self-hosted Gitlab their README says one can remote-include their template file.

include:
    - remote: https://gitlab.com/renovate-bot/renovate-runner/-/raw/v20.1.0/templates/renovate.gitlab-ci.yml

I tried to set up Renovate like this, but when I run the pipeline, it fails with a certificate error (see below) because our Gitlab server uses self-signed certificates.

How can I provide self-signed certificates to the Renovate bot?

DEBUG: GET https://gitlab.xxxxx.xx/api/v4/user = (code=UNABLE_TO_VERIFY_LEAF_SIGNATURE, statusCode=-1 retryCount=0, duration=45)
DEBUG: Gitlab API error
       "err": {
         "name": "RequestError",
         "code": "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
         "timings": {
           "start": 1740671748660,
           "socket": 1740671748661,
           "lookup": 1740671748662,
           "connect": 1740671748690,
           "error": 1740671748705,
           "phases": {"wait": 1, "dns": 1, "tcp": 28, "total": 45}
         },
         "message": "unable to verify the first certificate",
         "stack": "RequestError: unable to verify the first certificate\n    at ClientRequest.<anonymous> (/usr/local/renovate/node_modules/.pnpm/[email protected]/node_modules/got/dist/source/core/index.js:970:111)\n    at Object.onceWrapper (node:events:633:26)\n    at ClientRequest.emit (node:events:530:35)\n    at ClientRequest.emit (node:domain:489:12)\n    at ClientRequest.origin.emit (/usr/local/renovate/node_modules/.pnpm/@[email protected]/node_modules/@szmarczak/http-timer/dist/source/index.js:43:20)\n    at emitErrorEvent (node:_http_client:104:11)\n    at TLSSocket.socketErrorListener (node:_http_client:518:5)\n    at TLSSocket.emit (node:events:518:28)\n    at TLSSocket.emit (node:domain:489:12)\n    at emitErrorNT (node:internal/streams/destroy:170:8)\n    at emitErrorCloseNT (node:internal/streams/destroy:129:3)\n    at processTicksAndRejections (node:internal/process/task_queues:90:21)\n    at TLSSocket.onConnectSecure (node:_tls_wrap:1679:34)\n    at TLSSocket.emit (node:events:518:28)\n    at TLSSocket.emit (node:domain:489:12)\n    at TLSSocket._finishInit (node:_tls_wrap:1078:8)\n    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12)\n    at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17)",
         "options": {
           "headers": {
             "user-agent": "RenovateBot/39.182.3 (https://github.com/renovatebot/renovate)",
             "accept": "application/json",
             "authorization": "***********",
             "accept-encoding": "gzip, deflate, br"
           },
           "url": "https://gitlab.xxxxx.xx/api/v4/user",
           "hostType": "gitlab",
           "username": "",
           "password": "",
           "method": "GET",
           "http2": false
         }
       }

Upvotes: 0

Views: 14

Answers (1)

burki

Reputation: 7025

OK, I found part of the solution in the Renovate docs about self-signed certificates.

First I had to add the environment variable NODE_EXTRA_CA_CERTS and point it to my PEM file with the self-signed certs, as described in the docs.

After that, API calls to our self-hosted Gitlab server worked, but then the Git clones of the repositories failed.

Instead of building my own docker image as suggested, I just added the environment variable GIT_SSL_CAINFO and pointed it to the same PEM file.

Now it seems to work.

Upvotes: 1
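Putting the two environment variables from the answer together with the remote include from the question gives a complete pipeline file. This is an added example, not the asker's own configuration or the renovate-runner project's template; it assumes the CA bundle is committed to the Renovate bot repository at `ca/internal-ca.pem` (a hypothetical path) and that the template version pinned in the question is the one in use.

```yaml
# .gitlab-ci.yml for the Renovate bot repository (constructed example).
# The remote include pulls the renovate-runner template, pinned to a
# fixed tag so a template change upstream cannot silently alter the job.
include:
  - remote: https://gitlab.com/renovate-bot/renovate-runner/-/raw/v20.1.0/templates/renovate.gitlab-ci.yml

# Top-level variables apply to every job the template defines, so the
# Renovate job sees both settings without editing the template itself.
variables:
  # Node.js (Renovate's runtime) trusts the CAs in this PEM bundle in
  # addition to its built-in store; fixes UNABLE_TO_VERIFY_LEAF_SIGNATURE
  # on the GitLab API calls. Path is a hypothetical location in the repo.
  NODE_EXTRA_CA_CERTS: "$CI_PROJECT_DIR/ca/internal-ca.pem"
  # git uses a separate TLS trust setting; without this the API works
  # but the clones of the managed repositories still fail verification.
  GIT_SSL_CAINFO: "$CI_PROJECT_DIR/ca/internal-ca.pem"
```

Both variables should point at the certificate chain (the internal CA, plus any intermediate) rather than at the server's leaf certificate, so the bundle keeps working when the GitLab server certificate is renewed.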
