1
votes

There are tons of posts and articles on how to successfully link Jenkins and GitLab to get a good CI between them. None of those work for me, especially because whatever I try, I always get certificate errors on the Jenkins side. Here are 2 examples:

Failed to connect to repository... stderr: fatal: unable to access 'https://**.git/': SSL certificate problem: certificate has expired

Client error: Certificate for doesn't match common name of the certificate subject: MyCompany

Which brings me to this question. I am not sure if my case is an example of the term "Self Signed Certificate", but I know that whenever I open my company's GitLab page, I see a certificate error on that page. When I open the Cert. Information, it shows that the cert is: Valid to: April, 2017. So obviously expired. Not sure why we're not updating that, but I wanted to know if the fact that we're using GitLab with an expired cert. flat out zeroes out my chances of getting Jenkins to talk to GitLab.

I am trying very hard to get Jenkins to work here -- But am I wasting time trying, if the cert. is expired? Do I have more options to make this work?

Thank you.

1
Any good (normal) TLS client will refuse to connect if the remote endpoint's certificate has expired. You should really change the certificate first. – Patrick Mevzek
I understand, but since it is not up to me, I wanted to know if there is a way around it. – user350213
No way around it, again if using a normal TLS client. This is a basic protection put in place for various technical and business reasons so being able "easily" to remove it would be a nonsense. Your certificate seems not correct for its name either, so for both reasons you just need to install (make someone install) a proper certificate. You will lose far less time than trying to go around that. You should as well use HTTP instead of HTTPS if you do not care at all about identifying properly the remote host. – Patrick Mevzek
Got it. Thanks for your input. – user350213

1 Answer

0
votes

I ran into the same issue this evening and it broke my builds in Jenkins because of an expired SSL certificate on my GitLab server. Listed below are the steps you need to take in order to remedy the Jenkins build error when Jenkins tries to pull from your GitLab repository when GitLab's SSL certificate has expired.

**All commands below are run on Ubuntu 16.04

1) Generate a CSR or SAN CSR for your Gitlab server

  • This will yield .csr and .key files

  • Don't share or publish the ".key" file (IT'S YOUR PRIVATE KEY)

  • Use these files for step 2

2) Generate an SSL certificate for the GitLab server (this will yield a .crt file)

3) Put the .crt and .key file in /etc/gitlab/ssl/ (Ubuntu 16.04)

  • I used my server directory but yours may differ depending on platform

sudo openssl x509 -req -days 365 -in "/etc/gitlab/ssl/gitlab.csr" -signkey "/etc/gitlab/ssl/gitlab.key" -out "/etc/gitlab/ssl/gitlab.crt"

4) Edit /etc/gitlab/gitlab.rb file to reflect your new common name

  • That is if you changed it

external_url 'https://' #ip address or dns name

5) Reconfigure GitLab (skip this step if you didn't change your common name)

sudo gitlab-ctl reconfigure

6) Restart your gitlab server for changes to take effect

  • This will cause an outage, so if in production make sure you have a maintenance window

sudo systemctl restart gitlab-runsvdir.service

7) Verify server is back online

sudo systemctl status gitlab-runsvdir.service

8) Now on your Jenkins server, you need to update your /etc/ssl/certs/ca-certificates.crt with the new Gitlab server certificate

**Again, I am running this in Ubuntu 16.04 (this may differ by platform)

**Change the <common_name_goes_here> in the command below to your GitLab server's common name

sudo su - 
echo -n | openssl s_client -showcerts -connect <common_name_goes_here>:443   2>/dev/null  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> /etc/ssl/certs/ca-certificates.crt

9) Try to run a build in Jenkins

  • Hopefully this works.
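
A pre-flight check for step 8, as an added example that is not part of the original answer: it confirms that a certificate is unexpired, covers the host name (the two errors quoted in the question) and matches a fingerprint obtained out of band, before the certificate goes into the Jenkins trust store. The host name gitlab.example.test, the file names and the function names are assumptions, and `-addext` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: vet a GitLab certificate before Jenkins is told to trust it.
# Host names and file names are constructed; -addext needs OpenSSL 1.1.1+.

# Steps 1-2 of the answer in one call: new key plus self-signed cert with a SAN.
make_selfsigned() {   # usage: make_selfsigned HOST DAYS OUTDIR
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$3/gitlab.key" -out "$3/gitlab.crt" 2>/dev/null
}

# SHA-256 fingerprint, to compare with the value the GitLab admin reads off
# the server and passes on over a separate channel.
cert_fingerprint() {  # usage: cert_fingerprint CERT
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 = OK, 1 = expired or expiring within MIN_SECONDS,
#         2 = host name not covered, 3 = fingerprint differs from the pin.
check_cert() {        # usage: check_cert CERT HOST MIN_SECONDS [PINNED_FP]
  openssl x509 -in "$1" -noout -checkend "$3" >/dev/null || return 1
  openssl x509 -in "$1" -noout -checkhost "$2" \
    | grep -q "does match certificate" || return 2
  if [ -n "${4:-}" ] && [ "$(cert_fingerprint "$1")" != "$4" ]; then
    return 3
  fi
  return 0
}

# Demo on a constructed certificate in a temp directory (no network, no root).
demo() {
  demo_dir=$(mktemp -d)
  make_selfsigned gitlab.example.test 365 "$demo_dir" || return 1
  demo_fp=$(cert_fingerprint "$demo_dir/gitlab.crt")
  demo_rc=0
  check_cert "$demo_dir/gitlab.crt" gitlab.example.test 86400 "$demo_fp" || demo_rc=$?
  echo "matching host, pinned fingerprint: $demo_rc"
  demo_rc=0
  check_cert "$demo_dir/gitlab.crt" jenkins.example.test 86400 || demo_rc=$?
  echo "host name not in certificate:      $demo_rc"
  rm -rf "$demo_dir"
}
demo
```

On Ubuntu, a certificate that passes can be copied to /usr/local/share/ca-certificates/ with a .crt extension and installed with update-ca-certificates; that command regenerates /etc/ssl/certs/ca-certificates.crt, so entries appended to that file by hand are lost the next time it runs.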