Gitlab renovate-runner project fails with UNABLE_TO_GET_ISSUER_CERT on self hosted gitlab instance #27562
How are you running Renovate? Self-hosted

If you're self-hosting Renovate, tell us what version of Renovate you run. renovate/renovate:37.203.2-full

If you're self-hosting Renovate, select which platform you are using. GitLab self-hosted

What is your question?

Hello, on my self hosted gitlab instance I have set up renovate-runner project. Because the self hosted instance uses self signed certificates, I have created my own renovate image following steps in the docs. The Dockerfile looks like this:

```dockerfile
FROM renovate/renovate:37.203.2-full
# Changes to the certificate authority require root permissions
USER root
# Copy and install the self signed certificate
COPY src-sub.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
# Change back to the Ubuntu user
USER 1000
# Some tools come with their own certificate authority stores and thus need to trust the self-signed certificate or the entire OS store explicitly.
# This list is _not_ comprehensive and other tools may require further configuration.
#
# Node
ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/src-sub.crt
ENV NODE_OPTIONS=--use-openssl-ca
# Python
RUN pip config set global.cert /etc/ssl/certs/ca-certificates.crt
ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
# OpenSSL
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
```

This error won't go away even though the self signed certificate is added into the custom renovate image (shell commands inside image work like curl and git), and env variables are set:
The only solution, I have found so far and I'm not happy with, was to set env variable

I am wondering what else could be wrong?
Replies: 1 comment 11 replies
You shouldn't need all those extra env vars. We already test that custom root ca's work. Please verify that your
Fixed by including full certificate chain instead of only root.crt or sub.crt (this is because renovate is based on node, and node wants full chain to verify self signed certificates).
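
A reproduction of the fix described above, as an added example that is not part of the original discussion: it uses the `openssl` CLI (assumed to be installed) in place of Node, builds a throwaway root, intermediate and server certificate, and verifies the server certificate against a bundle holding only the intermediate and against the full chain. All file names and subjects are constructed for the example. OpenSSL's error 2, `unable to get issuer certificate`, is the condition Node surfaces as `UNABLE_TO_GET_ISSUER_CERT`.

```shell
#!/bin/sh
# Added example: why a CA bundle with only the intermediate fails verification.
# Certificates are throwaway and generated locally; names are constructed.
set -eu

# Build root -> sub (intermediate) -> leaf in directory $1 (runs in a subshell).
make_chain() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root sub leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
      -subj "/CN=Example $n" -out "$n.csr" 2>/dev/null
  done
  # Self-signed root CA
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 1 -out root.crt 2>/dev/null
  # Intermediate CA signed by the root
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 1 -out sub.crt 2>/dev/null
  # Server certificate signed by the intermediate
  openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -days 1 -out leaf.crt 2>/dev/null
  # The bundle that should be trusted: intermediate plus root
  cat sub.crt root.crt > full-chain.crt
)

# Print the first verdict line: "<file>: OK" or "error N at D depth lookup: ..."
verify_leaf() {  # $1 = CA bundle, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -E 'error [0-9]+ at|: OK$' | head -n 1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"

# Intermediate only: the chain stops at sub.crt and never reaches a self-signed root.
echo "sub.crt only: $(verify_leaf "$work/sub.crt" "$work/leaf.crt")"
# Intermediate plus root: the chain ends at a trusted self-signed certificate.
echo "full chain:   $(verify_leaf "$work/full-chain.crt" "$work/leaf.crt")"
```

Running `openssl verify -CAfile <bundle> <certificate>` with the bundle that goes into the image shows whether the chain is complete before the image is rebuilt.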