I tried to register a gitlab runner on my gitlab server and got this error: "x509: certificate relies on legacy Common Name field, use SANs instead".
I read a lot of web pages, but I am confused about how to solve my problem.
I read the following pages to find a solution:
I understood that I should generate a new certificate for "the system" or for gitlab. Is that right?
What is the simpler solution: to change the "system certificate" (as explained in the gitlab documentation) or to create a dedicated certificate for gitlab?
But where is the system certificate stored on Ubuntu? Or where do I define a custom certificate for the gitlab server?
And last question: how to generate a good certificate?
There is also this answer: Troubleshooting - Setting up private GitLab server and connecting Gitlab Runners. Did someone test it?
Many thanks for any help.
It took me some time, and the following cook book solved my problem. After all commands, I am able to run the following simple pipeline.
```yaml
stages:
  - build
  - test
  - test2
  - deploy

build-job:
  stage: build
  script:
    - echo "Hello, $GITLAB_USER_LOGIN!"

test-job1:
  stage: test
  script:
    - echo "This job tests something"

test-job2:
  stage: test
  script:
    - echo "This job tests something, but takes more time than test-job1."
    - echo "After the echo commands complete, it runs the sleep command for 20 seconds"
    - echo "which simulates a test that runs 20 seconds longer than test-job1"
    - sleep 20

deploy-prod:
  stage: deploy
  script:
    - echo "This job deploys something from the $CI_COMMIT_BRANCH branch."
```
The registered runner is a shell runner using root as the user to execute commands. See shell runner.
In the following, the Linux user is myUser, the gitlab URL is mygitlab-site.com, the gitlab project is myProject, and the runner token is A_TOKEN (this token is found on page settings-CI/CD-Runners).
The start point of the cook book is:
Goals are:
```bash
# Seed file for openssl's random number generator
cd ~
openssl rand -writerand .rnd
chmod a+rwx ~myUser/.rnd

# Work in a scratch directory so that "cp *" below only copies the new files
cd /tmp
mkdir essai
cd essai

# Private CA: key and self-signed root certificate
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt

# Server key and certificate signing request
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*mygitlab-site.com" -out server.csr

# Sign the request with the CA and add the subjectAltName the runner requires
openssl x509 -req -extfile <(printf "subjectAltName=DNS:mygitlab-site.com") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

# Install the new certificate and key for gitlab, keeping a backup of the old pair
sudo cp * /etc/gitlab/ssl
cd /etc/gitlab/
sudo mkdir bck-ssl
cd ssl
sudo mv mygitlab-site.com.crt mygitlab-site.com.key ../bck-ssl/
sudo mv server.crt mygitlab-site.com.crt
sudo mv server.key mygitlab-site.com.key
sudo rm server.csr
sudo gitlab-ctl restart

# Enable root login over ssh (use https://www.ubuntu18.com/ssh-permitrootlogin/)
sudo passwd root
sudo vi /etc/ssh/sshd_config
sudo systemctl restart sshd.service

# As root: create an ssh key pair and an empty known_hosts file
su - root   # connect as root
cd ~
cd .ssh
ssh-keygen -t rsa
chmod 600 id_rsa
chmod 644 id_rsa.pub
echo > known_hosts
chmod 600 known_hosts
cd ..
chmod 600 .ssh
git clone [email protected]:myUser/myProject.git   # tip to update the known hosts list
exit        # quit root user

# Add the CA certificate to the system trust store
cd /etc/gitlab/ssl
sudo cp ca.crt ca.pem
sudo cp ca.pem /etc/ssl/certs/ca.pem
su - root   # connect as root
cd /etc/ssl/certs/
update-ca-certificates
exit        # quit root user

# Restart gitlab and register the runner against the new CA
sudo gitlab-ctl restart
sudo gitlab-runner register --tls-ca-file=/etc/gitlab/ssl/ca.crt --url https://mygitlab-site.com/ --registration-token A_TOKEN
```