diff --git a/README.md b/README.md index dd4e4bb8bbb339456306cfaaa975453eeba6dfa0..880d6196494684c991cfbfd978bf4ba148d66723 100644 --- a/README.md +++ b/README.md @@ -72,6 +72,7 @@ The config file is automatically migrated when GitLab Runner was installed from ### Advanced Configuration +* [See the self-signed certificates](docs/configuration/tls-self-signed.md) * [See advanced configuration options](docs/configuration/advanced-configuration.md) * [See example configuration file](config.toml.example) * [See security considerations](docs/security/index.md) diff --git a/docs/configuration/advanced-configuration.md b/docs/configuration/advanced-configuration.md index 80a0d726497260ade51721f99817be273b02def0..b55d12da655986d03a672d9abfc5f9cefc2f5e47 100644 --- a/docs/configuration/advanced-configuration.md +++ b/docs/configuration/advanced-configuration.md @@ -28,6 +28,8 @@ This defines one runner entry. | `name` | not used, just informatory | | `url` | CI URL | | `token` | runner token | +| `tls-ca-file` | file containing the certificates to verify the peer when using HTTPS | +| `tls-skip-verify` | whether to verify the TLS certificate when using HTTPS, default: false | | `limit` | limit how many jobs can be handled concurrently by this token. 0 simply means don't limit | | `executor` | select how a project should be built, see next section | | `shell` | the name of shell to generate the script (default value is platform dependent) | diff --git a/docs/configuration/tls-self-signed.md b/docs/configuration/tls-self-signed.md new file mode 100644 index 0000000000000000000000000000000000000000..8a3559743400f1a93333e6656a3ce1b5b5f9c77a --- /dev/null +++ b/docs/configuration/tls-self-signed.md @@ -0,0 +1,46 @@ +## The self-signed certificates or custom Certification Authorities + +Since version 0.7.0 the GitLab Runner have allows to configure certificates that are used to verify TLS peer when connecting GitLab server. + +**This allows to solve the `x509: certificate signed by unknown authority` problem when registering runner.** + +The GitLab Runner provides these options: + +1. **Default**: GitLab Runner reads system certificate store and verifies the GitLab server against the CA's stored in system. + +2. GitLab Runner reads the PEM (**DER format is not supported**) certificate from predefined file: + + - `/etc/gitlab-runner/certs/hostname.crt` on *nix systems when gitlab-runner is executed as root. + - `~/.gitlab-runner/certs/hostname.crt` on *nix systems when gitlab-runner is executed as non-root, + - `./certs/hostname.crt` on other systems. + + If address of your server is: `https://my.gitlab.server.com:8443/`. + Create the certificate file at: `/etc/gitlab-runner/certs/my.gitlab.server.com`. + +3. GitLab Runner exposes `tls-ca-file` option during registration and in [`config.toml`](advanced-configuration.md) +which allows you to specify custom file with certificates. This file will be read everytime when runner tries to +access the GitLab server. + +4. GitLab Runner exposes `tls-skip-verify` option during registration and [`config.toml`](advanced-configuration.md) +which allows you to skip TLS verification when connecting to server. +**This approach is INSECURE! Use at your own risk!** +Anyone can eavesdrop your connection: +- see the runner token which is used to authenticate against GitLab, +- see tokens which are used to clone GitLab projects, +- see the secure variables that are passed to runner. + +### Git cloning + +Currently the certificates are only used to verify connections between GitLab Runner and GitLab server. +This doesn't affect git commands (ie. `git clone`). +You still will see build errors due to TLS validation failure. + +To have maximum security for your builds you should configure `GIT_SSL_CAINFO` variable. +It allows you to define the file containing the certificates to verify the peer with when fetching or pushing over HTTPS + +The other options is to disable TLS verification, but as said before this approach is insecure. +Add to your `.gitlab-ci.yml` this lines: +``` +variables: + GIT_SSL_NO_VERIFY: "1" +``` diff --git a/docs/faq/README.md b/docs/faq/README.md index ee8d6a963ec29c5ff9d1bb5b7384f31657cf50fe..56ceb69631c76f18c78197fae489350d0cda62a0 100644 --- a/docs/faq/README.md +++ b/docs/faq/README.md @@ -29,4 +29,8 @@ project to use *git fetch* from the GitLab CI project settings page. The [NTFSSecurity](https://ntfssecurity.codeplex.com/) PowerShell module provides a *Remove-Item2* method which supports long paths. The Gitlab CI Multi Runner will -detect it if it is available and automatically make use of it. \ No newline at end of file +detect it if it is available and automatically make use of it. + +## 4. I'm seeing `x509: certificate signed by unknown authority` + +Please [See the self-signed certificates](../configuration/tls-self-signed.md)