skip to Main Content

I have this error while cloning on gitlab ci:

unable to access 'https://gitlab-ci-token:[secure]@git.mydomain.com/mydomain/api.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none.

My Root CA has expired today the 30th and thus must have been removed from my keychain.

I have upgraded my certificates (debian) and all seems fines except this error does not go away in my dockerized gitlab-runner.

How can I fix it?

2

Answers


  1. This is a problem on the server side, and it needs to be fixed by replacing the chain of CA certificates.

    Because Sectigo knew that this root certificate would expire soon, several years ago, they created a new root certificate and registered it with all the major browser vendors and OS manufacturers. However, because many older systems don’t upgrade their certificates, this new root CA was signed by an older CA, a process called cross-signing. This allows people to use the new root for issuing certificates yet remain compatible with older systems.

    Any systems on the Internet today can no longer handle the legacy root because it’s now expired, so there’s no benefit to using it anymore.

    Some TLS libraries can figure out that a certificate chains to a trusted root and ignore the extra, expired root certificates, but some cannot. As a result, the fact that you have the old AddTrust External Root CA certificate in your certificate chain can break some of those TLS libraries, which is what’s happening here.

    Sectigo has documentation on this issue. You want to remove the AddTrust CA certificate and make sure that the UserTrust or COMODO root that you’re using is self-signed. If you’re using a Debian or Ubuntu system, you may be able to find the appropriate root certificate in /etc/ssl/certs.

    Even better, you can just remove the root certificate altogether and only include intermediates, since the root certificate isn’t actually needed when creating the TLS connection, since the client must already have it.

    Login or Signup to reply.
  2. In debian 9, I resolved issue by removing below certificate.

    sudo rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
    sudo update-ca-certificates
    
    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search