Drone Git Clone SSL Error

marcotuna · July 4, 2019, 8:02am

Hello,

I am trying to use Drone with a self-hosted Git server, in my case I am using Gogs.
I was able to connect the Drone with the Gogs Server, list all the repositories and activate the repository however when I am trying to start a build it always fails.

Initialized empty Git repository in /drone/src/.git/
2 + git fetch origin +refs/heads/master:
3 fatal: unable to access 'https://gogs.test.corp/Organization/RepoTest.git/': SSL certificate problem: unable to get local issuer certificate

I am starting the Drone Server with the following env vars

DRONE_TLS_AUTOCERT = false
DRONE_AGENTS_ENABLED = true
DRONE_GOGS_SERVER = "https://gogs.test.corp"
DRONE_GOGS_SKIP_VERIFY = true
DRONE_RPC_SECRET = "SECRETKEY"
DRONE_SERVER_HOST = "drone.test.corp"
DRONE_SERVER_PROTO = "https"
DRONE_GIT_ALWAYS_AUTH = false
DRONE_DATABASE_DRIVER = "postgres"
DRONE_DATABASE_DATASOURCE = "postgres://drone_user:PASSWORD@127.0.0.1:5432/drone_db?sslmode=disable"
GIT_SSL_NO_VERIFY = true

And starting the Drone Agent with the following env vars

DRONE_RPC_SECRET=SECRETKEY
DRONE_RUNNER_CAPACITY=3
DRONE_RUNNER_NAME=${HOSTNAME}
DRONE_TLS_AUTOCERT=false
DRONE_LOGS_DEBUG=true
DRONE_LOGS_TRACE=true
DRONE_LOGS_PRETTY=true
GIT_SSL_NO_VERIFY=true

I am also mouting this volume in both docker containers (Drone Server, and Drone Agent)

"/etc/ssl/certs/ca-certificates.crt:/etc/ssl/cert.pem:ro",
"/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro"

When I enter both containers through the cli (docker exec -it container sh) and perform the command
wget https://gogs.test.corp it works without any ssl error

I also checked if git binary was available in order to do:
git config http.sslVerify false
However git was not available

I don’t understand why drone fails with git ssl error. Any hints?

marcotuna · July 4, 2019, 8:24am

Managed to solve this issue by adding the following to the .drone.yml

clone:
  depth: 50
  tags: true
  skip_verify: true

But why did I have to add skip_verify if I already have the self signed certificate in the operating system?

bradrydzewski · July 4, 2019, 4:34pm

You mounted the self-signed certificate into the agent, however, the repository is not cloned inside the agent. A separate container is created to clone the repository. To better understand this please see http://discuss.harness.io/t/how-drone-clones-a-repository/3135.

marcotuna · July 4, 2019, 6:09pm

Hi @bradrydzewski, now I understand why this is happening, it makes sense.
But it makes my environment insecure, it would be interesting to be able to specify the PEM encoded cert in the .drone.yaml in order to establish a secure connection.

bradrydzewski · July 4, 2019, 6:56pm

you can configure global agent volumes. these are volumes that get mounted into every container created by Drone. You could therefore mount your self-signed certificates into pipeline containers. Search for DRONE_RUNNER_VOLUMES in the documentation or in this forum.

Topic		Replies	Views
Git SSL certificate problem: unable to get local issuer certificate Drone Support	2	2381	October 11, 2020
SSL with self signed certificate Drone Support	8	3112	May 16, 2023
SSL certificate problem: unable to get local issuer certificate Drone Support	0	2349	February 25, 2020
Clone fails with SSL verification fails after 0.9+ upgrade Drone Support	4	1864	November 12, 2018
[0.8] git self-signed problem Drone Support	4	2213	November 1, 2017

Drone Git Clone SSL Error

Related topics