I have a Linux GitLab and runner instance running on the same machine. The machine is accessible from the web via HTTPS, which is protected by Cloudflare. A ufw and switch-level firewall protect the machine from the web and only accept Cloudflare IP ranges.
I configured GitLab to run with the origin CA certificate provided by Cloudflare and can use GitLab just fine. Now when I added the runner and tried a test pipeline, it cannot check out the repo I'm running on:
Here's the log from the pipeline:
Running with gitlab-runner 17.4.0 (b92ee590)
  on offsite iKYgymMmt, system ID: s_e94e403982b5
Resolving secrets
Preparing the "docker" executor 00:04
Using Docker executor with image alpine:latest ...
Pulling docker image alpine:latest ...
Using docker image sha256:91ef0af61f39ece4d6710e465df5ed6ca12112358344fd51ae6a3b886634148b for alpine:latest with digest alpine@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d ...
Preparing environment 00:00
Running on runner-ikygymmmt-project-2-concurrent-0 via offsite...
Getting source from Git repository 00:01
Fetching changes with git depth set to 20...
Reinitialized existing Git repository in /builds/group/project/.git/
fatal: unable to access 'https://gitlab.example.com/group/project.git/': The requested URL returned error: 403
Cleaning up project directory and file based variables 00:00
ERROR: Job failed: exit code 1
The runner is configured as follows:
concurrent = 1
check_interval = 0
log_level = "debug"
connection_max_age = "15m0s"
shutdown_timeout = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "offsite"
  url = "https://gitlab.example.com"
  id = 2
  token = "glrt-token"
  token_obtained_at = 2024-09-30T10:53:10Z
  token_expires_at = 0001-01-01T00:00:00Z
  executor = "docker"
  [runners.custom_build_dir]
  [runners.cache]
    MaxUploadedArchiveSize = 0
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]
  [runners.docker]
    tls_verify = false
    image = "alpine:latest"
    privileged = false
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
    network_mtu = 0

Any hint where to look for a fix?
I tried using clone_url with the IP of the server, but with HTTPS this obviously fails:
SSL certificate problem: unable to get local issuer certificate