[Question] semantic release GitLab error when self signed certificates are used.

[ievgennaida]

I am not able to use self-signed certificates using this plugin.

Version: "@semantic-release/gitlab": "13.1.0",

Error:
UNABLE_TO_GET_ISSUER_CERT

I have tried to set next variables:

  variables:
    GIT_SSL_NO_VERIFY: 1
    NODE_OPTION: --use-openssl-ca
    NODE_EXTRA_CA_CERTS: /etc/ssl/certs/ca-certificates.crt
    NODE_TLS_REJECT_UNAUTHORIZED: 0
    NO_PROXY: {my.gitlab.com}

Certs are installed in the container

COPY *.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

Error:

[3:45:01 PM] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/gitlab"
[3:45:01 PM] [semantic-release] [@semantic-release/gitlab] › ℹ  Verify GitLab authentication (/api/v4)
[3:45:01 PM] [semantic-release] › ✘  Failed step "verifyConditions" of plugin "@semantic-release/gitlab"
[3:45:01 PM] [semantic-release] › ✘  An error occurred while running semantic-release: RequestError: unable to get issuer certificate
    at ClientRequest.<anonymous> (node_modules/got/dist/source/core/index.js:670:107)
    at Object.onceWrapper (node:events:633:26)
    at ClientRequest.emit (node:events:530:35)
    at TLSSocket.socketErrorListener (node:_http_client:500:9)
    at TLSSocket.emit (node:events:518:28)
    at emitErrorNT (node:internal/streams/destroy:169:8)
    at emitErrorCloseNT (node:internal/streams/destroy:128:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
    ... 2 lines matching cause stack trace ...
    at ssl.onhandshakedone (node:_tls_wrap:871:12) {
  input: undefined,
  code: '**UNABLE_TO_GET_ISSUER_CERT**',

I would appreciate any suggestion how to use self-signed certificates.

[JonasSchubert]

Have a look here #568. Might be the same reason

[ievgennaida]

@JonasSchubert Thanks for the reference.
Related issue is closed I have the up to date version. But what is the current working setup?

[JonasSchubert]

@JonasSchubert Thanks for the reference.
Related issue is closed I have the up to date version. But what is the current working setup?

#489 (comment) this flag might help you

[JonasSchubert]

@JonasSchubert Thanks for the reference.
Related issue is closed I have the up to date version. But what is the current working setup?

#489 (comment) this flag might help you

You might have to change NODE_OPTION to NODE_OPTIONS in your variables

[ievgennaida]

@JonasSchubert Thanks for the reference.
Related issue is closed I have the up to date version. But what is the current working setup?

#489 (comment) this flag might help you

You might have to change NODE_OPTION to NODE_OPTIONS in your variables

@JonasSchubert Thanks for the reference.
Related issue is closed I have the up to date version. But what is the current working setup?

#489 (comment) this flag might help you

You might have to change NODE_OPTION to NODE_OPTIONS in your variables

Thank you for spotting, but just tested only NODE_OPTIONS in 13.0.1 and 10.1.4 and both are giving UNABLE_TO_GET_ISSUER_CERT unless NODE_TLS_REJECT_UNAUTHORIZED: 0 is used for version 10.1.4

[JonasSchubert]

Did you try this approach: #489 (comment)

Another way without completely disabling security.

OS: Debian 11 (node:19 docker image)

If you have own CA and certificates signed with it.

Add CA to system trusted certs inside /usr/local/share/ca-certificates/, for example /usr/local/share/ca-certificates/MyCA.crt

If you have selfsigned certificates.

Add selfsigned cert:

echo | openssl s_client -servername mydomain.local -connect mydomain.local:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/local/share/ca-certificates/mydomain.local.crt

And then

* run `update-ca-certificates`

* This is enough for usual tools like `curl`. Don't know why, but not enough for `got`.

* We can add `NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt` variable to env, and now all is working

This is really strange, why got not use system list of trusted certs. If any body know, please tell me =)

[ievgennaida]

@JonasSchubert

Yes, this is exactly what I am doing:

Docker image:

COPY *.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

Than env is added to the gitlab variables like:
variables:
NODE_EXTRA_CA_CERTS: /etc/ssl/certs/ca-certificates.crt
NO_PROXY: {my.gitlab.com}

Versions checked:

"@semantic-release/gitlab": "13.1.0",
"@semantic-release/gitlab": "10.1.4",

Certs are valid because other tools are ok to use them.

So far only NODE_TLS_REJECT_UNAUTHORIZED: 0 and version 10.1.4 works.

[fgreinacher]

You need to force Node to use the system certificate store, see #489 (comment)

[ievgennaida]

@fgreinacher Node options are set.

[fgreinacher]

@ievgennaida Can you share a minimal project that reproduces this issue? That would help a lot.

[JonasSchubert]

Hi @ievgennaida, I see you reached out to sindresorhus/got. Did you manage to find a solution?

[ievgennaida]

Hello @JonasSchubert, unfortunately no, only old version works and issue was postponed.
But I plan to test additionally direct verbose "http" and "got" module calls in the future to find a problem.

[ievgennaida]

Somehow env variables as NODE_TLS_REJECT_UNAUTHORIZED are definitely not hitting a Got library.

Next workaround can be used to keep rejectUnauthorized and use the latest gitlab lib plugin version:

respect-env.js -> plugin to run before this plugin

const https = require("https");

module.exports = {
  // Called during verifyConditions step
  verifyConditions: async (_, context) => {
    context.logger.log("Ensure env variable is respected");
    https.globalAgent.options.rejectUnauthorized =
      process.env.NODE_TLS_REJECT_UNAUTHORIZED != "0";
  },
};

Semantic Config:

 plugins: [
    "./respect-env.js"
  ],

P.s. please avoid using that, you have to find out why certs are not working fine

[sanmuny]

Somehow env variables as NODE_TLS_REJECT_UNAUTHORIZED definitely not hiting a Got library.

Next workaround can be used to keep rejectUnauthorized and use latest gitlab lib (please avoid using that):

respect-env.js -> plugin to run before this plugin

const https = require("https");

module.exports = {
  // Called during verifyConditions step
  verifyConditions: async (_, context) => {
    context.logger.log("Ensure env variable is respected");
    https.globalAgent.options.rejectUnauthorized =
      process.env.NODE_TLS_REJECT_UNAUTHORIZED != "0";
  },
};

Semantic Config:

 plugins: [
    "./respect-env.js"
  ],

Thanks @ievgennaida , this work around works for me. I tried the "--use-openssl-ca" method but failed. And for people meet the same issue, here are my configurations.

.gitlab-ci.yml

release:
  stage: release
  image: node:lts
  variables:
    NODE_TLS_REJECT_UNAUTHORIZED: 0
  script:
    - yarn add https semantic-release @semantic-release/gitlab @semantic-release/changelog @semantic-release/git
    - git config http.sslVerify false
    - npx semantic-release
  rules:
    - if: $CI_COMMIT_BRANCH == "main" && $CI_PIPELINE_SOURCE == "push"

.releaserc.json

{
  "branches": ["main"],
  "plugins": [
    "@semantic-release/commit-analyzer",
    "@semantic-release/release-notes-generator",
    "./ci-plugin.cjs",
    "@semantic-release/gitlab"
  ]
}

ci-plugin.cjs

const https = require("https");

module.exports = {
  // Called during verifyConditions step
  verifyConditions: async (_, context) => {
    context.logger.log("Ensure env variable is respected");
    https.globalAgent.options.rejectUnauthorized =
      process.env.NODE_TLS_REJECT_UNAUTHORIZED != "0";
  },
};