Drone

Drone Git Clone SSL Error

Hello,

I am trying to use Drone with a self-hosted Git server; in my case I am using Gogs.
I was able to connect Drone with the Gogs server, list all the repositories and activate the repository. However, when I try to start a build, it always fails.

Initialized empty Git repository in /drone/src/.git/
+ git fetch origin +refs/heads/master:
fatal: unable to access 'https://gogs.test.corp/Organization/RepoTest.git/': SSL certificate problem: unable to get local issuer certificate

I am starting the Drone Server with the following env vars

DRONE_TLS_AUTOCERT = false
DRONE_AGENTS_ENABLED = true
DRONE_GOGS_SERVER = "https://gogs.test.corp"
DRONE_GOGS_SKIP_VERIFY = true
DRONE_RPC_SECRET = "SECRETKEY"
DRONE_SERVER_HOST = "drone.test.corp"
DRONE_SERVER_PROTO = "https"
DRONE_GIT_ALWAYS_AUTH = false
DRONE_DATABASE_DRIVER = "postgres"
DRONE_DATABASE_DATASOURCE = "postgres://drone_user:PASSWORD@127.0.0.1:5432/drone_db?sslmode=disable"
GIT_SSL_NO_VERIFY = true

And starting the Drone Agent with the following env vars

DRONE_RPC_SECRET=SECRETKEY
DRONE_RUNNER_CAPACITY=3
DRONE_RUNNER_NAME=${HOSTNAME}
DRONE_TLS_AUTOCERT=false
DRONE_LOGS_DEBUG=true
DRONE_LOGS_TRACE=true
DRONE_LOGS_PRETTY=true
GIT_SSL_NO_VERIFY=true

I am also mounting this volume in both Docker containers (Drone Server and Drone Agent)

"/etc/ssl/certs/ca-certificates.crt:/etc/ssl/cert.pem:ro",
"/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro"

When I enter both containers through the CLI (docker exec -it container sh) and run the command
wget https://gogs.test.corp it works without any SSL error.

I also checked whether the git binary was available in order to do:
git config http.sslVerify false
However, git was not available.

I don’t understand why Drone fails with a git SSL error. Any hints?

Managed to solve this issue by adding the following to the .drone.yml:

clone:
  depth: 50
  tags: true
  skip_verify: true

But why did I have to add skip_verify if I already have the self-signed certificate in the operating system?

You mounted the self-signed certificate into the agent; however, the repository is not cloned inside the agent. A separate container is created to clone the repository. To better understand this, please see How drone clones a repository.

Hi @bradrydzewski, now I understand why this is happening; it makes sense.
But it makes my environment insecure. It would be interesting to be able to specify the PEM-encoded cert in the .drone.yaml in order to establish a secure connection.

You can configure global agent volumes. These are volumes that get mounted into every container created by Drone. You could therefore mount your self-signed certificates into pipeline containers. Search for DRONE_RUNNER_VOLUMES in the documentation or in this forum.
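
An added example, not part of the original thread and not Drone's own code: a small audit that flags the verification bypasses discussed above (`GIT_SSL_NO_VERIFY`, `clone.skip_verify`) and checks whether `DRONE_RUNNER_VOLUMES` mounts a CA bundle for pipeline containers. It assumes the variable holds comma-separated `host:container` pairs and that the clone image reads its trust store from `/etc/ssl/certs/ca-certificates.crt`; the function names and the "fixed" configuration are constructed for illustration.

```python
import re

def parse_env(text):
    """Parse KEY=VALUE and KEY = "VALUE" lines (both styles appear in the thread)."""
    env = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z0-9_]+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            env[m.group(1)] = m.group(2).strip()
    return env

def clone_skip_verify(drone_yml):
    """True if the top-level clone: block of .drone.yml sets skip_verify: true."""
    in_clone = False
    for line in drone_yml.splitlines():
        if re.match(r"\S", line):  # column-0 text starts a new top-level key
            in_clone = line.startswith("clone:")
        elif in_clone and re.match(r"\s+skip_verify:\s*true\s*$", line):
            return True
    return False

def audit(agent_env, drone_yml, ca_path="/etc/ssl/certs/ca-certificates.crt"):
    """Return findings for TLS-verification bypasses and a missing CA mount."""
    env, findings = parse_env(agent_env), []
    if "GIT_SSL_NO_VERIFY" in env:  # git skips verification when this is set at all
        findings.append("GIT_SSL_NO_VERIFY is set")
    if clone_skip_verify(drone_yml):
        findings.append("clone.skip_verify is true")
    # Assumed format: comma-separated host:container pairs.
    pairs = [v.split(":") for v in env.get("DRONE_RUNNER_VOLUMES", "").split(",")]
    if not any(len(p) >= 2 and p[1] == ca_path for p in pairs):
        findings.append("no CA bundle mounted at " + ca_path)
    return findings

# Agent settings (excerpt) and clone block as posted in the thread.
THREAD_AGENT_ENV = "DRONE_RPC_SECRET=SECRETKEY\nDRONE_RUNNER_CAPACITY=3\nGIT_SSL_NO_VERIFY=true\n"
THREAD_YML = "clone:\n  depth: 50\n  tags: true\n  skip_verify: true\n"

# Constructed hardened variant: host CA bundle mounted, verification left on.
FIXED_AGENT_ENV = (
    "DRONE_RPC_SECRET=SECRETKEY\n"
    "DRONE_RUNNER_VOLUMES=/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt\n"
)
FIXED_YML = "clone:\n  depth: 50\n  tags: true\n"

if __name__ == "__main__":
    print(audit(THREAD_AGENT_ENV, THREAD_YML))
    print(audit(FIXED_AGENT_ENV, FIXED_YML))
```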