Issue with Let'sEncrypt and SSL certificates in old drone-git

Hello. We today had issue this morning. We resolved it, but I think it should also be somehow resolved on drone side.

We use drone in our CI. We have a custom github repo, protected by Let’s Encrypt certificate.

This morning, Let’sEncrypt original root certificate expired. This caused some old and misconfigured SSL clients to fail. For example, old Ubuntu 14 (Trusty) cannot connect to LE websites. As cannot any Electron app, including VSCode or postman, that cannot now (until update) connect to LE websites.

github dot com/microsoft/vscode/issues/134244
github dot com/electron/electron/pull/31213
github dot com/postmanlabs/postman-app-support/issues/10338

(I cannot paste links for some reason as a new user)

We hit an issue that suddenly, we were not able to clone from our git repository, because we saw

fatal: unable to access '<URL>': SSL certificate problem: certificate has expired

After long look inside of drone source code, we figured out that drone uses an image drone/git - from here - Docker Hub and it used cached version from 2 years ago, when we first installed drone, which used some ancient base image that was cached in docker cache. That old image could not connect to pages with LE certificates. (Same issue with old Ubuntu, etc.)

docker pull drone/git:latest in the outside machine fixed that.

So, for anyone having this issue, do that (update drone/git in docker in the outer machine).

I think this can be fixed in drone itself, that drone will itself make sure, that drone/git is always up to date. We were using ancient cached drone/git, which we did not even know exists at all; it was never updated with any drone update.

I am not sure if this should be ensured on drone update, or just on every time cloning happens, or periodically. But it became an issue now, because we were unable to use drone for a day because of docker image we had no idea existed, and that it needs to be updated.

6 Likes

I had the same issue, with the same fix.

Thank you so much! I was thinking that the root cert expiration somehow related but was unable to figure out the solution by myself.

This is super helpful! Thanks very much!

Thank you so much, I thought it would be the container Root CA, updated the drone and the drone runners to the latest, removed the old letsencrypt intermediate CA from the containers … etc and the error was still there.

This post has saved me a lot of time. Thanks

You Sir saved me here, many thanks for having shared this solution!

Happy to be of help to anyone :smiley: