I recently updated from 0.8 to 0.9.0 and now to 1.0.0-rc.1. Since 0.9, cloning Git repositories via HTTPS signed by a private CA fails.
Neither skip_verify nor mounting a custom CA file (preferred solution) works.
.drone.yml (NOT working)
Clone step always fails with:
Initialized empty Git repository in /drone/src/.git/
+ git fetch --depth=10 origin +refs/heads/develop:
fatal: unable to access 'https://git.example.com/org/repo.git/': SSL
certificate problem: unable to get local issuer certificate
Using the legacy syntax works:
However, due to the migration of Matrix builds, it obviously has to be migrated for most projects.
The Git server is running Gitea with
GITEA_SKIP_VERIFY=false which works fine with mounting the CA file mentioned above on the Server node:
Do I need to make anything different when using v1.0 here?
The default clone plugin has changed, as well as the syntax. You need to disable the default clone syntax and then configure your own custom clone step:
- name: custom_clone
For more details see: https://docs.drone.io/config/pipeline/cloning/#custom-logic
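As an added illustration (not from this thread or the Drone docs), the custom clone step from the reply above written out so that the private CA bundle is mounted into plugins/git rather than disabling verification with skip_verify; the volume name, the host path and the CA file location inside the image are assumptions, and host volumes require the repository to be marked trusted in Drone.

```yaml
# Added example: Drone 1.0 pipeline with the default clone disabled and a
# custom clone step that trusts a private CA instead of skipping TLS checks.
kind: pipeline
name: default

clone:
  disable: true                 # turn off the built-in clone step

steps:
- name: custom_clone
  image: plugins/git            # same plugin the legacy clone used
  # Weak alternative mentioned in the thread (not used here):
  #   settings:
  #     skip_verify: true       # disables certificate verification entirely
  volumes:
  - name: ca-certs
    # assumed: where git in the (Alpine-based) image reads its trust store
    path: /etc/ssl/certs/ca-certificates.crt

- name: build
  image: alpine
  commands:
  - ls -la .git                 # later steps see the verified checkout

volumes:
- name: ca-certs
  host:
    # assumed path of the bundle on the agent host; mark the repo as trusted
    path: /my/custom/ca-certificates.crt
```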
Thanks very much for the quick reply. Custom clone step works for me.
However I wonder if there is still a way to provide a custom CA certificate for the new clone plugin?
Something like passing the server's/agent's CA bundle to the clone plugin or applying DOCKER_RUNNER_VOLUMES would be sufficient here.
skip_verify surely does the job, but with a private CA I’d appreciate the certificate to be verified.
PS: Just noticed that the DRONE_RUNNER_VOLUMES line (as mentioned in the first post) does not seem to have the desired effect, at least not for the custom_clone stage… Manually running the plugins/git with the mounted CA file works; in Drone it doesn’t (without
I am not able to reproduce any issues with
I added this to my agent config:
I ran these commands on the agent host machine:
mkdir -p /tmp/drone
I am using this yaml:
- name: test
- ls -la /tmp/drone
And it printed the results as expected:
+ ls -la /tmp/drone
drwxr-xr-x 3 root root 102 Nov 11 20:35 .
drwxrwxrwt 3 root root 4096 Nov 11 20:36 ..
-rw-r--r-- 1 root root 0 Nov 11 20:35 foo.txt
I therefore cannot confirm any issues with mounted volumes at this time. In my testing they seem to be working as expected, when properly configured.
Interesting… I tried again.
This direct call does work:
# docker run --rm \
-v /my/custom/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt \
-e DRONE_REMOTE_URL=https://git.example.com/org/repo.git \
-e DRONE_COMMIT_SHA=0123456789abcdef01234567896abcdef0123456 \
+ git init
Initialized empty Git repository in /.git/
+ git remote add origin https://git.example.com/org/repo.git
+ git fetch --no-tags origin +refs/heads/master:
* branch master -> FETCH_HEAD
* [new branch] master -> origin/master
+ git reset --hard -q 0123456789abcdef01234567896abcdef0123456
+ git submodule update --init --recursive
Drone with this agent variable (double checked the config is really active - raises exceptions on the agent when invalid paths are given)
and this .drone.yml
- name: clone
fails with SSL exception.
Pulled the latest 1.0.0-rc.1 images for Drone server/agent about 10 minutes ago. Platform is Debian Linux, Kernel 4.9, amd64, Docker CE 18.09.0~3.