
I am trying to set up CI on GitLab. It's only meant to verify the project can build, run and tests are passing. No artifacts are saved and the runner has a timeout of 1h, so I don't care about the security of that runner at all.

```
2022-01-03 15:05:13.729850: [info] Cabal file info not found for regex-posix-0.96.0.0@sha256:bd870f983a21bb474bd96449736f011c599981ce70da808a21ec1a28292e5481,2861, updating
2022-01-03 15:05:13.729850: [info] Selected mirror https://hackage.haskell.org/
2022-01-03 15:05:13.729850: [info] Downloading root
2022-01-03 15:05:13.841192: [error] HttpExceptionRequest Request {
  host                 = "hackage.haskell.org"
  port                 = 443
  secure               = True
  requestHeaders       = [("Accept-Encoding",""),("User-Agent","Haskell pantry package")]
  path                 = "/root.json"
  queryString          = ""
  method               = "GET"
  proxy                = Nothing
  rawBody              = False
  redirectCount        = 10
  responseTimeout      = ResponseTimeoutDefault
  requestVersion       = HTTP/1.1
}
 (InternalException (HandshakeFailed (Error_Protocol ("certificate has unknown CA",True,UnknownCa))))
```

I tried this workaround https://stackoverflow.com/a/69611484/9160022, but that doesn't seem to help. The other answer is to run IE or update Windows, which I have no clue how to do, or if I even can, on GitLab (I am using the tag windows-1809; I wasn't able to find any list of supported versions/tags).

I was looking at `stack build --help` and the docs, but found nothing. So, my question is: How to disable certificate validation in stack?

duplode
menfon
  • I am missing some context, but I don't think you can disable this. The problem is not that stack tries to validate something, but the system is doing so. Hence, this is not something that can be disabled from stack. Can't you run the CI in a Linux runner? If you are forced to use Windows, you can configure the runner with [self-signed certificates](https://docs.gitlab.com/runner/configuration/tls-self-signed.html). – lsmor Jan 04 '22 at 11:01
  • Also you can follow [this](https://stackoverflow.com/questions/44458410/gitlab-ci-runner-ignore-self-signed-certificate) other SO thread – lsmor Jan 04 '22 at 11:02
  • @Ismor No, looking at it, I had no idea it's related. But it looks like that thread is about self-hosted GitLab; I would like to make it work on gitlab.com (that public instance of GitLab). – menfon Jan 05 '22 at 19:26
  • I am losing the context here. I think the problem is that the machine hosting the GitLab runner can't access the TLS certificate. I am quite sure you can't disable that from stack. You should configure the TLS in the CI/CD pipeline somehow and allow for the "hackage.haskell.org" certificate. I have no idea how to do that, I am just pointing out that the problem is likely to be on the CI/CD side of things, not in stack. – lsmor Jan 06 '22 at 00:54
  • @Ismor I tried the linked script (Windows/Explorer "visiting" the page so it gets the certificates), but that fails to run. I don't understand why there can't be a flag in Stack, something similar to what wget and yt-dlp have: `--no-check-certificate`. It could be that simple (by default it of course should still validate certificates). Like I wrote, I don't care about security, so why is Stack forcing me to configure certificates (which may not even be possible) = waste time? – menfon Jan 07 '22 at 15:09
  • Btw, does the software build on your machine? Or does the error happen in the GitLab runner and on your local machine? Also, I see many of the errors related to certificates are due to Windows/old stack versions. Which OS is your GitLab runner on? And which stack version are you using? – lsmor Jan 08 '22 at 11:23
  • @Ismor On my PC (with Linux) it runs fine. It happens on the GitLab.com runner. The stack version is most recent one (fresh from chocolatey, 2.7.3). Windows version according to the tag is 1809 (so probably Windows 10 Stable 1809, same as VM images MS is providing on [their page](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/)). – menfon Jan 11 '22 at 09:48
  • Are you forced to use Windows in the GitLab runner? I'd suggest trying a Unix runner to see if it solves the problem. Otherwise, you need to configure the GitLab runner with the certificates. I don't think there is another solution... By the way, I think this happens with other build tools and languages (from what I searched on Google) so you may find information using other tags as well – lsmor Jan 12 '22 at 12:22
  • @Ismor I am not forced to use it (it's virtually my project, I can go without having any CI), but I would like to set it up, because some coworkers use Windows (I don't) and I would like to see immediately when I break something on Windows only (not like now, after a few months, because nobody with Windows was using the current version of the tool). I already have a Linux runner which works fine. I have created a feature request on Stack's GitHub, but seeing they don't react much even when it comes to bug "issues", I don't expect much from it. – menfon Jan 12 '22 at 14:21
  • um... yes this is unfortunate. In this [thread](https://github.com/commercialhaskell/stack/issues/907) they talk about setting the env variable `SYSTEM_CERTIFICATE_PATH` to a different value. Maybe, instead of configuring the runner, a simple environment variable may solve the problem... I don't know. Good luck with it! ;) – lsmor Jan 12 '22 at 15:35
