The TLS certificate provided by Gitlab is valid, but the Docker image used by the pipeline (maven:3.3.9-jdk-8) is outdated and fails to verify the validity of the certificate.
Yes, I checked this point and I noticed that this instance of Gitlab Runner is not up to date, its version is 12.5.0. The current version of Gitlab CE is 14.3.2 and the last version of Gitlab Runner is 14.3.2 too. But it is not an issue, even if we will update this runner when we have some time.
Using a Docker container has the advantage (and sometimes, as in this case, the disadvantage) of isolating the pipeline execution context from the underlying system. Therefore, what is important is the environment provided by the Docker container.
Finally, the Gitlab forge TLS certificate is managed via Let’s Encrypt and automatically regenerated every two months.
I can take care of that, but it’s up to you and the other members of the core team to decide which image you want to use. Do you prefer a CI based on Java 8 or 11? Does this Maven version change have an impact? I can’t answer these questions.
If you prefer to keep the current version of Maven, I can try to regenerate its Docker image with an updated TLS certificate package.
I just tried to build a new image, based on the maven:3.3.9 image, which I updated. This does not solve the problem, because this image is still based on a very old JDK 8 image (5 years old).
I just tried with an intermediate version (maven:3.6.3-openjdk-8-slim). The TLS certificate verification works. So, I generated a new image using this version. Now, you should update the Orekit CI script.
In line #8, replace maven:3.3.9-jdk-8 with maven:3.6.3-openjdk-8-slim
Thanks for the updates! I’ll also point out that maven 3.6.2 is the latest in RedHat 8 and derivative distributions. (https://pkgs.org/search/?q=maven) It would be nice to test with that version or earlier so that users can build Orekit from one of those distributions.
I used maven 3.6.3 in my merge request. According to its release notes, this version just fixes some bugs of version 3.6.2. Do you think it is necessary to adjust the version of Maven, at the risk of facing bugs attributable to this version (and not to the Orekit source code)?