GitLab serves certificate list of 1 certificates

I'm trying to run GitLab's omnibus installer and use my organization's SSL certificate, but SSL clients complain that the certificate issuer is unknown. How am I supposed to configure intermediate certificates in the trust chain?

My setup starts with running the latest version of GitLab, exposing ports for HTTPS and HTTP, among others:

sudo docker run --detach --hostname myserver.myorg.org --publish 1443:443 --publish 1080:80 \
--publish 2222:22 --publish 5005:5005 --name gitlab1 \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab gitlab/gitlab-ce:14.2.3-ce.0

That creates a bunch of default configuration in /srv/gitlab/config, so I go and set the server's URL in gitlab.rb:

external_url 'https://myserver.myorg.org'

I received a certificate file and key file from my organization, so I copy them to the /srv/gitlab/config/ssl directory as myserver.myorg.org.crt and myserver.myorg.org.key. Then I reconfigure the GitLab server:

sudo docker exec -it gitlab1 bash -c "gitlab-ctl reconfigure"

Now I try to validate the SSL configuration:

echo | gnutls-cli -p1443 myserver.myorg.org

I get a bunch of errors in the output, including these:

...
Processed 129 CA certificate(s).
Resolving 'myserver.myorg.org:1443'...
Connecting to '127.0.0.1:1443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
...
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

That looks like I don't have the complete trust chain. The issuer for our organization's certificate is "CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US". I found their certificates on their website, and downloaded that specific one:

wget https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt.pem

I extracted the text version of the certificate:

openssl x509 -in DigiCertTLSRSASHA2562020CA1-1.crt.pem -text
...
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBh
...
A7sKPPcw7+uvTPyLNhBzPvOk
-----END CERTIFICATE-----

I appended that to my organization's certificate in /srv/gitlab/config/ssl/myserver.myorg.org.crt so now it has the organization's certificate first, then the DigiCert certificate.

-----BEGIN CERTIFICATE-----
... our organization's certificate ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... DigiCert certificate I just downloaded ...
-----END CERTIFICATE-----

This is the step I'm least confident about. I'm basing it on the GitLab instructions:

Make sure you use the full certificate chain in order to prevent SSL errors when clients connect. The full certificate chain order should consist of the server certificate first, followed by all intermediate certificates, with the root CA last.

Does that just mean stick the two certificates together in the same file?

Anyway, I ran the reconfigure command and tested again:

sudo docker exec -it gitlab1 bash -c "gitlab-ctl reconfigure"
...
echo | gnutls-cli -p1443 myserver.myorg.org

I still get the same errors, including "Got a certificate list of 1 certificates." That makes me think that I didn't add the DigiCert certificate to the chain properly. I also tried putting the DigiCert certificate before our organization's certificate.

Just to make sure that the certificates are valid, I followed this post. The openssl s_server and openssl s_client worked fine together, so I think the problem is my GitLab configuration.

When I read the GitLab documentation more closely, I realised that I had misunderstood the difference between reconfigure and hup nginx.

If the content of your SSL certificates has been updated, but no configuration changes have been made to gitlab.rb, then gitlab-ctl reconfigure will not affect NGINX. Instead, run sudo gitlab-ctl hup nginx to cause NGINX to reload the existing configuration and new certificates gracefully.

I thought reconfigure would do everything in hup nginx plus a lot more. It turns out that reconfigure won't notice a change in the certificate files if you haven't changed anything in the /srv/gitlab/config/gitlab.rb file.

I fixed my problem by running this command after appending the intermediate certificate onto /srv/gitlab/config/ssl/myserver.myorg.org.crt:

sudo docker exec -it gitlab1 bash -c "gitlab-ctl hup nginx"
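An added check that is not part of the question, the answer or GitLab's own tooling: it verifies that a PEM bundle is ordered the way GitLab requires (server certificate first, each certificate issued by the next one) and counts the certificates a live server actually presents, so a bundle with 2 certificates but a server still serving 1 points straight at the missing hup nginx. The demo root/intermediate/leaf chain it builds is constructed throwaway material, not DigiCert's; it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Example code added to this page; not from the question, the answer or GitLab.
set -eu

# Number of certificates in a PEM bundle.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Print the Nth (1-based) certificate of a PEM bundle.
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ {i++}
                 i == n {print}
                 /-----END CERTIFICATE-----/ {if (i == n) exit}' "$1"
}

# Succeed only if the bundle is leaf first and each certificate's issuer is the
# subject of the certificate that follows it (the order GitLab's docs require).
check_chain_order() {
  f=$1; n=$(count_certs "$f"); i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(nth_cert "$f" "$i" | openssl x509 -noout -issuer)
    sub=$(nth_cert "$f" $((i + 1)) | openssl x509 -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ] || {
      echo "certificate $i is not issued by certificate $((i + 1))" >&2; return 1; }
    i=$((i + 1))
  done
}

# Count certificates a live server presents, e.g. served_cert_count myserver.myorg.org 1443.
# If this stays at 1 after the bundle was extended, NGINX has not reloaded the file.
served_cert_count() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Build a constructed demo chain (root -> intermediate -> leaf) in directory $1 so the
# checks above can be exercised offline; these are not real DigiCert certificates.
make_demo_chain() {
  d=$1; k="-nodes -newkey rsa:2048"
  openssl req -x509 $k -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Demo Root" -days 1 2>/dev/null
  openssl req $k -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Demo Intermediate" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -out "$d/int.pem" -days 1 2>/dev/null
  openssl req $k -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=myserver.myorg.org" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -out "$d/leaf.pem" -days 1 2>/dev/null
  cat "$d/leaf.pem" "$d/int.pem" > "$d/good.pem"   # leaf first: the order GitLab wants
  cat "$d/int.pem" "$d/leaf.pem" > "$d/bad.pem"    # intermediate first: wrong order
}
```

On a real host, run check_chain_order against /srv/gitlab/config/ssl/myserver.myorg.org.crt, then compare count_certs on that file with served_cert_count for the published port; the two numbers only agree once NGINX has picked up the new bundle.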