Adding A Certificate Authority in GitLab?

4.3k views Asked by At

So I'm trying to set up GitLab with HTTPS on my server. Sounds simple right?

Well...

I'm kind of using a self signed certificate. And not necessarily just a self signed certificate either. I have a root certificate installed on my system (running Ubuntu 15.04, both in the /etc/ssl/certs folder and in the ca-certificates.crt file in /etc/ssl/certs. I have an intermediate certificate and a server certificate that I'm using for HTTPS on my server. However, I can't seem to get OAUTH to work from GitLab CI. After I press authorize from my GitLab account on my server, I get a 500 error that says "We're sorry, something went wrong." In the logs, I get this error:

Faraday::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed): app/controllers/user_sessions_controller.rb:18:in `callback'

I can't seem to figure out what is causing this issue. I'm running a certificate chain for the webserver, I get an A on the Qualys SSLLabs Test, the SSL Doctor Ruby application that I've been seeing in my search for a solution finds no problems with my certificate chain. At this point, I'm completely clueless as to what may be causing this error. Can anybody help me sort this out?

2

There are 2 answers

0
Alegrowin On

On Gitlab 8.0 OmniBus CE

I first had to convert my .pfx file to .key [PEM] and .crt -> Details

Create the .key file with PEM format

openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
openssl rsa -in [keyfile-encrypted.key] -outform PEM -out [keyfile-encrypted-pem.key]

Create the .crt file

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]

Change the gitlab.rb file

sudo nano /etc/gitlab/gitlab.rb

Based on the Omnibus configuration, change or uncomment the following lines:

external_url "https://gitlab.example.com"

nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.belley.net.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.belley.net.key"

Prior version 8.0

ci_external_url "https://ci.example.com" 
0
Stanislav Seifert On

@Alegrowin thank you, that helped me a lot!

Just to make sure, for other people. You have also to reconfigure and restart Gitlab.

sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart