Unable to install AD Domain wildcard Certificate on Ubuntu 16.04

I’ve been attempting to install a domain wildcard cert (with CA) on a GitLab server we set up (running Ubuntu 16.04) and installed with Omnibus.

I followed the directions in the following articles:

Unfortunately, I cannot get it to listen on port 443 or to redirect from http to https. I’ve tried multiple times, and tried everything I can think of to fix it.

I verified that the values moved over to ‘/var/opt/gitlab/gitlab-rails/etc/gitlab.yml’ after I did the gitlab-ctl reconfigure and restart.

When I try to connect (http or https) I get the following…

If I set the .rb file as such…

external_url 'https://gitlab.mydomain.local'

nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
nginx['ssl_certificate'] = "/etc/gitlab/ssl/star_mydomain_local_cert.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/star_mydomain_local_gitlab.key"
nginx['listen_port'] = 443

It doesn’t appear to listen on 443:

root@gitlab01:/etc/gitlab# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      15657/config.ru
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1003/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1153/master
tcp6       0      0 :::22                   :::*                    LISTEN      1003/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      1153/master

If I set the external URL to ‘https://gitlab.mydomain.local’:

It appears to listen on 443, but I still cannot access it (I get the following errors):

HTTP: ERR_CONNECTION_REFUSED
HTTPS: ERR_SSL_PROTOCOL_ERROR

root@gitlab01:/etc/gitlab# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      11119/config.ru
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1003/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1153/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      11033/nginx
tcp        0      0 0.0.0.0:8060            0.0.0.0:*               LISTEN      11033/nginx
tcp6       0      0 :::22                   :::*                    LISTEN      1003/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      1153/master

The GitLab support folks helped point me in the right direction on this issue.

1.) They pointed out that I didn’t need the lines …

nginx['redirect_http_to_https_port'] = 80
nginx['listen_port'] = 443

2.) I was checking the error log /var/log/gitlab/nginx/gitlab_error.log and it was always empty. Using the command…

gitlab-ctl tail

I discovered that the error log was actually at /var/log/gitlab/nginx/error.log, and there I discovered that the problem was with my certificate (the private key):

==> /var/log/gitlab/nginx/error.log <==
2017/02/21 10:48:13 [emerg] 4994#0: SSL_CTX_use_PrivateKey_file("/etc/gitlab/ssl/star_mydomain_local_gitlab.key") failed (SSL: error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)

I re-exported the private key and this appears to have corrected the problem. My site certificate is working, and rolls over from http to https automatically.
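The failure above (nginx refusing to start because the PEM key asked for a passphrase, while the obvious log file stayed empty) is cheap to catch before running `gitlab-ctl reconfigure`. The following POSIX shell script is an added example of mine, not code from the post or from GitLab. It goes slightly beyond the post: besides checking that the key carries no passphrase, it confirms that the certificate was actually issued for that key and reports whether anything is bound to TCP 443. It assumes `openssl` is installed and that either `ss` or `netstat` is available; the default file names are the ones used in the post and are only placeholders.

```shell
#!/bin/sh
# Added example; not code from the original post or from GitLab.
# Preflight checks for the TLS files an Omnibus GitLab nginx will load,
# to run before "gitlab-ctl reconfigure". The default paths are the ones
# the post uses under /etc/gitlab/ssl; change them for your host.

# Exit codes: 0 = PEM private key without a passphrase (what nginx needs
# at startup), 1 = passphrase-protected key (PKCS#8 ENCRYPTED block or a
# PKCS#1 "Proc-Type: 4,ENCRYPTED" header), 2 = unreadable or not a PEM key.
key_is_unencrypted() {
  keyfile="$1"
  [ -r "$keyfile" ] || return 2
  if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
             -e '^Proc-Type: 4,ENCRYPTED' "$keyfile"; then
    return 1
  fi
  grep -qE '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$keyfile" || return 2
  return 0
}

# Exit codes: 0 = the certificate and key carry the same public key,
# 1 = they do not (a different key was exported or copied), 2 = openssl
# could not parse one of the files. No passphrase is supplied on purpose,
# so an encrypted key also ends up as 2, exactly as it would for nginx.
cert_matches_key() {
  certfile="$1"; keyfile="$2"
  certpub=$(openssl x509 -in "$certfile" -noout -pubkey 2>/dev/null) || return 2
  keypub=$(openssl pkey -in "$keyfile" -pubout -passin pass: 2>/dev/null) || return 2
  [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] && return 0
  return 1
}

# 0 if some process is listening on TCP 443, 1 otherwise. Prefers ss and
# falls back to the netstat invocation from the post.
port_443_listening() {
  { ss -ltn 2>/dev/null || netstat -ntl 2>/dev/null; } | grep -qE ':443[[:space:]]'
}

preflight() {
  certfile="${1:-/etc/gitlab/ssl/star_mydomain_local_cert.crt}"
  keyfile="${2:-/etc/gitlab/ssl/star_mydomain_local_gitlab.key}"
  failed=0

  rc=0; key_is_unencrypted "$keyfile" || rc=$?
  case "$rc" in
    0) echo "ok:   $keyfile has no passphrase" ;;
    1) echo "FAIL: $keyfile is passphrase-protected; nginx will log 'bad password read'"; failed=1 ;;
    *) echo "FAIL: $keyfile is missing or not a PEM private key"; failed=1 ;;
  esac

  rc=0; cert_matches_key "$certfile" "$keyfile" || rc=$?
  case "$rc" in
    0) echo "ok:   $certfile matches $keyfile" ;;
    1) echo "FAIL: $certfile was not issued for the public key in $keyfile"; failed=1 ;;
    *) echo "FAIL: openssl could not read $certfile or $keyfile"; failed=1 ;;
  esac

  if port_443_listening; then
    echo "ok:   something is listening on TCP 443"
  else
    echo "warn: nothing listening on TCP 443 (expected before reconfigure; check gitlab-ctl tail after)"
  fi
  return "$failed"
}

# Usage: sh check_gitlab_tls.sh --check [cert.crt] [key.key]
if [ "${1:-}" = "--check" ]; then
  shift
  preflight "$@"
fi
```

Run it as `sh check_gitlab_tls.sh --check /etc/gitlab/ssl/your.crt /etc/gitlab/ssl/your.key`; a non-zero exit means nginx will not come up with those files, and the relevant line tells you whether to re-export the key without a passphrase or to fetch the matching certificate. The "warn" line for port 443 is informational, since nothing should be listening there until the reconfigure has succeeded.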