9.4.5 update destroys https access - SOLVED

Do not update to 9.4.5 - you will lose access to your GitLab installation; web browsers will report a wrong SSL configuration. Nice update.

I have two servers running GitLab EE using HTTPS and they both upgraded to 9.4.5 normally and without issue.

Edit: Two Ubuntu 16.04 VMs, to be specific.

If you have time, try the following command:

openssl s_client -showcerts -connect your_host.your_domain:443

In my 3 installations (CentOS) it fails to verify a valid certificate.

I’m accessing my instance perfectly fine after updating to 9.4.5.

I am, however, proxying it via nginx.

What is the exact certificate error being given?


This is the reply from the GitLab instance:

Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: FFCED0B557DEC3465AFEA02DF2D52BF0DAFC937EE99E8D52F17D0B2C87D7513D
Master-Key: 50CF8B2738791465AFDCE12D85D09A9665C85775A633931E040A4157F4FC48958A4A38AC832DCAB9BA0C121F2248D08F
Key-Arg : None
Start Time: 1502882180
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

For the same certificate with Apache (just on another port):

Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: A2010000EA1C7B93305E1B231BB68BDE01DA5B56EEAD19D2F2152451693C3101
Master-Key: 0FA76B2B95FA2C8C13A507BA63BA625BF1983C7A6FC6FCF341477A6EDDE19B26414D1994FEB44F2D6B69C32670E9B33D
Key-Arg : None
Start Time: 1502882400
Timeout : 300 (sec)
Verify return code: 0 (ok)

PS: This is a Comodo certificate; do you use a self-signed one?

I just tested that command and I also get “Verify return code: 21 (unable to verify the first certificate)” from both Gitlab-EE servers. The same cert on my Jenkins server returns “Verify return code: 0 (ok)”. I’m using a wildcard cert from GoDaddy at the moment.

Running “gitlab-rake gitlab:check” returns no errors and both GitLab servers are running normally and can be accessed in all browsers.

As for browsers, it depends on which security level they are at :unamused: Meanwhile gitlab.com itself returns Verify return code: 0 (ok); they run 9.5.0-rc4-ee.

The server might not be returning the entire certificate chain. If it’s publicly accessible, run an SSL Labs test on it and look at the Additional Certificates section. See if it complains about Chain issues.

Yes, you’re right, SSL Labs complains about a chain issue, and this is what I’ve been talking about from the beginning: it’s a GitLab bug, and a very bad one; they failed to configure nginx properly, at least in the omnibus edition. Just to repeat: no problem with the same certificate on Apache (the same SSL Labs tests find no problems).

Hello, Apache expects the intermediate certificates in a separate file; nginx wants the complete chain in one file. We only point GitLab to one file with all certificates up to the root CA’s combined.
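The chain problem discussed in the posts above (verify return code 21 from openssl s_client, the SSL Labs "chain issues" complaint, and nginx wanting the whole chain in one file) comes down to what the combined PEM file contains and in what order. The following Python script is an added example, not GitLab's or nginx's own code: using only the standard library it parses a PEM bundle, checks that the file is leaf-first with each certificate's issuer matching the next certificate's subject, and flags a file that contains only the leaf, which is exactly the case that makes clients report "unable to verify the first certificate". The certificates it builds for demonstration are constructed, unsigned stand-ins with hypothetical names (gitlab.example.com, Example Intermediate CA, Example Root CA); on a real server you would read the file your nginx ssl_certificate directive points to and pass its text to check_chain.

```python
"""Check a combined PEM bundle the way nginx consumes it: leaf certificate first,
then each issuing certificate in order. Added example, not GitLab/nginx code."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)


def pem_to_der_list(pem_text):
    """Split a PEM bundle into DER-encoded certificates, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]


def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Return the (tag, value) elements inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def cert_names(der):
    """Return the raw DER content of (issuer Name, subject Name) of one certificate."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    tbs = _children(cert)[0][1]             # tbsCertificate
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0    # optional [0] EXPLICIT version
    # fields[i]=serialNumber, [i+1]=signature AlgorithmIdentifier,
    # [i+2]=issuer, [i+3]=validity, [i+4]=subject
    return fields[i + 2][1], fields[i + 4][1]


def common_name(name_value):
    """Pull the CN out of a Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in _children(name_value):
        for _, atv in _children(rdn):
            oid, val = _children(atv)
            if oid[1] == CN_OID:
                return val[1].decode("utf-8", "replace")
    return "<no CN>"


def check_chain(pem_text):
    """Return a list of human-readable problems; an empty list means the order is sane."""
    certs = [cert_names(d) for d in pem_to_der_list(pem_text)]
    if not certs:
        return ["no certificates found in bundle"]
    problems = []
    if len(certs) == 1 and certs[0][0] != certs[0][1]:
        problems.append("only the leaf certificate is present, intermediates missing "
                        "(clients report 'unable to verify the first certificate')")
    for n in range(len(certs) - 1):
        issuer, subject = certs[n]
        _, next_subject = certs[n + 1]
        if issuer != next_subject:
            problems.append(
                f"certificate {n + 1} ({common_name(subject)}) is issued by "
                f"{common_name(issuer)!r} but certificate {n + 2} is "
                f"{common_name(next_subject)!r}: wrong order or missing intermediate")
    return problems


# --- constructed test data: structurally valid but unsigned stand-in certificates ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    atv = _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Hypothetical certificate with dummy key/signature; only the names matter here."""
    algid = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"170101000000Z") + _der(0x17, b"270101000000Z"))
    spki = _der(0x30, algid + _der(0x03, b"\x00\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + algid
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    b64 = base64.b64encode(_der(0x30, tbs + algid + _der(0x03, b"\x00\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = fake_cert_pem("gitlab.example.com", "Example Intermediate CA")
INTER = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")

if __name__ == "__main__":
    for label, bundle in [("leaf only", LEAF), ("leaf+intermediate", LEAF + INTER),
                          ("wrong order", INTER + LEAF), ("root skipped", LEAF + ROOT)]:
        print(label, "->", check_chain(bundle) or "OK")
```

The comparison is byte-for-byte on the encoded Name, which is what most TLS stacks do first; RFC 5280 also permits some case-insensitive string matching, so treat a mismatch as a strong hint to look at the file rather than as proof. The root certificate at the end is optional in the served chain: when the last certificate is not self-signed the check assumes the root lives in the client's trust store, which is the normal deployment.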

Thanks mfriedenhagen, I didn’t know that; now my GitLab installations work fine. It would be nice to mention it in the docs somewhere.