9.4.5 update destroys https access - SOLVED

sku406 · August 15, 2017, 5:49am

Do not update to 9.4.5 - you wil lose access to your Gitlab installation, any web browsers will report wrong SSL configuration. Nice update.

G3m1n1 · August 16, 2017, 3:28am

I have two servers running GitLab EE using HTTPS and they both upgraded to 9.4.5 normally and without issue.

Edit: Two Ubuntu 16.04 VMs, to be specific.

sku406 · August 16, 2017, 5:09am

If you have time, try following command

openssl s_client -showcerts -connect your_host.your_domain:443

In my 3 installations (Centos) it fails to verify valid certificate.

Liam · August 16, 2017, 11:05am

I’m accessing my instance perfectly fine after updating to 9.4.5.

I am, however, proxying it via nginx.

What is the exact certificate error being given?

Liam

sku406 · August 16, 2017, 11:20am

This is reply from gitlab instance:

SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: FFCED0B557DEC3465AFEA02DF2D52BF0DAFC937EE99E8D52F17D0B2C87D7513D
Session-ID-ctx:
Master-Key: 50CF8B2738791465AFDCE12D85D09A9665C85775A633931E040A4157F4FC48958A4A38AC832DCAB9BA0C121F2248D08F
Key-Arg : None
Start Time: 1502882180
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

For the same certificate with Apache (just another port)

SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: A2010000EA1C7B93305E1B231BB68BDE01DA5B56EEAD19D2F2152451693C3101
Session-ID-ctx:
Master-Key: 0FA76B2B95FA2C8C13A507BA63BA625BF1983C7A6FC6FCF341477A6EDDE19B26414D1994FEB44F2D6B69C32670E9B33D
Key-Arg : None
Start Time: 1502882400
Timeout : 300 (sec)
Verify return code: 0 (ok)

PS This is Comodo certificate, do you use self-signed?

G3m1n1 · August 17, 2017, 2:30pm

I just tested that command and I also get “Verify return code: 21 (unable to verify the first certificate)” from both Gitlab-EE servers. The same cert on my Jenkins server returns “Verify return code: 0 (ok)”. I’m using a wildcard cert from GoDaddy at the moment.

Running “gitlab-rake gitlab:check” returns no errors and both GitLab servers are running normally and can be accessed in all browsers.

sku406 · August 17, 2017, 2:47pm

As for browsers it depends on which security level they are Meanwhile gitlab.com itself returns Verify return code: 0 (ok), they run 9.5.0-rc4-ee.

ryan · August 18, 2017, 4:11pm

The server might not be returning the entire certificate chain. If it’s publicly accessible, run an SSL Labs test on it and look at the Additional Certificates section. See if it complains about Chain issues.

sku406 · August 18, 2017, 5:56pm

Yes, you’re right, SSL Labs complains about chain issue and this what I’m talking from the beginning - it’s Gitlab bug, and very bad one, they failed to configure nginx properly, at least in omnibus edition. Just repeat - no problem with the same certificate on Apache (same SSL Labs tests find no problems).

mfriedenhagen · August 19, 2017, 8:16am

Hello, Apache expects the intermediate certificates in a separate file, nginx wants the complete chain in one file, we only point gitlab to one file with all certificates up to the root CA’s one combined.

sku406 · August 19, 2017, 9:43am

Thanks mfriedenhagen, I didn’t know that, now my Gitlab installations works fine. Would be nice to mention it in docs somewhere.