Add a CRL for ssl client certificates

lso · October 16, 2020, 2:56pm

Hi,
I would like to use a CRL for my client certificates (internal CA), how to do it please ? (is there a var in gitlab.rb to use ?)
=> My CRL is available on a server, so how could I update it, every day for example ? (cron to pull it?)

Thanks for your help,
Pierre

_WP · October 20, 2020, 6:15am

GitLab didn’t take care to include that part of NGINX var, but you can easy-lish add a custom parameter with this.

gitlab.com

gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#inserting-custom-nginx-settings-into-the-gitlab-server-block

---
stage: Enablement
group: Distribution
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
---

# NGINX settings

## Service-specific NGINX settings

Users can configure NGINX settings differently for different services via
`gitlab.rb`. Settings for the GitLab Rails application can be configured using the
`nginx['<some setting>']` keys. There are similar keys for other services like
`pages_nginx`, `mattermost_nginx` and `registry_nginx`. All the configurations
available for `nginx` are also available for these `<service_nginx>` settings and
share the same default values as GitLab NGINX.

If modifying via `gitlab.rb`, users have to configure NGINX setting for each
service separately. Settings given via `nginx['foo']` WILL NOT be replicated to
service specific NGINX configuration (as `registry_nginx['foo']` or

This file has been truncated. show original

Personally I’d use systemd path to push it from the server to GitLab when there is a change in the CRL.

lso · October 20, 2020, 9:12am

Ok thanks I will try that

_WP · November 19, 2020, 3:18pm

your point, the 7 Best Soundbars Under 200$ seeming related to the answer I gave I did not go into detail regarding pushing or pulling a CRL file. (still wont)

The problem with client certificates in GitLab is that you can set one up,
but you cant define a CRL by default.
Using custom-nginx-setting you can add the ssl_crl directive.