After ssl cert replacement unable to reach gitlab page

To start off, I’m not experienced with gitlab or linux system administration so please understand I’m doing the best I can. We have a server running the community edition and serving it up at “gitlab.companywebsite.com”. The SSL cert expired, and in attempting to replace it, I’ve gotten to the point where the website is no longer reachable.

I’ve rebooted the server and confirmed the services like nginx are up and running. What can I try next to troubleshoot this? If you need any logs or additional information I would be happy to provide them.

Thank you!

Hi,

Can you please explain the steps you followed in your attempt to replace it? That will help potentially identify if something was done incorrectly.

Normally though, if you are using a commercial certificate, e.g. one that you purchased, you would normally put this in the /etc/gitlab/ssl directory. The certificate file would be named gitlab.companywebsite.com.crt and the key would be gitlab.companywebsite.com.key. The crt file would be the cert + rootca + intermediate in that one file (not separate). No changes would have been needed in gitlab.rb if just replacing the old cert.

Anyway, please confirm if you did it like I wrote, or something different, so we can help with what to do next. Also consult the /var/log/gitlab/error.log or /var/log/gitlab/gitlab_error.log files as this might also hint if something is incorrectly configured.

Hello! Yes, I downloaded our cert, and placed it in the /etc/gitlab/ssl directory as well as the key file and combined cert file. They are named correctly as you indicated. I then ran sudo gitlab-ctl hup nginx registry as indicated here: NGINX settings | GitLab

When that did not work I rebooted the server, and checked the service status to confirm everything was running.

I will go check the log files you mentioned to see if there’s anything useful mentioned.

Thank you!

I cannot find any log files in the /var/log/gitlab/ directory you mentioned:

Should I be looking somewhere else?

Normally doing:

gitlab-ctl restart

might have been enough, alternatively:

gitlab-ctl reconfigure

You have /var/log/gitlab/nginx in that screenshot above (my bad, I missed nginx from my post). There will be error logs in there that you can check, but try the steps above for restarting gitlab completely or using the reconfigure.

I’ve run those commands with no noticeable effect. Trying to access the /var/log/gitlab/nginx/ directory gives me an access denied error, and if I utilize sudo it just leaves me in the gitlab folder.

Ideas?

Try doing:

sudo su

to get to the root user, and then change to that directory. Then you will be able to view the files.

That worked! In error.log it seems to be repeating the following:

2022/02/04 12:41:03 [emerg] 30667#0: SSL_CTX_use_PrivateKey_file("/etc/gitlab/ssl/gitlab.companyname.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

Does this mean the private key does not match the public key specified by the cert?

Could well be, yes, that it’s the wrong key for the certificate.

Hey, I’ve been trying to get this to work the past few days but nothing yet. Do you know the proper procedure for generating a new key and CSR on the gitlab server? I must be doing it wrong.

This is not unique to Gitlab, it’s the same when generating for Apache, Nginx, or other web stuff.

You have two methods there, for generating RSA or ECDSA. Either is fine, but less problematic are RSA certs to be honest, especially if you don’t want to be messing around with Nginx Cipher configuration to ensure that the ECDSA certs work properly.

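The "key values mismatch" line in the nginx log and the key/CSR question both come down to whether the key, the CSR and the certificate carry the same public key. The shell functions below are an added example, not code from the thread participants or from GitLab's documentation: they create a key and CSR and compare public keys across the three files. They assume the `openssl` command-line tool is installed; the function names, the RSA 2048 key size and all file paths and host names passed in are illustrative choices.

```bash
#!/usr/bin/env bash
# Added example: verify that a private key, a CSR and a certificate belong together.
# Function names, key size and paths are illustrative assumptions.

# Read a PEM public key on stdin and print a SHA-256 of its normalised PEM form.
# Fails (non-zero) on empty or unparsable input so two errors never "match".
pub_hash() {
    local pem
    pem=$(openssl pkey -pubin 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Works for RSA and ECDSA keys alike, since only the public key is compared.
key_pub_hash()  { openssl pkey -in "$1" -pubout 2>/dev/null | pub_hash; }
csr_pub_hash()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null | pub_hash; }

# openssl x509 reads only the FIRST certificate in a combined file. nginx also
# pairs the key with the first certificate, so the server certificate must come
# before the intermediate/root; the wrong order produces the same mismatch error.
cert_pub_hash() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | pub_hash; }

# Exit status 0 when the key belongs to the first certificate in the file.
key_matches_cert() {
    local k c
    k=$(key_pub_hash "$1")  || return 1
    c=$(cert_pub_hash "$2") || return 1
    [ "$k" = "$c" ]
}

# Create a new unencrypted RSA key and a CSR for the given host name.
# Usage: new_key_and_csr <hostname> <key-out> <csr-out>
new_key_and_csr() {
    ( umask 077   # keep the private key readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$2" -out "$3" -subj "/CN=$1" 2>/dev/null )
}

# Stand-alone use: ./check.sh <key-file> <combined-crt-file>
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then echo "key matches certificate"
    else echo "MISMATCH: key does not belong to the first certificate in $2"; fi
fi
```

Running the comparison on the CSR before sending it to the CA, and again on the issued certificate before restarting nginx, shows which file is the odd one out.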