Cannot clone via https with error server certificate verification failed

Hi,

I have a fresh install of GitLab Community Edition 8.13.0 up and running. I added SSL to it but am not able to clone any project via https. Here is my try:

$ GIT_CURL_VERBOSE=1 git clone https://www.mydomain.de/muster/project.example.git test
Klone nach 'test' ...
* Couldn't find host www.mydomain.de in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
*   Trying aaa.bbb.ccc.ddd...
* Connected to www.mydomain.de (aaa.bbb.ccc.ddd) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
fatal: unable to access 'https://www.mydomain.de/muster/project.example.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I used these docs to install the SSL certificates:
https://docs.gitlab.com/omnibus/settings/nginx.html#enable-https

Any help is really appreciated!

Thanks and best regards,

Ralf


Just another hint. I did not add the intermediate crt file yet. Currently, I only have:

$ ls -al /etc/gitlab/ssl/
total 16
drwx------ 2 root root 4096 Okt 23 07:37 .
drwxrwxr-x 4 root root 4096 Okt 23 08:26 ..
-rw-r--r-- 1 root root 1988 Okt 23 07:37 www.mydomain.de.crt
-rw-r--r-- 1 root root 1679 Okt 23 07:37 www.mydomain.de.key

How should that be named?

Thanks,

Ralf

Do you get certificate errors in your web browser when you visit the site?

Can you check the site with SSLLabs checker (or similar) to see if there are any SSL certificate problems?

Not having intermediates could cause this problem.

Nginx does not use a separate file for the intermediate certificate(s). Instead, you concatenate the site certificate and the intermediates into a single file. For example, here are instructions from one certificate provider (see step 3).

Hi,

thanks for your reply. When I concatenate the two files, then nginx cannot be restarted. So it does not work.

The SSLLabs checker shows a B rating and prints

This server’s certificate chain is incomplete. Grade capped to B.

Could that be the problem?

Thanks, Ralf

Wait. I added a new line between the two concatenated certificates and now it works. Get an A+ now for the SSLLabs checker as well. So problem solved! Thanks a lot!

Thanks and best regards,

Ralf
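
The fix this thread arrives at (one file holding the site certificate followed by the intermediates, with a line break between them) can be scripted. The following is an added example, not part of the original posts or of GitLab's tooling; the function names, file names and PEM bodies are constructed for illustration:

```shell
#!/bin/sh
# Added example. File names and PEM bodies below are constructed.

# Concatenate PEM files (site certificate first, then intermediates) into
# $1, adding a newline after any input that lacks one, so the END marker
# of one certificate is never fused with the BEGIN marker of the next.
build_chain() {
    out=$1; shift
    : > "$out" || return 1
    for pem in "$@"; do
        [ -s "$pem" ] || { echo "missing or empty: $pem" >&2; return 1; }
        cat "$pem" >> "$out"
        # $(...) strips a trailing newline, so a non-empty result means
        # the last byte of the file is not a newline.
        if [ -n "$(tail -c 1 "$pem")" ]; then printf '\n' >> "$out"; fi
    done
}

# Succeed only if no line carries two markers and BEGIN/END counts match.
check_pem_boundaries() {
    if grep -q -e '-----END CERTIFICATE-----.*-----BEGIN' "$1"; then
        echo "fused PEM boundary in $1" >&2
        return 1
    fi
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Write a constructed, non-functional PEM file with no trailing newline.
make_sample() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' "$2" \
        '-----END CERTIFICATE-----' > "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir/site.crt" "U0lURQ=="
    make_sample "$dir/intermediate.crt" "SU5URVJNRURJQVRF"
    # Plain cat of files without a final newline fuses the two markers.
    cat "$dir/site.crt" "$dir/intermediate.crt" > "$dir/naive.crt"
    build_chain "$dir/chain.crt" "$dir/site.crt" "$dir/intermediate.crt"
    check_pem_boundaries "$dir/naive.crt" 2>/dev/null && echo "naive: ok" || echo "naive: broken"
    check_pem_boundaries "$dir/chain.crt" && echo "chain: ok" || echo "chain: broken"
    rm -rf "$dir"
}
demo
```

The boundary check only inspects the PEM markers; it does not validate that the certificates themselves form a trusted chain.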