'Certificate verify failed' when setting up Kubernetes integration using a self-signed certificate

Hi all,
We have an instance of Gitlab running in a kubernetes cluster in AWS. In lieu of real SSL certificates I’ve generated new CAs, certificates and keys for both kubernetes and Gitlab. I’m trying to configure Gitlab - Kubernetes integration as described on this page: https://docs.gitlab.com/ce/user/project/integrations/kubernetes.html

I’ve created a service account in kubernetes called ‘gitlab’. I’ve copied the value for ‘token’ from the kubernetes dashboard and pasted it into the ‘Service token’ field in Gitlab, and copied the ‘ca.crt’ value from the dashboard and pasted it into the ‘Custom CA Bundle’ field in Gitlab. I save the settings and then click ‘Test Settings’ and this is the response I see:

Certificate verify failed

I then found this page: https://docs.gitlab.com/omnibus/common_installation_problems/README.html#install-custom-certificate-authorities
It suggests placing your kubernetes CA file into the /etc/gitlab/trusted-certs path on your Gitlab server and restarting. I’ve done this and confirmed my kubernetes CA .pem file is symlinked in /opt/gitlab/embedded/ssl/certs. I still see the message above.

I don’t see any messaging in either my gitlab or kubernetes logs about any requests attempted from Gitlab to Kubernetes. It’s not clear whether it’s the Gitlab cert or the Kubernetes cert which is not verifying as both are self-signed.

In the second page I linked above there is also a note about self-signed certificates which prescribes setting self_signed_cert: true in the gitlab config. However looking at the line in the gitlab.rb template:

# gitlab_shell['http_settings'] = { user: 'username', password: 'password', ca_file: '/etc/ssl/cert.pem', ca_path: '/etc/pki/tls/certs', self_signed_cert: false}

It seems to me this is specific to gitlab-shell and wouldn’t affect kubernetes integration. If anything this relates to the Gitlab CA file. There is no /etc/ssl/cert.pem file nor a /etc/pki/tls/certs path on the Gitlab server so I’d need to update those paths I think. Is this a red herring? If not what values should I provide? Should I copy the gitlab and kubernetes certificates to the /etc/ssl/certs path on the gitlab server?

Any help with the above would be greatly appreciated!


I had a similar issue and posted the way I found to retrieve both the token and the ca.crt.

The relevant answer on the forum is here, or here on Stack Overflow.

According to the official documentation, the API URL is only https://hostname:port without trailing slash.
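
On the question of which certificate is failing to verify, the following added example (not part of the thread, and not GitLab or Kubernetes tooling) tests an API server certificate against each candidate CA file with `openssl verify` and reports the one that actually signed it. The CA names, subjects, file names and function names are constructed for illustration; `live_check` assumes network access to the API URL and is not run by the demo.

```shell
#!/usr/bin/env bash
# Added example: find which CA file verifies a given server certificate.
# All certificates below are constructed throwaway test material.

# chain_ok CA_FILE CERT_FILE: exit 0 only if CERT_FILE chains to a CA in CA_FILE.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# which_ca CERT_FILE CA_FILE...: print the first CA file that verifies CERT_FILE.
which_ca() {
  cert=$1; shift
  for ca in "$@"; do
    if chain_ok "$ca" "$cert"; then echo "$ca"; return 0; fi
  done
  echo "none"; return 1
}

# live_check HOST:PORT CA_FILE: the same test against a running API server.
# -verify_return_error makes the handshake fail when verification fails.
live_check() {
  openssl s_client -connect "$1" -CAfile "$2" -verify_return_error \
    </dev/null >/dev/null 2>&1
}

# make_ca DIR NAME: constructed self-signed CA written to NAME.crt / NAME.key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# demo: build two CAs and an API server cert signed by only one of them,
# then report which CA file verifies that cert.
demo() {
  d=$(mktemp -d)
  make_ca "$d" k8s-ca && make_ca "$d" gitlab-ca || return 2
  openssl req -newkey rsa:2048 -nodes -subj "/CN=kube-apiserver" \
    -keyout "$d/api.key" -out "$d/api.csr" 2>/dev/null
  openssl x509 -req -in "$d/api.csr" -CA "$d/k8s-ca.crt" -CAkey "$d/k8s-ca.key" \
    -CAcreateserial -days 1 -out "$d/api.crt" 2>/dev/null
  result=$(which_ca "$d/api.crt" "$d/gitlab-ca.crt" "$d/k8s-ca.crt")
  rm -rf "$d"
  basename "$result"
}

demo   # prints: k8s-ca.crt
```

Against a real cluster, `live_check hostname:port ca.crt` exits non-zero when the certificate presented at the API URL was not issued by the CA pasted into the 'Custom CA Bundle' field.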