Followed this: https://docs.gitlab.com/omnibus/settings/ssl.html
Many times, in fact; however, GitLab always provides the browser with the previous self-signed cert…
The cert appears in the right place, with the link:
root@fsgit:/opt/gitlab/embedded/ssl/certs# ls -al /opt/gitlab/embedded/ssl/certs
total 12
drwxr-xr-x 2 root root 4096 Sep 5 10:52 .
drwxr-xr-x 4 root root 4096 Sep 5 10:52 ..
lrwxrwxrwx 1 root root 57 Sep 5 10:52 616b9e4b.0 -> /etc/gitlab/trusted-certs/lab_xxx_com.pem
-rw-r--r-- 1 root root 147 Sep 5 10:52 README
root@fsgit:/etc/gitlab/trusted-certs# ls -al /etc/gitlab/trusted-certs
total 12
drwxr-xr-x 2 root root 4096 Sep 5 10:52 .
drwxrwxr-x 4 root root 4096 Sep 5 10:30 ..
lrwxrwxrwx 1 root root 31 Sep 5 10:52 616b9e4b.0 -> lab_xxx_com.pem
-rwxr-xr-x 1 root root 1968 Sep 5 10:12 lab_xxx_com.pem
Relevant Chef run:
root@fsgit:/opt/gitlab/embedded/ssl/certs# gitlab-ctl reconfigure
Starting Chef Client, version 12.12.15
resolving cookbooks for run list: ["gitlab"]
Synchronizing Cookbooks:
- runit (0.14.2)
- package (0.0.0)
- gitlab (0.0.1)
Installing Cookbook Gems:
Compiling Cookbooks...
Recipe: gitlab::default
...
Recipe: gitlab::add_trusted_certs
* directory[/etc/gitlab/trusted-certs] action create (up to date)
* directory[/opt/gitlab/embedded/ssl/certs] action create (up to date)
* file[/opt/gitlab/embedded/ssl/certs/README] action create (up to date)
* ruby_block[Move existing certs and link to /opt/gitlab/embedded/ssl/certs] action run (skipped due to only_if)
And the pem file appears valid:
root@fsgit:/etc/gitlab/trusted-certs# /opt/gitlab/embedded/bin/openssl x509 -in /etc/gitlab/trusted-certs/lab_xxx_com.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f9:3a:ad:bf:51:3b:14:89:c2:a2:a6:88:28:1b:8c:57
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Jun 7 00:00:00 2016 GMT
Not After : Jun 7 23:59:59 2018 GMT
Subject: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.lab.forescoutuniversity.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
...
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
X509v3 Subject Key Identifier:
6E:8F:04:9C:C5:C5:F7:0E:4C:ED:94:98:F6:48:07:32:96:A9:00:24
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://secure.comodo.com/CPS
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com
X509v3 Subject Alternative Name:
DNS:*.lab.xxx.com, DNS:lab.xxx.com
Signature Algorithm: sha256WithRSAEncryption
...