Convert from self-signed cert to wildcard cert not working

Followed this:

Many times in fact; however gitlab always provides the browser with the previous self-signed cert…

cert appears in the right place with link:

root@fsgit:/opt/gitlab/embedded/ssl/certs# ls -al /opt/gitlab/embedded/ssl/certs
total 12
drwxr-xr-x 2 root root 4096 Sep  5 10:52 .
drwxr-xr-x 4 root root 4096 Sep  5 10:52 ..
lrwxrwxrwx 1 root root   57 Sep  5 10:52 616b9e4b.0 -> /etc/gitlab/trusted-certs/lab_xxx_com.pem
-rw-r--r-- 1 root root  147 Sep  5 10:52 README

root@fsgit:/etc/gitlab/trusted-certs# ls -al /etc/gitlab/trusted-certs
total 12
drwxr-xr-x 2 root root 4096 Sep  5 10:52 .
drwxrwxr-x 4 root root 4096 Sep  5 10:30 ..
lrwxrwxrwx 1 root root   31 Sep  5 10:52 616b9e4b.0 -> lab_xxx_com.pem
-rwxr-xr-x 1 root root 1968 Sep  5 10:12 lab_xxx_com.pem

Relevant Chef run:

oot@fsgit:/opt/gitlab/embedded/ssl/certs# gitlab-ctl reconfigure
Starting Chef Client, version 12.12.15
resolving cookbooks for run list: ["gitlab"]
Synchronizing Cookbooks:
  - runit (0.14.2)
  - package (0.0.0)
  - gitlab (0.0.1)
Installing Cookbook Gems:
Compiling Cookbooks...
Recipe: gitlab::default

Recipe: gitlab::add_trusted_certs
  * directory[/etc/gitlab/trusted-certs] action create (up to date)
  * directory[/opt/gitlab/embedded/ssl/certs] action create (up to date)
  * file[/opt/gitlab/embedded/ssl/certs/README] action create (up to date)
  * ruby_block[Move existing certs and link to /opt/gitlab/embedded/ssl/certs] action run (skipped due to only_if)

And the pem file appears valid:

root@fsgit:/etc/gitlab/trusted-certs# /opt/gitlab/embedded/bin/openssl x509 -in /etc/gitlab/trusted-certs/lab_xxx_com.pem -text -noout
        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
            Not Before: Jun  7 00:00:00 2016 GMT
            Not After : Jun  7 23:59:59 2018 GMT
        Subject: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 

            X509v3 Subject Key Identifier: 
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 

            X509v3 CRL Distribution Points: 

                Full Name:

            Authority Information Access: 
                CA Issuers - URI:
                OCSP - URI:

            X509v3 Subject Alternative Name: 
    Signature Algorithm: sha256WithRSAEncryption