GitLab Cert Renewed - Jenkins SSL Cert Expired error

Hello,
Last week our Gitlab SSL Certificate expired, and I noticed that all of our Jenkins jobs were all failing due to the SSL Certificate Expired.
I followed the instructions and generated a new GitLab SAN certificate using OpenSSL and applied it to the GitLab Linux Server. I verified with Chrome, and other web browsers that when browsing to our https:// GitLab website, the certificate was showing as valid and no longer displaying a certificate expired error. Every thing looks all good, but a few days later we’ve noticed that the Jenkins jobs are still failing.
Every GIT project is showing this error:
fatal: unable to access ‘https://git.ourdomain.here/jenkins/’: SSL certificate problem: certificate has expired

Jenkins is installed on a Windows Server, and so I’m not sure what else should be done. We’ve tried restarting the jenkins service, rebooting the Windows server, but jobs fail every time they run with that error. I’ve seen posts saying that on the Linux version of Jenkins, “You need to update your /etc/ssl/certs/ca-certificates.crt with the new Gitlab server certificate”. I don’t see anything cert related on the Windows Jenkins install.
Other articles mention using Jenkins with a keystore, but I think that’s only if you want to run the Jenkins website with SSL, and we don’t. So there is nothing in the jenkins.xml file about a keystore.

I cannot figure out why the GitLab site with the new cert returns that error when Jenkins tries to connect to it.

GitLab Community Edition [12.1.6]

I figured out the solution. According to this URL:
https://docs.gitlab.com/ee/administration/troubleshooting/ssl.html#using-an-internal-ca-certificate-with-gitlab

Under the Unable to perform Git operations due to an internal or self-signed certificate section
It mentions the git config --global http.sslCAInfo configuration.
So I did a git config --list and found the location of our ca-bundle.crt file, which also had expired just last week.

Not only had our GitLab cert expired, but so did the CA Bundle (certificate chain).
The next issue was, I had issues exporting the Windows CA Certificate Chain and converting the P7B to CRT using OpenSSL.
I decided to export the Sub CA certificate as a CER, and then converted it from CER to CRT (OpenSSL).
I next exported the Root CA certificate as a CER, and also converted it from CER to CRT (OpenSSL).

Following instructions from this URL, I built my own bundle using the CRT files:
https://ssl4less.eu/faq/technical-questions/how-do-i-make-my-own-bundle-file-from-crt-files.html

So basically, I opened up both crt files within a text editor (Notepad++), copied the RootCA cert text, and pasted it into the IssuingCA cert at the very bottom and then saved the file. Worked like a charm.

Now Jenkins is properly working with GitLab again. What a crazy few days.

1 Like