Hi,
Unfortunately this isn’t a good idea for production, from a security standpoint.
Out of curiosity, did you run update-ca-certificates after copying the ca_file certificate there? It might have an impact on how this is treated by the OS, making it globally available.
Also, this path seems to be coming from Debian/Ubuntu - can you share your OS details?
$ cat /etc/os-release
Another thing you can test is removing the ssl_version key in the LDAP YAML config and seeing what happens. Maybe the pinning does not work reliably. Typically server and client negotiate the best version.
Another guess of mine - symlinks might not be followed when reading certificate paths. Therefore I’d recommend the following steps for a self-signed certificate and CA:
$ cp /usr/local/share/ca-certificates/dc1_cert.pem /etc/gitlab/trusted-certs/
$ gitlab-ctl reconfigure
Following this topic, Perl might be a requirement for the above steps: Ubuntu gitlab-ee-omnibus ssl ldap certificate verify failed - #3 by itkroplis
Cheers,
Michael
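As an added example (not code from the post above or from GitLab), here is a small POSIX shell check that covers the points raised in the reply before a file is copied into /etc/gitlab/trusted-certs/: it resolves symlinks, confirms the file is PEM-framed, and reports whether the certificate is already part of the system bundle that update-ca-certificates builds. The bundle path /etc/ssl/certs/ca-certificates.crt is an assumption (Debian/Ubuntu default).

```shell
#!/bin/sh
# Added example, not from the original post. Sanity-check a CA file before
# copying it to /etc/gitlab/trusted-certs/: resolve symlinks (the post
# suspects they may not be followed), verify PEM framing, and report whether
# the cert is already in the bundle built by update-ca-certificates.
# BUNDLE is the Debian/Ubuntu location and is an assumption.
BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Print the symlink-resolved path of $1; fail if it does not exist.
resolve_cert() { [ -e "$1" ] && readlink -f "$1"; }

# Number of PEM certificate blocks in $1 (0 = not a PEM certificate file).
pem_cert_count() { grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null || true; }

# Succeed if the first certificate body in $1 appears verbatim in bundle $2.
cert_in_bundle() {
  body=$(awk '/^-----BEGIN CERTIFICATE-----$/{f=1;next}
              /^-----END CERTIFICATE-----$/{if(f)exit} f' "$1" | tr -d '\n')
  [ -n "$body" ] && [ -r "$2" ] || return 1
  awk -v want="$body" '
    /^-----BEGIN CERTIFICATE-----$/ {f=1; acc=""; next}
    /^-----END CERTIFICATE-----$/   {if (f && acc == want) {hit=1; exit} f=0; next}
    f {acc = acc $0}
    END {exit hit ? 0 : 1}' "$2"
}

# Report on cert $1 against bundle $2 (default BUNDLE). Returns 0 when the
# cert is trusted system-wide, 2 when it is valid PEM but not yet in the
# bundle (update-ca-certificates probably not run), 1 when it is unusable.
check_ca_file() {
  real=$(resolve_cert "$1") || { echo "missing: $1"; return 1; }
  [ -L "$1" ] && echo "note: $1 is a symlink to $real; copy the real file"
  n=$(pem_cert_count "$real")
  [ "${n:-0}" -gt 0 ] || { echo "not a PEM certificate: $real"; return 1; }
  if cert_in_bundle "$real" "${2:-$BUNDLE}"; then
    echo "ok: $real ($n cert(s)) is in the system bundle"; return 0
  fi
  echo "warn: $real is valid PEM but not in ${2:-$BUNDLE}"; return 2
}
```

Run it as `check_ca_file /usr/local/share/ca-certificates/dc1_cert.pem` and act on the return code; a 2 means the OS trust store has not picked the certificate up yet.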