Gitlab not able to verify AD certificate for authentication

Did you try this already?

I’ve already said that I added the ssl_version only afterwards, after getting the error, just to see if it works by specifying the tls version.

I see, thanks. I’m out of ideas but I’ll follow @FossCoder's argument that the certificate chain is broken, and the .pem does not provide all certificates. Probably it is only providing one certificate, and not the CA certificates bundled inside. openssl verify can help here.

Hi, I’m back with an Actual AD CA certificate :smiley:

Now the problem that I’m having is that gitlab still has issues with the validity of the certificate and I’ve tested its openssl and compared it to that of the OS (which is CentOS 7.9.2009).
The os openssl is OpenSSL 1.0.2k-fips 26 Jan 2017
The gitlab one is using, of course, a much newer one: OpenSSL 1.1.1t 7 Feb 2023.
The OS version works without any problems, but the gitlab one fails to verify the certificate. This is the command I’m running to test it:

echo | /opt/gitlab/embedded/bin/openssl s_client -connect dc1.company.com:636 | /opt/gitlab/embedded/bin/openssl x509 -text -noout

And this is the error I’m getting:

depth=0 CN = DC1.COMPANY.COM
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = DC1.COMPANY.COM
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = DC1.COMPANY.COM
verify return:1

I’m running the exact same command but with the OS openssl without any issues.

Could it be that gitlab might be looking at some other CA lists and maybe I’d need to add the CA somewhere else than under /etc/pki/ca-trust/source/anchors/ and run update-ca-trust?

Ok, it eventually worked by adding the certificate to /etc/gitlab/trusted-certs and doing a gitlab-ctl reconfigure. Thank you all for your help.
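The situation in this thread (the OS openssl trusts the AD CA, the embedded openssl in /opt/gitlab does not, and the leaf certificate alone verifies with error 20) can be reproduced offline. The script below is an added example, not something posted in the thread: it builds a constructed CA and a constructed server certificate standing in for dc1.company.com, then verifies that certificate once against an unrelated CA file (the "gitlab" view) and once against the issuing CA (the "OS" view). It assumes only that an `openssl` binary is on PATH; to test the GitLab side, point the same calls at /opt/gitlab/embedded/bin/openssl.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unable to get local issuer
# certificate" failure with a constructed CA and server certificate, then show
# the same certificate verifying once the right CA file is supplied.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME OUTFILE KEYFILE: constructed self-signed CA (stands in for the AD CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$3" -out "$2" >/dev/null 2>&1
}

CA_FILE="$WORK/ad-ca.pem"          # the CA that really issued the server cert
OTHER_CA="$WORK/unrelated-ca.pem"  # a trust store that does not contain that CA
SERVER_CERT="$WORK/dc1.pem"        # constructed stand-in for dc1.company.com

make_ca "Constructed AD Root CA" "$CA_FILE" "$WORK/ad-ca.key"
make_ca "Some Other Root CA"     "$OTHER_CA" "$WORK/unrelated-ca.key"

# Constructed server certificate, signed by the AD stand-in CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=DC1.COMPANY.COM" \
  -keyout "$WORK/dc1.key" -out "$WORK/dc1.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/dc1.csr" -CA "$CA_FILE" -CAkey "$WORK/ad-ca.key" \
  -CAcreateserial -days 1 -out "$SERVER_CERT" >/dev/null 2>&1

# verify_chain CERT CAFILE: run openssl verify with CAFILE as the trust anchor.
# Prints openssl's verdict; exit status is 0 only when the chain is complete.
verify_chain() {
  openssl verify -CAfile "$2" "$1"
}

# chain_status CERT CAFILE: "trusted" or "untrusted", without the noise.
chain_status() {
  if verify_chain "$1" "$2" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

echo "--- CA missing from the trust store (what the embedded openssl sees) ---"
verify_chain "$SERVER_CERT" "$OTHER_CA" || true   # error 20: unable to get local issuer certificate
echo "--- issuing CA present (what the OS openssl sees) ---"
verify_chain "$SERVER_CERT" "$CA_FILE"             # dc1.pem: OK
```

Two practical notes. First, piping `s_client` into `x509 -text` as in the command above only decodes the first certificate the server sends, so a missing intermediate is invisible there; `openssl s_client -connect dc1.company.com:636 -showcerts` prints every certificate in the handshake, which is what you want to compare against the CA file. Second, before running gitlab-ctl reconfigure you can confirm the fix the same way this script does: `/opt/gitlab/embedded/bin/openssl verify -CAfile <your AD CA .pem> <server cert .pem>` should print `OK` with the embedded binary, not just the OS one.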
