GitLab SSL - Push & Fetch

Hi Guys,

I've configured GitLab to work with an SSL certificate signed by StartSSL (TLSv1), following this manual.

The website is working fine with HTTPS and fetch works OK.
The issue starts when I try to use the push command.
When I try to push I get this error:

    git push
    Writing objects: 100% (3/3), 237 bytes | 0 bytes/s, done.
    Total 3 (delta 0), reused 0 (delta 0)
    remote: /opt/gitlab/embedded/service/gitlab-shell/lib/gitlab_net.rb:128:in `add_file': system lib (OpenSSL::X509::StoreError)
    remote: from /opt/gitlab/embedded/service/gitlab-shell/lib/gitlab_net.rb:128:in `cert_store'
    remote: from /opt/gitlab/embedded/service/gitlab-shell/lib/gitlab_net.rb:70:in `http_client_for'
    remote: from /opt/gitlab/embedded/service/gitlab-shell/lib/gitlab_net.rb:95:in `request'
    remote: from /opt/gitlab/embedded/service/gitlab-shell/lib/gitlab_net.rb:119:in `post'
    remote: from /opt/gitlab/embedded/service/gitlab-shell/lib/gitlab_net.rb:31:in `check_access'
    remote: from /opt/gitlab/embedded/service/gitlab-shell/lib/gitlab_access.rb:23:in `exec'
    remote: from hooks/pre-receive:17:in
    To https://gitlab./vitaly/dummy.git
    ! [remote rejected] master -> master (pre-receive hook declined)
    error: failed to push some refs to 'https://gitlab./vitaly/dummy.git'

Any thoughts?

Looks like an SSL certification failure.
Have you done this step, if you use a self-signed cert?

In the config.yml of gitlab-shell set self_signed_cert to true

If that is not the case, there's another, bad way: just modify gitlab-shell/hooks/pre-receive and change the code exit 1 to exit 0 to pass validation.

Hello. How do I set up HTTPS for git-shell with a certificate from GoDaddy? I have 3 files (for other servers):
mydomain.key, d281a51f47fbb17d.crt, gd_bundle-g2-g1.crt. How must I modify those certs and configure /home/git/gitlab-shell/config.yml to resolve:

  Administrator / test1 ... repository is empty
    test1 / Test1Project1 ... repository is empty
    Running /home/git/gitlab-shell/bin/check
    Check GitLab API access: /home/git/gitlab-shell/lib/gitlab_net.rb:128:in `add_file': system lib (OpenSSL::X509::StoreError)
            from /home/git/gitlab-shell/lib/gitlab_net.rb:128:in `cert_store'
            from /home/git/gitlab-shell/lib/gitlab_net.rb:70:in `http_client_for'
            from /home/git/gitlab-shell/lib/gitlab_net.rb:95:in `request'
            from /home/git/gitlab-shell/lib/gitlab_net.rb:115:in `get'
            from /home/git/gitlab-shell/lib/gitlab_net.rb:52:in `check'
            from /home/git/gitlab-shell/bin/check:12:in `<main>'
    gitlab-shell self-check failed
      Try fixing it:
      Make sure GitLab is running;
      Check the gitlab-shell configuration file:
      sudo -u git -H editor /home/git/gitlab-shell/config.yml
      Please fix the error above and rerun the checks.

I don't know how to correctly insert my certs into the config. All manuals describe how to set up GitLab with PEM keys.
Now /home/git/gitlab-shell/config.yml:

---
user: git
gitlab_url: https://repository.mydomain.com/
http_settings:
  ca_file: /etc/ssl/private/mydomain.com.chained.crt # cat d281a51f47fbb17d.crt gd_bundle-g2-g1.crt > d281a51f47fbb17d.crt, gd_bundle-g2-g1.crt
  ca_path: /etc/ssl/private/
  self_signed_cert: true
repos_path: "/home/git/repositories/"
auth_file: "/home/git/.ssh/authorized_keys"
redis:
  bin: "/usr/bin/redis-cli"
  namespace: resque:gitlab
  socket: "/var/run/redis/redis.sock"
#log_level: INFO
log_level: DEBUG
audit_usernames: false

I faced the same problem and I resolved it in the following easy way:

  1. Run ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE' - this will show you the default OpenSSL certs path. In my case it is /usr/lib/ssl/cert.pem
  2. Go to the directory above and put an appropriate PEM file with trusted root CA certificates there (you can grab it from http://curl.haxx.se/docs/caextract.html)
  3. Run sudo -u git -H editor /home/git/gitlab-shell/config.yml and comment out the ca_file and ca_path lines; make sure that self_signed_cert: false
  4. sudo service gitlab restart, then check it via sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production - everything should be fine.
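
Added example (not part of the thread and not gitlab-shell's own code): a Ruby pre-check for the http_settings values shown in the config.yml above. It reports whether ca_file exists, is readable by the running user, holds PEM certificates rather than a key, and loads through the same OpenSSL::X509::Store#add_file call that raises in the traces. The function names and the generated test certificate are constructed for illustration.

```ruby
require 'openssl'
require 'tempfile'

# Reasons a ca_file would fail as a trust bundle (empty array = OK).
def ca_file_problems(path)
  return ["#{path}: does not exist"] unless File.exist?(path)
  return ["#{path}: not readable by uid #{Process.uid}"] unless File.readable?(path)
  pem = File.read(path)
  problems = []
  # A CA bundle holds certificates only; a private key in it is a misplaced secret.
  problems << "#{path}: contains a private key" if pem =~ /-----BEGIN [A-Z ]*PRIVATE KEY-----/
  blocks = pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  problems << "#{path}: no PEM certificate blocks" if blocks.empty?
  begin
    OpenSSL::X509::Store.new.add_file(path) # the call that raises in the traces above
  rescue OpenSSL::X509::StoreError => e
    problems << "#{path}: add_file raised StoreError (#{e.message})"
  end
  problems
end

# Checks the http_settings keys shown in the config.yml above (hash keys as in that file).
def http_settings_problems(settings)
  problems = settings['ca_file'] ? ca_file_problems(settings['ca_file']) : []
  dir = settings['ca_path']
  problems << "#{dir}: ca_path is not a directory" if dir && !File.directory?(dir)
  problems << 'self_signed_cert is true; use false for a CA-issued certificate' if settings['self_signed_cert']
  problems
end

# Constructed sample input: a throwaway self-signed certificate in PEM form.
def constructed_cert_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-example-ca')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

Tempfile.create('bundle') do |f|
  f.write(constructed_cert_pem)
  f.flush
  p http_settings_problems('ca_file' => f.path, 'self_signed_cert' => false)
end
```

Run it as the git user (sudo -u git -H ruby ...) against the real paths, so the readability check reflects the account gitlab-shell runs under.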