GitLab uses wrong SSL cert and I'm not even sure where it is!

Hi all, new to the forum. I’ve been running a GitLab instance mostly trouble-free since about November 2021. I have several other sites which I host from a single WAN IP at my home, so I chose to run GitLab with SSL but on an alternate port number. I have the correct external URL and port specified in gitlab.rb, and everything worked until the end of February, when apparently a certificate… somewhere on the system expired.

The old certificate is a wildcard certificate for my domain (*, while the new one is specific to the subdomain for gitlab ( I’ve been working through the SSL documentation page, which told me to put the new certificate I generated on my primary webserver in the /etc/gitlab/trusted_certs/ folder, naming the file as something like “”. I did this, the permissions are root:root, and I ran gitlab-ctl reconfigure, which didn’t throw any errors. I see the crt is now symlinked to another location, and all appears to be well, but I still get errors indicating that my wildcard certificate (NOT the one that is currently configured in GitLab) is expired.

Additionally, going through the troubleshooting steps, when I run

echo | /opt/gitlab/embedded/bin/openssl s_client -connect

the command just times out. However, if I test the certificate using

/opt/gitlab/embedded/bin/openssl x509 -text -noout

I see the correct certificate.

So how do I find this wildcard certificate and delete it? Could it be that nginx is getting in the middle and causing issues? I can’t remember how I initially got all this working, as I don’t think I actually had a certificate in /etc/gitlab/trusted_certs before. I’m pretty sure I just found the wildcard certificate on my primary server and rsync’d it over to some location to get things up and running.
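
An added example, not part of the original post: a shell function that inventories every certificate file under a directory (following symlinks) with its expiry, subject and SHA-256 fingerprint, so an expired or unexpected certificate can be located and matched against the one a server presents. The function names, the `example.test` domain and the sample certificates are constructed for illustration.

```shell
#!/bin/sh
# scan_certs DIR [SECONDS]: print one line per certificate found under DIR:
#   STATUS|notAfter|subject|sha256-fingerprint|path
# STATUS is EXPIRED if the certificate is no longer valid SECONDS from
# now (default 0, i.e. already expired), otherwise OK.
scan_certs() {
    window=${2:-0}
    # -L follows symlinks, so linked copies of a certificate are listed too.
    find -L "$1" -type f \( -name '*.crt' -o -name '*.pem' -o -name '*.cer' \) |
    while IFS= read -r f; do
        # Skip private keys and anything else that is not an X.509 certificate.
        openssl x509 -in "$f" -noout 2>/dev/null || continue
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        end=$(openssl x509 -in "$f" -noout -enddate)
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256)
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            status=OK
        else
            status=EXPIRED
        fi
        printf '%s|%s|%s|%s|%s\n' "$status" "${end#notAfter=}" "$subject" "${fp#*=}" "$f"
    done
}

# make_sample_certs DIR: constructed test data, two self-signed certificates
# for the placeholder domain example.test (wildcard: 1 day, host: 365 days).
make_sample_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.example.test' \
        -keyout "$1/wildcard.key.pem" -out "$1/wildcard.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=gitlab.example.test' \
        -keyout "$1/gitlab.key.pem" -out "$1/gitlab.crt" 2>/dev/null
    ln -s "$1/wildcard.crt" "$1/linked-copy.crt"
}

# With no argument, run against the constructed samples, treating anything
# that expires within two days as EXPIRED so the short-lived one is flagged.
if [ $# -gt 0 ]; then
    scan_certs "$@"
else
    tmp=$(mktemp -d) && make_sample_certs "$tmp" && scan_certs "$tmp" 172800
    rm -rf "$tmp"
fi
```

Run with a directory argument (for example `/etc/gitlab`, as root) to scan real files; identical fingerprints on two paths mean the same certificate is stored or linked in both places.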