Hi all, new to the forum. I’ve been running a GitLab instance mostly trouble-free since about November 2021. I have several other sites which I host from a single WAN IP at my home, so I chose to run GitLab with SSL but on an alternate port number. I have the correct external URL and port specified in gitlab.rb, and everything worked until the end of February, when apparently a certificate…somewhere on the system expired.
The old certificate is a wildcard certificate for my domain (*.example.com), while the new one is specific to the subdomain for GitLab (gitlab.example.com). I’ve been working through the SSL documentation page, which told me to put the new certificate I generated on my primary webserver in the /etc/gitlab/trusted_certs/ folder, naming the file as something like “gitlab.example.com.crt”. I did this, the permissions are root:root, and I ran gitlab-ctl reconfigure, which didn’t throw any errors. I see the crt is now symlinked to another location, and all appears to be well, but I still get errors indicating that my wildcard certificate (NOT the one that is currently configured in GitLab) is expired.
Additionally, going through the troubleshooting steps, when I run
echo | /opt/gitlab/embedded/bin/openssl s_client -connect gitlab.example.com:8443
the command just times out. However, if I test the certificate using
/opt/gitlab/embedded/bin/openssl x509 -text -noout
I see the correct certificate.
So how do I find this wildcard certificate and delete it? Could it be that nginx is getting in the middle and causing issues? I can’t remember how I initially got all this working, as I don’t think I actually had a certificate in /etc/gitlab/trusted_certs before. I’m pretty sure I just found the wildcard certificate on my primary server and rsync’d it over to some location to get things up and running.
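An added example, not part of the original post: a small shell function that walks a directory, prints the subject and expiry date of every certificate file it finds, and flags the ones that are expired. The function name `list_certs`, the file-name patterns, and the use of whichever `openssl` is on the PATH are assumptions; `/etc/gitlab/ssl` in the usage comment is the Omnibus default location for the bundled NGINX certificate and is not mentioned in the post.

```shell
#!/bin/sh
# list_certs DIR [WINDOW_SECONDS]
# Prints one tab-separated line per certificate found under DIR:
#   STATUS  PATH  SUBJECT  NOTAFTER
# STATUS is OK, EXPIRED (WINDOW_SECONDS = 0, the default) or
# EXPIRING (the certificate ends within WINDOW_SECONDS from now).
list_certs() {
    dir=$1
    window=${2:-0}
    # Include symlinks: reconfigure symlinks trusted certs elsewhere.
    find "$dir" \( -type f -o -type l \) \
        \( -name '*.crt' -o -name '*.pem' -o -name '*.cer' \) 2>/dev/null |
    while IFS= read -r f; do
        # Skip anything that is not a parseable X.509 certificate
        # (private keys, CSRs, dangling symlinks).
        subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) || continue
        enddate=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null)
        # -checkend N exits 0 only if the cert is still valid N seconds from now.
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            status=OK
        elif [ "$window" -eq 0 ]; then
            status=EXPIRED
        else
            status=EXPIRING
        fi
        printf '%s\t%s\t%s\t%s\n' "$status" "$f" "$subject" "$enddate"
    done
}

# Usage (paths are assumptions, adjust to the installation):
#   list_certs /etc/gitlab/ssl
#   list_certs /etc/gitlab/trusted_certs 2592000   # ending within 30 days
```

A line whose subject shows `*.example.com` with status `EXPIRED` identifies the stale wildcard file by path.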