Image registry setup issue (SSL)


I wanted to setup the Gitlab Omnibus Image registry on an on-premise system.

This is the config

  • Ubuntu 20.04
  • Gitlab 13.5.1

What I did until now

  1. Installed the certificates in /etc/gitlab/ssl (key + crt)
    The CRT contains what I think the chain of certificates (domain -> signing -> root = -> RapidSSL -> Digicert)

  2. First enabled ssl on the gitlab instance and reconfigured it

    Using the browser this works

Started to follow this procedure

  1. Set the registry_external_url ‘’ in gitlab rb to the correct domain (which is the same as the gitlab url but a different port = 5050)

  2. Reconfigured gitlab

  3. Executed the command to verify

openssl s_client -showcerts -servername -connect > cacert.pem

-> server addressed obviously replaced with the correct ones

Getting these errors:

verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *
verify error:num=21:unable to verify the first certificate
verify return:1

So it looks like there’s something wrong with the chain of certificates. Any advice on how to resolve this?
Is it something on the OS level I need to change or did I chain the certs incorrectly?

Thanks in advance for any help, much appreciated!


I managed to resolve the issue, to help others with similar problems let me explain the issues

  1. My certificate chain was not correcct
  2. Beside reconfigure the gitlab instance I had also to restart it.

This article helped me in understanding and validating the certificate chain:


1 Like