Hi,
we try to connect GitLab and Jira following the documentation [1]. Both have self-signed certificates (let’s encrypt or others are not possible unfortunately). We added the certificate from GitLab to the trust store on the Jira server which works. Then we followed the ssl guide [2] to add the certificate from Jira to GitLab but every time we commit with a Jira issue we see this in integrations_json.log:
{"severity":"ERROR","time":"2020-01-23T12:32:09.553Z","correlation_id":"b36bbe11-10a9-44f0-94ed-ec4009cfb368","service_class":"JiraService","project_id":30,"project_path":"test/jira","message":"Error sending message","client_url":"https://jira-test.intranet","error":"SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)"}
We put the whole chain (root certificate, the intermediate certificate and the host certificate) as individual .der files into /etc/gitlab/trusted-certs and checked if they are valid with
openssl x509 -inform DER -in /etc/gitlab/trusted-certs/example.der -text -noout
We checked /opt/gitlab/embedded/ssl/certs and deleted the trusted certificate directory hash:
rm /var/opt/gitlab/trusted-certs-directory-hash
We checked that the certificates do not contain the string TRUSTED.
We checked that perl is available and c_rehash works.
When we run gitlab-ctl reconfigure we don’t get any error or skipped messages but it won’t create any symlinks in /opt/gitlab/embedded/ssl/certs
Just to see if it would help we created the symlinks to the certificates manually with ln -s but when we commit we still get the error in the integration-log and no comments in Jira.
Is there something else we can do? Have we missed something?
Is it possible to configure GitLab to just ignore SSL certification warnings and continue with the integration?
Here the output when we check the certificate and run c_rehash and find that no error occured but no symlink was created:
root@gitlab:/etc/gitlab/trusted-certs# ls -la
total 12
drwxr-xr-x 2 root root 4096 Jan 23 15:40 .
drwxrwxr-x 4 root root 4096 Jan 23 12:30 ..
-rw-r--r-- 1 root root 2001 Jan 23 10:11 dettjira-test.der
root@gitlab:/etc/gitlab/trusted-certs# openssl x509 -inform DER -in dettjira-test.der
-----BEGIN CERTIFICATE-----
MIIHzTCCBbWgAwIBAgITUQAAGdkNTWhIFudapAABAAAZ2TANBgkqhkiG9w0BAQsF
ADBVMRMwEQYKCZImiZPyLGQBGRYDaWZtMRUwEwYKCZImiZPyLGQBGRYFaW50cmEx
JzAlBgNVBAMTHmlmbSBlbGVjdHJvbmljIGdtYmggSUNBMDEgLSBHMjAeFw0xOTA0
-snip-
3CDNnBYOjMUx14t/y6ACoEFkhFV4cHcrZLwPPeRfsnWSq7Kd+1+M5MrW5/qibb2o
eopRBPBH1RL0Uld2uYI7gpWXjQBL9rixT7B96BDT+Er8le2OdbgYd75RcZNisGdL
4xE4c6YD9qqLkDYveai8ZMIvgcdlxt85RrdoQ7FglUYu9CJfCTP4z5cg59YTren8
28XuApfu7aYAifJmEXQxv8rKXuZr3xs5pS9yvh9bP8ZH
-----END CERTIFICATE-----
root@gitlab:/etc/gitlab/trusted-certs# /opt/gitlab/embedded/bin/c_rehash /etc/gitlab/trusted-certs
Doing /etc/gitlab/trusted-certs
root@gitlab:/etc/gitlab/trusted-certs# ls -l /opt/gitlab/embedded/ssl/certs/
total 224
-rw-r--r-- 1 root root 147 Dec 9 14:23 README
-rw-r--r-- 1 root root 221488 Dec 3 12:13 cacert.pem
root@gitlab:/etc/gitlab/trusted-certs#
[1] https://docs.gitlab.com/ee/user/project/integrations/jira.html
[2] https://docs.gitlab.com/omnibus/settings/ssl.html#connecting-to-external-resources