LDAP::Error: SSL_connect - certificate verify failed

For the life of me, I can’t find my problem. I could use a sanity check to see if I am missing something.

I am connecting gitlab-ce to an AD box over ldap. The AD box contains our CA and Sub-CA. I have imported the certs for both into /etc/gitlab/trusted-certs. Here are some files and various outputs (changed some info to preserve private information):

NOTE: secure ldap searches over 636 return with success (actual ldap search command removed to sanitize):

# search result
search: 2
result: 0 Success
# numResponses: 1

Error on the webpage when trying to log in with an AD user

Could not authenticate you from Ldapmain because "Ssl connect returned=1 errno=0 state=error: certificate verify failed".

gitlab-rake gitlab:ldap:check

Checking LDAP ...

Server: ldapmain
rake aborted!
Net::LDAP::Error: SSL_connect returned=1 errno=0 state=error: certificate verify failed
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/auth/ldap/adapter.rb:11:in `open'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:355:in `block in check_ldap'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:351:in `each'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:351:in `check_ldap'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:340:in `block (3 levels) in <top (required)>'
/opt/gitlab/embedded/bin/bundle:23:in `load'
/opt/gitlab/embedded/bin/bundle:23:in `<main>'
Tasks: TOP => gitlab:ldap:check
(See full trace by running task with --trace)

/etc/gitlab/gitlab.rb

external_url 'https://gitlab.myco.com'
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_host'] = 'dc1.myco.com'
gitlab_rails['ldap_port'] = '636'
gitlab_rails['ldap_uid'] = 'sAMAccountName'
gitlab_rails['ldap_method'] = 'ssl'
gitlab_rails['ldap_bind_dn'] = 'CN=MyUser,OU=MyOU,DC=myco,DC=com'
gitlab_rails['ldap_password'] = 'MySecret'
gitlab_rails['ldap_allow_username_or_email_login'] = 'true'
gitlab_rails['ldap_base'] = 'DC=myco,DC=com'
gitlab_rails['ldap_active_directory'] = 'true'
gitlab_rails['ldap_group_sync_worker_cron'] = "0 7 1 * *"
gitlab_rails['trusted_certs'] = '/root/src/gitlab/certs'
gitlab_rails['env'] = {"SSL_CERT_DIR" => "/root/src/gitlab/certs/"}
unicorn['worker_timeout'] = 120
unicorn['worker_processes'] = 5
nginx['enable'] = true
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.cer"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key"
nginx['ssl_protocols'] = "TLSv1.2"
letsencrypt['contact_emails'] = ['admin@myco.com'] # Optional
letsencrypt['enable'] = false

Contents of /etc/gitlab/trusted-certs

lrwxrwxrwx 1 root root   22 Jun 20 15:30 5e2b517b.0 -> IssuingCA-MYSUBCA.cer
lrwxrwxrwx 1 root root   14 Jun 20 15:30 a0fa321b.0 -> MYRoot-CA.cer
-rwxr-xr-x 1 root root 2032 Dec 30  2015 IssuingCA-MYSUBCA.cer
-rwxr-xr-x 1 root root 1178 Dec 30  2015 MYRoot-CA.cer

openssl s_client -verify 2 -connect dc1.myco.com:636

I admit I don’t know what I am looking for here, but it looks good as near as I can tell.

verify depth is 2
CONNECTED(00000003)
depth=2 CN = MYRoot-CA
verify return:1
depth=1 DC = com, DC = myco, CN = IssuingCA-MYSUBCA
verify return:1
depth=0
verify return:1
---
Certificate chain
 0 s:
   i:/DC=com/DC=myco/CN=IssuingCA-MYSUBCA
 1 s:/DC=com/DC=myco/CN=IssuingCA-MYSUBCA
   i:/CN=MYRoot-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MII . . . . . more cert info here . . . . 
Uc2bcsXeFA==
-----END CERTIFICATE-----
subject=
issuer=/DC=com/DC=myco/CN=IssuingCA-MYSUBCA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3601 bytes and written 483 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 3C3000003E359E1F506CCCB8F8C480318345676C7F66591C360AF1645FB2BD9E
    Session-ID-ctx:
    Master-Key: 79DFD05B9AA85651B4B4BFB63B6100123B122FE03B1BF1B07A2713513969EFD95E0B6BD334B3905D95B2BAB480E46A21
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1529533884
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I moved to insecure LDAP because I was tired of messing with this.

IIRC openssl uses a different certificate verify method than the LDAP connection itself does.
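An added check, written for this thread and not taken from it or from GitLab, that reproduces in Ruby (the language GitLab's Net::LDAP client runs on) the two steps a TLS client performs on the DC certificate: chain validation against the trusted CAs, then matching the host name against the certificate. The `openssl s_client -verify 2` run in the question only does the first; the depth=0 certificate there has an empty subject, so only a subjectAltName entry can satisfy the second. The PKI below (MYRoot-CA, IssuingCA-MYSUBCA, dc1.myco.com) is constructed in code to mirror the thread's names and is an assumption, not the poster's real certificates.

```ruby
require 'openssl'

# Returns [true, 'ok'] or [false, reason] for a server certificate `leaf`
# presented together with `intermediates`, checked against the CA certs the
# client trusts and then against the expected host name. A plain
# `openssl s_client -verify` run stops after the first of these two checks.
def verify_ldap_cert(leaf, intermediates, trusted_cas, hostname)
  store = OpenSSL::X509::Store.new
  # On a real box this would be store.add_path('/etc/gitlab/trusted-certs'),
  # which is what the hashed symlinks (5e2b517b.0 -> ...) in that directory are for.
  trusted_cas.each { |ca| store.add_cert(ca) }
  return [false, "chain: #{store.error_string}"] unless store.verify(leaf, intermediates)
  return [false, 'hostname mismatch'] unless OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
  [true, 'ok']
end

# Mint a v3 certificate; `subject` is an X509::Name and may be empty, as the
# depth=0 certificate in the thread is.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, sans: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = subject
  cert.issuer = issuer_cert ? issuer_cert.subject : subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', sans)) if sans
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed test PKI mirroring the thread: MYRoot-CA -> IssuingCA-MYSUBCA -> DC.
# The DC certificate has an empty subject, so only its SAN can match the host name;
# `no_san` is the same certificate without one.
def demo_pki
  root_key, sub_key, dc_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert(OpenSSL::X509::Name.new([['CN', 'MYRoot-CA']]), root_key, ca: true)
  sub_name = OpenSSL::X509::Name.new([['DC', 'com'], ['DC', 'myco'], ['CN', 'IssuingCA-MYSUBCA']])
  sub = make_cert(sub_name, sub_key, issuer_cert: root, issuer_key: root_key, ca: true)
  empty = OpenSSL::X509::Name.new
  dc = make_cert(empty, dc_key, issuer_cert: sub, issuer_key: sub_key, sans: 'DNS:dc1.myco.com')
  no_san = make_cert(empty, dc_key, issuer_cert: sub, issuer_key: sub_key)
  { root: root, sub: sub, dc: dc, no_san: no_san }
end
```

Run `verify_ldap_cert(pki[:dc], [pki[:sub]], [pki[:root]], 'dc1.myco.com')` on the demo PKI to see both checks pass, and swap in `pki[:no_san]` or a different host name to see which of the two reasons comes back.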

I disabled my ssl_verify because I was sick of looking at it. Only a few people use the system anyway.

Hello everybody,

I am facing the same issue.
Upgrade from 10.7.3 to 10.8.0 (Omnibus on Ubuntu).

Where exactly did you disable this?