Hi, I’m not sure I chose the right forum but I’m running into an issue with GitLab not applying the SSL certs I specified in my config file. I have the following NGINX parameters set:
################
# GitLab Nginx #
################
## see: https://gitlab.com/gitlab-org/omnibus-gitlab/tree/<redacted>/doc/settings/nginx.md
nginx['enable'] = true
nginx['listen_addresses'] = ['redacted']
# nginx['enable'] = true
# nginx['client_max_body_size'] = '250m'
nginx['redirect_http_to_https'] = true
# nginx['redirect_http_to_https_port'] = 443
# nginx['ssl_client_certificate'] = '/etc/gitlab/ssl/chained.crt'
nginx['ssl_certificate'] = "/etc/letsencrypt/certs/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/certs/privkey.pem"
# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
# nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
nginx['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
# nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem
# nginx['listen_addresses'] = ['*']
# nginx['listen_port'] = 80 # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#settin
g-the-nginx-listen-port
# nginx['listen_https'] = false # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/ma
ster/doc/settings/nginx.md#supporting-proxied-ssl
# nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
# nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
# nginx['proxy_read_timeout'] = 300
# nginx['proxy_connect_timeout'] = 300
None of the SSL parameters in this config file work and I have to rely on a fully chained cert file in the /etc/gitlab/trusted-certs/ folder to make the SSL work. If I try to update this chained cert file, I get an issue stating the private keys in my /etc/gitlab/ssl folder are invalid. I’m not sure what takes precedence here. The certs in these folders or the options in my config file. I see a number of potential solutions however since I’m on GitLab 11.10, I’m not sure the other solutions running older GitLab versions would work. Is there anything here I should try or do next?
PS: Yes the certs specified in my config file are in a valid (customized) location I created, so that shouldn’t be an issue.