Problem while removing projects

How to Use GitLab
1

Hello,

During the last gitlab update from the version 9.4.6 to 10.1.1 we have problem with SSL validation while removing projects.

But let’s start from the beginning. After the updating, LDAP authentication stopped works correctly and login attempt ended with communication:
SSL_connect returned=1 errno=0 state=error: certificate verify failed

Ok, that is fine. We fixed this problem by adding option: “verify_certificates: false” in configuration file. Yes, I know. It doesn’t solve the main problem but login started works like before.
Two days later, we tried to remove one of the existing project and following information has surprised us:
This project was scheduled for deletion, but failed with the following message: SSL_connect returned=1 errno=0 state=error: certificate verify failed

Current settings:
GitLab 10.1.1
GitLab Shell 5.9.3
GitLab Workhorse v3.2.0
GitLab API v4
Gitaly 0.43.1
Git 2.13.6
Ruby 2.3.5p376
Rails 4.2.8
postgresql 9.6.5

We also use external nginx ( as reverse proxy ) where SSL works correctly.

So my question is, if gitlab with external nginx needs any SSL for his purposed? How I can debug where is a problem?

Thank you in advance for your opinion and help.

2

@witcher Please could you provide some more information about the environment where you have noticed the problem:

  • Run a diagnostic check of GitLab and it’s components:
sudo gitlab-rake gitlab:check
  • Gather GitLab specific environment information:
sudo gitlab-rake gitlab:env:info

Thanks!

3

Hi @markglenfletcher, Thank you for your answer. Here you have all information ( few lines a had to remove because of company policy )

gitlab-rake gitlab:check
Checking GitLab Shell ...

GitLab Shell version >= 5.9.3 ? ... OK (5.9.3)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:root, or git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
[ covered because of the company policy ]

Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK

Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Reply by email is disabled in config/gitlab.yml
Checking LDAP ...

Server: ldapmain
not verifying SSL hostname of LDAPS server '[ covered because of the company policy ]'
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
	[ covered because of the company policy ]
	
	Checking LDAP ... Finished

Checking GitLab ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... no
  Try fixing it:
  sudo chown -R git /var/opt/gitlab/gitlab-rails/uploads
  sudo find /var/opt/gitlab/gitlab-rails/uploads -type f -exec chmod 0644 {} \;
  sudo find /var/opt/gitlab/gitlab-rails/uploads -type d -not -path /var/opt/gitlab/gitlab-rails/uploads -exec chmod 0700 {} \;
  For more information see:
  doc/install/installation.md in section "GitLab"
  Please fix the error above and rerun the checks.
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
[ covered because of the company policy ]


gitlab-rake gitlab:env:info

System information
System:
Current User:   git
Using RVM:      no
Ruby Version:   2.3.5p376
Gem Version:    2.6.13
Bundler Version:1.13.7
Rake Version:   12.1.0
Redis Version:  3.2.5
Git Version:    2.13.6
Sidekiq Version:5.0.4
Go Version:     unknown

GitLab information
Version:        10.1.1
Revision:       cc27e5f
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     postgresql
URL:            https://[ covered because of the company policy ]/gitlab
HTTP Clone URL: https://[ covered because of the company policy ]/some-group/some-project.git
SSH Clone URL:  git@[ covered because of the company policy ]some-project.git
Using LDAP:     yes
Using Omniauth: no

GitLab Shell
Version:        5.9.3
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
Hooks:          /opt/gitlab/embedded/service/gitlab-shell/hooks
Git:            /opt/gitlab/embedded/bin/git
4

Though the post is old, I hope this may be helpful to somebody.
We have been plagued by this issue for several weeks now and we couldn’t find the endpoint with the expired certificate until we remembered the integrated container registry we abandoned a long time ago. Our gitlab.rb still contained the configuration for the container registry including the expired certificate. Removing the configuration and deactivating the registry (or if required setting a new valid cert) should solve the issue.

1 Like
5

Hi @stephan.besser and welcome to the GitLab forum!

Thanks so much for sharing your answer here. Even if the post was old, this should be really helpful for anyone facing the same issue.