Hello,
Ultimately, I want to set up GitLab with a more official SSL Certificate using a private CA. This is part of a larger effort where we want to start doing proper certs across our network, hence the CA server. Most of our network is closed, including this GitLab server.
Some other info:
- We’re on AWS Cloud using EC2 instances for both the CA server and GitLab server. Both on Ubuntu 24.
- We are NOT looking for a workaround. We want to use the correct working solutions, using our CA.
- I’m trying to use ED25519, sha389, since it’s supposedly the best encryption right now
After spending hours upon hours of fighting this and loads of research, I keep getting variations of the following:
- Verify return code: 21 (unable to verify the first certificate)
- Verify return code: 19 (self-signed certificate in certificate chain)
Instructions I followed from these sources:
General stuff I’ve done:
- Create the CA server and install easy-rsa
- On the GitLab Ubuntu server:
  - openssl genpkey -algorithm ED25519 > <DNS_NAME>.key
  - Created openssl-25519.cnf and set a bunch of variables
  - openssl req -new -out <DNS_NAME>.csr -key <DNS_NAME>.key -config openssl-25519.cnf
- Copied the CSR to the CA
- On the CA server, ran ./easyrsa import-req /path/to/<DNS_NAME>.csr <DNS_NAME>
- Then ran: ./easyrsa sign-req server <DNS_NAME>
- Grabbed the CA root cert and the generated gitlab domain cert and copied them to the gitlab server
- Installed the CA root cert on my windows machine, in local users, trusted certs store
- On the GitLab server, I put the CA root cert in /etc/ca-certificates, then ran sudo update-ca-certificates
- Also copied the CA root cert to /etc/gitlab/trusted-certs
- Copied the freshly signed gitlab cert to /ets/gitlab/ssl
- Tried converting the gitlab cert to a bundle, adding the CA cert on the bottom, and it just went from one error to another error (the errors above)
- Updated /etc/gitlab/gitlab.rb
  - letsencrypt['enable'] = false # This seems to make no difference so I commented it back out
  - nginx['ssl_ciphers'] = # Uncommented and added TLS_AES_256_GCM_SHA384
  - external_url 'https://<DNS_NAME>'
- There are various other settings in gitlab.rb I’ve read around, like setting the path to the cert file and cert key. All of them make ZERO DIFFERENCE, so I ended up leaving them commented out. We prefer the cleanest minimal solution needed.
- For each test, I ran “gitlab-ctl reconfigure; gitlab-ctl restart”
- For faster debugging, I’ve been running: echo Q | openssl s_client -showcerts -verify 5 -connect <DOMAIN_NAME>:443
Any help is much appreciated! I imagine SOMEONE out there got a private CA with gitlab to work at some point!
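An added example, not part of the post above: a small POSIX shell script that builds the leaf-then-CA bundle GitLab's bundled nginx serves from /etc/gitlab/ssl/<DNS_NAME>.crt and checks it offline (chain verifies against the CA, private key matches the leaf, and the same bundle is rejected when only the default trust store is consulted, which is what s_client reports as verify return code 19 or 21 when it is not given -CAfile). The CA name and host name are constructed placeholders; it assumes only the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the original post): build the bundle GitLab's nginx
# expects and verify it the way a client would, before touching gitlab.rb.
# Assumes the openssl CLI; the CA and host names below are constructed.
set -eu

# build_bundle LEAF CA OUT: leaf first, issuer after (nginx sends the file as-is).
build_bundle() { cat "$1" "$2" > "$3"; }

# verify_chain CA BUNDLE: 0 if the first cert in BUNDLE chains to CA.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1; }

# verify_default_store BUNDLE: same check against the system trust store only.
# A private CA that is not installed there fails here; s_client shows the same
# failure as verify return code 19 or 21 when run without -CAfile.
verify_default_store() { openssl verify -untrusted "$1" "$1" >/dev/null 2>&1; }

# key_matches_cert KEY CERTFILE: 0 if KEY's public key equals the first cert's.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# demo: constructed throwaway Ed25519 CA and server cert in a temp dir.
# Returns 0 when the bundle chains to its CA, the key matches the leaf, and
# the default store (which does not know this CA) rejects the bundle.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey ed25519 -nodes -subj "/CN=Example Private CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" -days 1 2>/dev/null
  openssl genpkey -algorithm ED25519 -out "$d/leaf.key"
  openssl req -new -key "$d/leaf.key" -subj "/CN=gitlab.example.internal" \
    -out "$d/leaf.csr"
  # SAN via -extfile, since a CSR's extensions are not copied by default
  printf 'subjectAltName=DNS:gitlab.example.internal\n' > "$d/ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/ext" -out "$d/leaf.crt" 2>/dev/null
  build_bundle "$d/leaf.crt" "$d/ca.crt" "$d/fullchain.crt"
  ok=1
  verify_chain "$d/ca.crt" "$d/fullchain.crt" || ok=0
  key_matches_cert "$d/leaf.key" "$d/fullchain.crt" || ok=0
  verify_default_store "$d/fullchain.crt" && ok=0
  rm -rf "$d"
  [ "$ok" = 1 ]
}

demo && echo "OK: bundle chains to CA, key matches leaf, default store rejects it as expected"
```

Against real files, `verify_chain ca.crt /etc/gitlab/ssl/<DNS_NAME>.crt` and `key_matches_cert /etc/gitlab/ssl/<DNS_NAME>.key /etc/gitlab/ssl/<DNS_NAME>.crt` separate a bundle or key problem on the server from a trust-store problem on the client.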