Self-hosted GitLab with Private CA

Hello,

Ultimately, I want to set up GitLab with a more official SSL Certificate using a private CA. This is part of a larger effort where we want to start doing proper certs across our network, hence the CA server. Most of our network is closed, including this GitLab server.

Some other info:

  • We’re on AWS Cloud using EC2 instances for both the CA server and GitLab server. Both on Ubuntu 24.
  • We are NOT looking for a workaround. We want to use the correct working solutions, using our CA.
  • I’m trying to use ED25519, sha389, since it’s supposedly the best encryption right now

After spending hours upon hours of fighting this and loads of research, I keep getting variations of the following:

  • Verify return code: 21 (unable to verify the first certificate)
  • Verify return code: 19 (self-signed certificate in certificate chain)

Instructions I followed from these sources:

General stuff I’ve done:

  • Create the CA server and install easy-rsa
  • On the GitLab Ubuntu server:
  • openssl genpkey -algorithm ED25519 > <DNS_NAME>.key
  • Created openssl-25519.cnf and set a bunch of variables
  • openssl req -new -out <DNS_NAME>.csr -key <DNS_NAME>.key -config openssl-25519.cnf
  • Copied the CSR to the CA
  • On the CA server, ran ./easyrsa import-req /path/to/<DNS_NAME>.csr <DNS_NAME>
  • Then ran: ./easyrsa sign-req server <DNS_NAME>
  • Grabbed the CA root cert and the generated gitlab domain cert and copied them to the gitlab server
  • Installed the CA root cert on my windows machine, in local users, trusted certs store
  • On the GitLab server, I put the CA root cert in /etc/ca-certificates, then ran sudo update-ca-certificates
  • Also copied the CA root cert to /etc/gitlab/trusted-certs
  • Copied the freshly signed gitlab cert to /etc/gitlab/ssl
  • Tried converting the gitlab cert to a bundle, adding the CA cert on the bottom, and it just went from one error to another error (the errors above)
  • Updated /etc/gitlab/gitlab.rb
  • letsencrypt['enable'] = false # This seems to make no difference so I commented it back out
  • nginx['ssl_ciphers'] = # Uncommented and added TLS_AES_256_GCM_SHA384
  • external_url 'https://<DNS_NAME>'
  • There are various other settings in gitlab.rb I’ve read about, like setting the path to the cert file and cert key. All of them make ZERO DIFFERENCE, so I ended up leaving them commented out. We prefer the cleanest minimal solution needed.
  • For each test, I ran “gitlab-ctl reconfigure; gitlab-ctl restart”
  • For faster debugging, I’ve been running: echo Q | openssl s_client -showcerts -verify 5 -connect <DOMAIN_NAME>:443

Any help is much appreciated! I imagine SOMEONE out there got a private CA with gitlab to work at some point!

Managed to get it working! Posting an update in case it helps anyone else.

The final trick was that the algorithm I was using is simply not supported by GitLab. And that’s not documented anywhere; I just kinda guessed. The older RSA:2046 cipher is significantly more backwards compatible with ancient systems. My “openssl genpkey” command from above had to be changed to this:

  • openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 > <DNS_NAME>.key
  • Also, the root CA cert only has to be installed on the machine, not inside GitLab. To do this, put it in /usr/local/share/ca-certificates/<cert_name>.crt, then run sudo update-ca-certificates
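Added example, not part of the original post or of GitLab's or easy-rsa's own tooling: the issuance steps from the question and the RSA 2048 key from the update, carried out with plain openssl in a scratch directory so the chain can be checked offline before anything is copied to the GitLab server. A self-signed root generated here stands in for the easy-rsa CA (an assumption; `easyrsa sign-req server` produces an equivalent leaf), and the constructed hostname `gitlab.example.internal` stands in for `<DNS_NAME>`. It builds the leaf-then-CA bundle nginx serves and then runs `openssl verify` both with and without the CA file, which is the local analogue of the `s_client` checks above: the same leaf passes when the issuer is trusted and fails when it is not, which is what separates a broken certificate from a missing trust anchor.

```shell
#!/bin/sh
# Added example: private-CA issuance and chain check with plain openssl.
# The root CA here stands in for easy-rsa (assumption); hostname is constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="gitlab.example.internal"   # constructed, stands in for <DNS_NAME>

# 1. Private root CA: RSA 2048 key and a self-signed cert with CA:TRUE.
make_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/ca.key" 2>/dev/null
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -out "$WORK/ca.crt"
}

# 2. Server key (RSA 2048, as in the update) and a CSR carrying a SAN.
make_server_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$HOST.key" 2>/dev/null
  cat > "$WORK/server.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $HOST
[v3_req]
subjectAltName = DNS:$HOST
EOF
  openssl req -new -key "$WORK/$HOST.key" -config "$WORK/server.cnf" \
    -out "$WORK/$HOST.csr"
}

# 3. Sign the CSR as a server cert and build the bundle nginx serves:
#    leaf first, issuing CA after it.
sign_server() {
  cat > "$WORK/server_ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
  openssl x509 -req -in "$WORK/$HOST.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/server_ext.cnf" \
    -out "$WORK/$HOST.crt" 2>/dev/null
  cat "$WORK/$HOST.crt" "$WORK/ca.crt" > "$WORK/$HOST.fullchain.crt"
}

# Succeeds when the leaf validates against the private CA.
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$HOST.crt" >/dev/null 2>&1
}

# Succeeds when the SAME leaf is rejected once the CA is not trusted:
# the "unable to verify / self-signed in chain" situation is a trust-store
# problem on the verifying side, not a defect in the certificate.
fails_without_ca() {
  if openssl verify -no-CAfile -no-CApath "$WORK/$HOST.crt" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Succeeds when the leaf carries the expected SAN and an RSA public key.
leaf_looks_right() {
  openssl x509 -in "$WORK/$HOST.crt" -noout -text | grep -q "DNS:$HOST" || return 1
  openssl x509 -in "$WORK/$HOST.crt" -noout -text | grep -q "Public Key Algorithm: rsaEncryption"
}

# Succeeds when the private key and the cert share the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/$HOST.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/$HOST.crt" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

# Number of PEM certificates in the served bundle (leaf + CA = 2).
chain_cert_count() {
  grep -c "BEGIN CERTIFICATE" "$WORK/$HOST.fullchain.crt"
}

run_all() {
  make_ca && make_server_csr && sign_server
}

run_all
echo "leaf: $WORK/$HOST.crt  key: $WORK/$HOST.key  bundle: $WORK/$HOST.fullchain.crt"
```

Once `verify_with_ca` passes locally, the bundle and key are what go into /etc/gitlab/ssl, the CA cert is what goes through `update-ca-certificates` on each client, and the `echo Q | openssl s_client -showcerts -connect <DOMAIN_NAME>:443` check from the question should then report a verify return code of 0 on a machine that trusts the CA.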