Server certificate verification failed CAfile: /etc/ssl/certs/ca-certificates.cr

Hi All

Running our own GitLab server and it has been fine until Let's Encrypt changed at the end of September.

Trying to run a git push, we receive the error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

The LE cert does not run out for 43 days and if I use the sslshopper website to check the certificate, this all comes back fine and does not show any issues, unlike our Zimbra boxes that do show an issue with the cert. I have tried to renew in case this resolved the issue, trying gitlab-ctl reconfigure & gitlab-ctl renew-le-certs, but nothing has changed.

Any advice here would be great, thanks

Hi,

Just out of interest, does the ca-certificates package on the machines you are trying to push from need updating? Also maybe check if it needs to be updated on the GitLab server as well, since an update was released when the LE errors started due to the CA cert expiry at the end of September.

I have a similar error when attempting fetch/push with Atom Editor, since the last version released was about June time, and it also gives a similar certificate error, because it doesn't know about the new LE CA cert and only knows that the old one has expired.

I did also try doing:

certbot renew --force-renewal

on my GitLab server, thinking that might help, but the same occurred. You can try force renewing, since the LE certs are valid for 3 months; mine was due to expire in the middle of December, which meant it was valid from mid September, before the CA cert expired. To be honest, I'm not entirely sure if the cert generated in the middle of September was on the old CA or the new one. But a force renewal wouldn't hurt anyway. Mine now goes from mid October to mid January after the force renewal.

Thanks.

I did try certbot renew --force-renewal on the git server but it just responded with -bash: certbot: command not found

I have removed the old CA on the git server. The machine doing the pushing has a valid paid-for certificate and has ISRG_Root_X1.pem in the /etc/ssl/certs folder.

Ah, maybe yours is doing it differently, since GitLab also has a /opt/gitlab/embedded/service/omnibus-ctl/letsencrypt.rb file which does the renewal inside of GitLab. I set mine up separately, hence I have the certbot command. So you probably have something in your gitlab.rb like in the LE section here: Configure SSL for a Linux package installation | GitLab

Therefore:

gitlab-ctl renew-le-certs

Not sure if there is an option to force renewal with this command, but I'll update my post if I find it.

EDIT: this should help: Configure SSL for a Linux package installation | GitLab

To force it sooner, run the following:

rm /etc/gitlab/ssl/HOSTNAME*
gitlab-ctl reconfigure

So you can try that if renew-le-certs doesn't want to do it.

Thanks.

Did a force update and the cert in sslshopper still shows as correct and at 89 days to renewal. Still getting the same error from the client Debian box.

Have run the following to make sure it's up to date, but still the same error:
update-ca-certificates
apt-cache policy ca-certificates

Thanks

Your CA certs seem to be outdated. If possible, update the package or your distro.

If this is not possible, save the LE X1 CA certificate with a .crt extension to
"/usr/local/share/ca-certificates" and run update-ca-certificates as root.

More info:
https://manpages.debian.org/jessie/ca-certificates/update-ca-certificates.8.en.html
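An added example, not posted by anyone in this thread: a standard-library Python 3 script that checks the exact bundle named in the git error for the Let's Encrypt root transition (ISRG Root X1 present and unexpired, DST Root CA X3 still present but expired) and can optionally run the same TLS handshake a git push performs against the GitLab host. The bundle path comes from the error message above; the host name on the command line is a placeholder you supply.

```python
import socket
import ssl
import sys
import time

# The bundle named in the git error message on Debian/Ubuntu.
CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
REQUIRED_ROOT = "ISRG Root X1"    # root that current Let's Encrypt chains anchor to
EXPIRED_ROOT = "DST Root CA X3"   # root that expired on 30 September 2021

def common_name(cert):
    """Pull commonName out of the subject tuple-of-tuples that the ssl module returns."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def audit_roots(ca_certs, now=None):
    """Inspect root cert dicts (as from SSLContext.get_ca_certs()): is ISRG Root X1
    present and unexpired, and is the expired DST Root CA X3 still in the store?"""
    now = time.time() if now is None else now
    report = {"has_isrg_root_x1": False, "has_expired_dst_root": False, "roots": len(ca_certs)}
    for cert in ca_certs:
        cn = common_name(cert)
        expires = ssl.cert_time_to_seconds(cert["notAfter"])
        if cn == REQUIRED_ROOT and expires > now:
            report["has_isrg_root_x1"] = True
        elif cn == EXPIRED_ROOT and expires <= now:
            report["has_expired_dst_root"] = True
    return report

def load_bundle(path=CA_BUNDLE):
    """Load the system bundle the way git's libcurl/OpenSSL does and list its roots."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()

def probe_server(host, port=443, cafile=CA_BUNDLE):
    """Run the handshake git push performs; report why verification failed, if it did."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "leaf_cn": common_name(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": exc.verify_message}

if __name__ == "__main__":
    print(audit_roots(load_bundle()))
    if len(sys.argv) > 1:   # usage: python3 check_le_roots.py gitlab.example.com (placeholder host)
        print(probe_server(sys.argv[1]))
```

A store that reports has_isrg_root_x1 False is the situation the last post describes, and the fix is the ca-certificates update or the manual .crt install it gives.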