We are setting up a self-managed GitLab instance for the first time.
We already have a MinIO S3-compatible storage in our datacenter which we would like to use for GitLab backups and maybe later object storage. This MinIO instance has a self-signed certificate, and this seems to be the root of our issue.

In gitlab.rb we’ve configured the connection to MinIO.

But when we run “gitlab-backup create”, at the end it shows an error that it is unable to verify the certificate.

Excon::Error::Certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate signature failure) (OpenSSL::SSL::SSLError) Unable to verify certificate. This may be an issue with the remote host or with Excon. Excon has certificates bundled, but these can be customized:
`Excon.defaults[:ssl_ca_path] = path_to_certs`
`ENV['SSL_CERT_DIR'] = path_to_certs`
`Excon.defaults[:ssl_ca_file] = path_to_file`
`ENV['SSL_CERT_FILE'] = path_to_file`
`Excon.defaults[:ssl_verify_callback] = callback`
                (see OpenSSL::SSL::SSLContext#verify_callback)
`Excon.defaults[:ssl_verify_peer] = false` (less secure).
/opt/gitlab/embedded/service/gitlab-rails/lib/backup/manager.rb:310:in `upload'
/opt/gitlab/embedded/service/gitlab-rails/lib/backup/manager.rb:63:in `create'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/backup.rake:12:in `block (3 levels) in <top (required)>'
/opt/gitlab/embedded/bin/bundle:23:in `load'
/opt/gitlab/embedded/bin/bundle:23:in `<main>'

Would expect the backup to be copied to the MinIO bucket.

Also, no idea where the environment settings mentioned in the error should be set. They are not present in gitlab.rb.

GitLab self-managed 15.0.2

We’ve put the CA and the intermediate and issuer CAs in /etc/pki/ca-trust/source/anchors/ and then ran update-ca-trust.

We’ve put the CAs in /etc/gitlab/trusted-certs and ran gitlab-ctl reconfigure as mentioned in: SSL Configuration | GitLab

None of the steps solved anything.

Issue seems resolved. The issue was not so much GitLab config but our MinIO had some inconsistency with its certificate. In our case the chain used in MinIO was not correct. How this managed to translate into errors in GitLab is not clear to me. Other applications that were using MinIO did not seem to bother.

Renewing the certificate and adding the correct chain in MinIO solved it for us.

Putting the self-signed root CA in /etc/pki/ca-trust/source/anchors/ and then running update-ca-trust seems to be enough to trust the CA generally.
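
One way an incorrect server chain produces exactly this "certificate signature failure" even when the root CA is trusted, shown as an added example that is not part of the original post and is not GitLab or MinIO code. It builds a constructed root, issuing CA and leaf in memory with Ruby's OpenSSL bindings (the same library Excon uses); all names, including `minio.example.internal`, are constructed, and the re-keyed intermediate is an assumed cause, not the poster's confirmed one.

```ruby
require "openssl"

# Constructed throwaway PKI, generated in memory (not the poster's certificates).
def make_cert(cn, key, issuer_cert, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Verify the leaf against a trust store holding only the root, together with
# the intermediates the server would send. Returns OpenSSL's verdict string.
def chain_verdict(root, leaf, sent_intermediates)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.verify(leaf, sent_intermediates)
  store.error_string
end

def demo_verdicts
  root_key, int_key, stale_key, leaf_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert("Constructed Root CA", root_key, nil, root_key, ca: true, serial: 1)
  int = make_cert("Constructed Issuing CA", int_key, root, root_key, ca: true, serial: 2)
  # Same subject name as the real issuing CA but a different key pair, e.g. an
  # intermediate left in the server's chain file after the CA was re-keyed.
  stale = make_cert("Constructed Issuing CA", stale_key, root, root_key, ca: true, serial: 3)
  leaf = make_cert("minio.example.internal", leaf_key, int, int_key, ca: false, serial: 4)
  {
    correct_chain: chain_verdict(root, leaf, [int]),
    wrong_intermediate: chain_verdict(root, leaf, [stale]),
    missing_intermediate: chain_verdict(root, leaf, []),
  }
end

demo_verdicts.each { |name, verdict| puts "#{name}: #{verdict}" } if $PROGRAM_NAME == __FILE__
```

A signature failure means a chain was built by name but a signature did not check out against the issuer's key, so adding CAs to the client trust store cannot fix it; the chain the server presents has to be corrected.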