SSL Certificate Problem when cloning, even though site itself appears fine

We have a Gitlab instance hosted on one of our own servers, we are using the bundled NGINX webserver, have set up ssl, and can currently visit the website and all seems to be okay (browsers recognize the site as secure, we can log in/create repos/etc).

However, when I try to clone a repo to my machine, I get the dreaded
SSL certificate problem: unable to get local issuer certificate

In the gitlab.rb file we have configured the following, where <ourdomain> is replaced by our domain. These files exist where the configuration is pointing to and are valid/matching (they work on our other sites and even Gitlab in the browser seems to think they are fine).

nginx['ssl_client_certificate'] = "/etc/gitlab/trusted-certs/DigiCertCA.crt"
...
nginx['ssl_certificate'] = "/etc/gitlab/ssl/<ourdomain>.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/<ourdomain>.key"

Is there some additional configuration before we are allowed to clone and work in this server? Many other places online say to turn off ssl verification, but we don’t want to do that. Most of the people working in our repositories have also only ever used git through https and haven’t ever had to deal with generating SSH keys, so I would like if it could continue to work this way.

I’ll also note, after reading a post on StackExchange, I tried using this ssl checker, which reported the following, even though visiting the site from a browser does not complain about any insecurities.

No SSL certificates were found on delta.k20center.ou.edu. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server’s firewall.

Hi,

I expect it’s a configuration issue. The ssl_client_certificate option I don’t use. You only need the other two, but what you have to do is combine your SSL certificate with the intermediate certificates. Similar to how you do it with nginx normally. The ordering you can usually find out from the place you bought it from, but normally it is the certificate first, then the CA chain. This is what should be in /etc/gitlab/ssl/ourdomain.crt. Then reconfigure and all should be fine.

I’m wondering if you just have only the certificate in ourdomain.crt and are attempting to use the CA chain in DigiCertCA.crt instead of combining it. That is probably why it’s not working properly.

Ian, thank you!

What threw me off was the .crt extension in all the documentation and examples I saw. I’m used to a certificate having a .pem extension when they are bundled like that. I’m sure the extension doesn’t really matter all that much when it’s processed, but I did think it was strange that this was the one NGINX server I was hosting that wasn’t using our bundled certificate.

Aside to anyone having the same issue: I’ve noticed a lot of posts saying to be careful about the line returns in between these two certificates within the same file, but if your certificate is from DigiCert (and I wouldn’t be surprised if other authorities offered this too), you can download your certificates in a prebundled form, either by specifying that it is an NGINX webserver or that you want a .pem file.

The crt file is a pem formatted file. It’s just the name given to the file for Gitlab to utilise it. Generally with Linux you will always be downloading certs in PEM format.

If they offer the certificate download for Nginx, I expect maybe they automatically combine the files. You generally have to make sure that the lines above and below the certificate are included, the BEGIN and END lines. So when combining files yourself:

-----BEGIN CERTIFICATE-----
certificate data here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
certificate data here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
certificate data here
-----END CERTIFICATE-----

for example. If the file doesn’t have a line-feed, like I have encountered, when you then attempt to do something like this:

cat cert.pem intermediate.pem root_ca.pem > mycert.crt

you have to double-check the mycert.crt to make sure that it is like above, as I have had something like this:

-----BEGIN CERTIFICATE-----
certificate data here
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
certificate data here
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
certificate data here
-----END CERTIFICATE-----

and that wouldn’t work. So you need to separate the BEGIN and END lines. Or, as I mostly do now, just copy and paste everything into a new file to make sure it is correctly formatted.
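The two points above (put the leaf certificate first and the CA chain after it, and make sure a missing trailing line feed does not glue an END marker onto the next BEGIN) can be handled in a few lines of shell. The script below is an added example and not from the original posts or from GitLab itself; the function names, the `bundle.crt` output name and the placeholder certificate bodies are assumptions made up for the example, so the three "certificates" it writes are constructed stand-ins, not real DigiCert material.

```shell
#!/bin/sh
# Build a PEM bundle for nginx / Omnibus GitLab: leaf certificate first, then
# the intermediate(s), then (optionally) the root. Each source file gets a
# newline appended if its last byte is not "\n", which is exactly the case
# where a plain `cat a b c` produces "-----END CERTIFICATE----------BEGIN ...".
#
# Usage: bundle_pem bundle.crt leaf.crt intermediate.crt [root.crt]
bundle_pem() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # tail -c1 gives the last byte; od prints it as hex so the test does
        # not depend on locale or on how the shell handles a bare newline.
        last=$(tail -c1 "$f" | od -An -tx1 | tr -d ' \n')
        if [ "$last" != "0a" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# Sanity-check a bundle: every BEGIN line must stand alone, every END line must
# stand alone, and no END must be glued onto a BEGIN on the same line.
# Prints the number of certificate blocks on success, returns 1 on failure.
# (grep -c exits 1 when the count is 0, hence the `|| true`.)
check_bundle() {
    file=$1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
    glued=$(grep -c 'END CERTIFICATE----------BEGIN' "$file" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ] || [ "$glued" -ne 0 ]; then
        return 1
    fi
    echo "$begins"
}

# Optional: print subject/issuer of every certificate in the bundle, in file
# order, so you can eyeball that the leaf comes first and each issuer matches
# the next subject. Only runs where the openssl CLI is installed.
show_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 1; }
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Demonstration with constructed placeholder files (NOT real certificates):
# the leaf and root files deliberately lack a trailing newline.
demo() {
    dir=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----' > "$dir/leaf.crt"
    printf -- '-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n' > "$dir/intermediate.crt"
    printf -- '-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----' > "$dir/root.crt"

    # The naive concatenation produces the glued markers described above.
    cat "$dir/leaf.crt" "$dir/intermediate.crt" "$dir/root.crt" > "$dir/naive.crt"
    if check_bundle "$dir/naive.crt" >/dev/null; then
        echo "naive cat: unexpectedly OK"
    else
        echo "naive cat: broken bundle (glued BEGIN/END markers)"
    fi

    # The newline-aware version yields three well-formed blocks.
    bundle_pem "$dir/bundle.crt" "$dir/leaf.crt" "$dir/intermediate.crt" "$dir/root.crt"
    echo "bundle_pem: $(check_bundle "$dir/bundle.crt") certificate blocks"
    rm -rf "$dir"
}
```

After writing the bundle to the path named by `nginx['ssl_certificate']` and running `gitlab-ctl reconfigure`, confirm from a client that the server now sends the chain: `openssl s_client -connect <ourdomain>:443 -servername <ourdomain>` should list the leaf followed by the intermediate(s), and `git ls-remote https://<ourdomain>/<group>/<repo>.git` should succeed without any `http.sslVerify=false` workaround.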