SSL inspection -> Gitlab can't get online properly, SSL certificate error

Hello all,

I'm running Gitlab 16.7 here on Ubuntu 22.04 LTS, a default installation from the Gitlab repository. SSL deep inspection via the firewall has now been introduced. The necessary client CA has been rolled out and also works for the operating system itself. But Gitlab seems to need this CA in another place.

Because when projects are pushed from Gitlab to Github, this does not work and it is cancelled with an SSL error (the certificate is not trusted).

Where in Gitlab would I have to configure such a client CA? Because the system store is not read.

Many thanks and best regards

So this is not possible?

If you have already copied the CA cert to /etc/ssl/certs and run update-ca-certificates, then your next step would possibly be to import the CA within Gitlab. When I just checked the /etc/gitlab/gitlab.rb config file, I found this:

##! Most root CA's are included by default
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"

Suggest configuring that line to use your internal CA from your firewall which is doing the SSL inspection. You also need to import that CA on all your machines that will be connecting to Gitlab, or any other SSL service that has the connection inspected.

The problem here is not Gitlab, but rather you are using a CA/certificate which is untrusted due to it being issued by your firewall for the deep inspection.

Many thanks for your answer.

Done. I must have missed the entries.

##! Most root CA's are included by default
nginx['ssl_client_certificate'] = "/usr/local/share/ca-certificates/fortinet-deepinspection-osit2.crt"
nginx['ssl_trusted_certificate'] = "/usr/local/share/ca-certificates/fortinet-deepinspection-osit2.crt"

After that:

gitlab-ctl reconfigure
gitlab-ctl hup nginx

But the same error. Perhaps this is not technically possible with Gitlab in the way I imagine.

That is correct. But that has never been a problem with a server. A purchased certificate is used for deep inspection from outside. This is then also installed on the firewall. However, this cannot be used for deep inspection from within, as you cannot generate such a certificate without the complete root chain.

@iwalker You can access without errors, yes? SSL inspection is active. And you haven’t installed my cert :wink:

Your Gitlab instance linked in your post works fine. So I’m guessing somehow you’ve managed to get it working.

From the outside, yes, but not from the inside. E.g. repository sync to GitHub. There I get a certificate error. It’s not about access from the outside but that Gitlab itself can access the internet. Sorry if I didn’t explain that correctly.

3:get remote references: create git ls-remote: exit status 128, stderr: "fatal: unable to access 'https://github.com/boospy/KDE-Neon-Installer.git/': SSL certificate problem: unable to get local issuer certificate\n".

Wget, lynx, elinks, secure apt, everything is working fine, but not the internet access from Gitlab. Strange.

Yeah I’ve had the same situation at clients, and we did import the CA certificate to /etc/ssl/certs and ran update-ca-certificates. I cannot remember if we also added to .gitconfig in the user’s home directory:

[http]
	sslVerify = false

but you can try that and see what happens. That should at least allow git push to work but it means it ignores the certificate/CA. We had many more problems, because also we have an app that needs to install dependencies using composer, which would fail when certificates wouldn’t verify. And also with nodejs, cypress is forced to verify certs and cannot be overridden now.

SSL Inspection is definitely a pain when the certs aren’t trusted.

1 Like
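The `sslVerify = false` workaround above makes the push succeed by turning certificate checking off for every remote, which means the inspecting firewall (or anything else on the path) can no longer be told apart from a real GitHub. The safer fix for the same symptom ("unable to get local issuer certificate") is to keep verification on and tell git which CA file to trust via `http.sslCAInfo`. The following Python script is an added example, not code from the thread or from GitLab: it parses a git config, reports every `[http]` or `[http "url"]` section that disables verification, and rewrites the file so verification is back on and `http.sslCAInfo` points at the inspection CA. The sample config and the CA path are taken from this thread; any PEM bundle would work in its place.

```python
"""Audit a git config for http.sslVerify=false and rewrite it to pin a CA instead."""
import re

# Constructed sample: a ~/.gitconfig as suggested in the thread, with
# verification switched off globally and again for one remote.
SAMPLE_GITCONFIG = """\
[user]
\tname = Example User
[http]
\tsslVerify = false
[http "https://github.com"]
\tsslVerify = false
"""

# CA path from the thread (assumed to be a PEM file readable by the git user).
CA_PATH = "/usr/local/share/ca-certificates/fortinet-deepinspection-osit2.crt"

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^(\s*)([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")
FALSE_VALUES = {"false", "no", "off", "0"}  # git's accepted spellings of false


def _is_http_section(name: str) -> bool:
    # git writes per-URL overrides as [http "https://example.com"]
    return name == "http" or name.startswith('http "')


def parse_gitconfig(text: str):
    """Yield (section, key, value) triples; keys are lowercased because git
    treats option names case-insensitively. Comments and blank lines skip."""
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        kv = KEY_RE.match(line)
        if kv and section is not None:
            yield section, kv.group(2).lower(), kv.group(3)


def audit_ssl_verify(text: str) -> list:
    """One finding per [http] or [http "url"] section that turns verification off."""
    findings = []
    for section, key, value in parse_gitconfig(text):
        if _is_http_section(section) and key == "sslverify" and value.lower() in FALSE_VALUES:
            findings.append(f"[{section}] sslVerify = {value}: certificate checks disabled")
    return findings


def harden(text: str, ca_path: str) -> str:
    """Return the config with every http sslVerify=false switched back to true
    and http.sslCAInfo pointing at ca_path, so git trusts the inspection CA
    instead of trusting nothing. Other lines are preserved verbatim."""
    out = []
    section = None
    http_body_idx = None  # index where the keys of the global [http] section start
    have_cainfo = False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            out.append(line)
            if section == "http":
                http_body_idx = len(out)
            continue
        kv = KEY_RE.match(line)
        if kv and section is not None and _is_http_section(section):
            indent, key, value = kv.groups()
            if key.lower() == "sslverify" and value.lower() in FALSE_VALUES:
                out.append(f"{indent}sslVerify = true")
                continue
            if key.lower() == "sslcainfo" and section == "http":
                out.append(f"{indent}sslCAInfo = {ca_path}")  # overwrite a stale path
                have_cainfo = True
                continue
        out.append(line)
    if http_body_idx is None:  # no global [http] section at all: create one
        out.append("[http]")
        http_body_idx = len(out)
    if not have_cainfo:
        out.insert(http_body_idx, f"\tsslCAInfo = {ca_path}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_ssl_verify(SAMPLE_GITCONFIG):
        print("FINDING:", finding)
    print(harden(SAMPLE_GITCONFIG, CA_PATH))
```

Two caveats when applying this. `http.sslCAInfo` replaces git's default bundle rather than adding to it, so the file it points at must contain the public roots as well as the inspecting CA unless the firewall re-signs every outbound TLS connection; the quickest check is `GIT_SSL_CAINFO=/path/to/bundle.crt git ls-remote https://github.com/<org>/<repo>.git` run as the same user GitLab's git processes use, which exercises exactly the `git ls-remote` call that failed in the error above. And the config that matters is the one read by that service user, not a human admin's `~/.gitconfig`; on Omnibus GitLab the documented way to add a CA for the bundled git and Ruby tooling is to place the PEM file in `/etc/gitlab/trusted-certs/` and run `gitlab-ctl reconfigure`, which is separate from the `nginx[...]` keys discussed earlier in the thread (those configure the web server's own certificates, not outbound trust).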

You are soooooo right. :slight_smile: