I’ve searched the Reddit group and found very similar help given in the past (thank you, /u/KaelumForever for your post) that I haven’t been able to fully leverage to get my internal-subnet Gitlab-ee fully secured.
Sorry in advance if this is obvious - I am by no means an expert in Linux and/or Gitlab.
I’ve got a CentOS 7 standalone physical PC sitting on a 10.1.10.x subnet behind a Fortigate VPN running Gitlab-ee v14.7. Any use of this machine will be restricted to the 10.1.10.x subnet and access from outside the building will require authentication to the VPN. To me, that rules out the automatic LE SSL path.
So, instead, I’ve had a couple of different results. All methods have allowed connection via https:, but each with (different) warnings.
I first followed the suggested routes for installing non-LE certs, but keep ending up with “This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.”
Thinking maybe I could get a root CA in the chain, I tried this method:
but didn’t really do any better there.
I am a bit lost here, I’m afraid. I feel like I’m failing at a base level to understand SSL implementation and where exactly my problem lies. I’ve got no trouble generating the SSL certs via openssl, but getting their root trust conveyed to other machines on the subnet is eluding me. When inspecting my gitlab.x.x.x internal site via the remote browser, I do see that only the base-level cert is reported, vs. the multi-step chain reported by, say, Google or my VPN or whatever other properly-secured site.
I’ve struggled for several days on this now and just know I’m overlooking something that one of you very smart people could correct in five minutes. I sincerely appreciate any help you could offer.
Thank you very much in advance.
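One way to build the chain the post says is missing, as an added example that is not part of the original post or of GitLab's own tooling: a private root CA signs the server certificate, and the server is handed the leaf plus CA as one bundle, while the CA certificate alone is what clients import into their trust store. It assumes a POSIX shell with openssl on the PATH; the hostname, IP and CA name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a private root CA, issues a
# server certificate for the internal GitLab host signed by that CA, and assembles
# the full-chain file the server must present so clients see CA -> leaf rather
# than a lone leaf. Uses only classic openssl subcommands (works on OpenSSL 1.0.2+).
set -eu

GITLAB_HOST="gitlab.internal.example"   # constructed; use the real internal FQDN
GITLAB_IP="10.1.10.5"                   # constructed; one address in the 10.1.10.x subnet
CA_NAME="Internal Lab Root CA"          # constructed

# make_internal_chain DIR : writes ca.key, ca.crt, server.key, server.crt, fullchain.crt
make_internal_chain() {
  dir="$1"; mkdir -p "$dir"
  # 1. Root CA, self-signed with CA extensions. ca.crt is the ONE file to import on
  #    every client (CentOS: copy to /etc/pki/ca-trust/source/anchors/ then run
  #    update-ca-trust; Windows: the Trusted Root Certification Authorities store).
  #    ca.key never leaves the machine that signs certificates.
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -new -key "$dir/ca.key" -subj "/CN=$CA_NAME" -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server key + CSR. Browsers ignore CN; the SAN must carry the name/IP in the URL.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=$GITLAB_HOST" -out "$dir/server.csr" 2>/dev/null
  # 3. Sign the CSR with the CA, adding leaf-only extensions (not a CA, server auth).
  printf 'subjectAltName=DNS:%s,IP:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$GITLAB_HOST" "$GITLAB_IP" > "$dir/leaf.ext"
  openssl x509 -req -sha256 -days 825 -CAcreateserial -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -extfile "$dir/leaf.ext" -out "$dir/server.crt" 2>/dev/null
  # 4. Full chain = leaf first, then the issuing CA. This bundle (not server.crt alone)
  #    is what the web server should serve; for Omnibus GitLab that is the .crt file
  #    under /etc/gitlab/ssl/ named after the external_url hostname.
  cat "$dir/server.crt" "$dir/ca.crt" > "$dir/fullchain.crt"
}

# verify_chain DIR : succeeds only if server.crt chains to ca.crt and carries the SAN.
verify_chain() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 &&
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$GITLAB_HOST"
}

# chain_depth FILE : number of certificates in a PEM bundle (2 for fullchain.crt, 1 for the leaf)
chain_depth() { grep -c 'BEGIN CERTIFICATE' "$1"; }
```

After deploying the bundle, `openssl s_client -connect host:443 -showcerts` should list two certificates, and a client that has imported ca.crt will stop reporting the untrusted-root warning.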