Problem to solve
I’m currently deploying Gitlab and Gitlab Pages as separate instances, sitting inside a zero trust network.
When these join the zero trust network, they are assigned hostnames (gitlab.example.ztna and pages.example.ztna). To implement HTTPS, I have also created certificates using a Private CA and have been successfully using them to access my Gitlab frontend, create projects, repositories, etc.
The issue is when I try to access my Gitlab Pages deployed site, which gives a 502 error. When looking at the logs at the time of access, gitlab-ctl tail gitlab-pages yields these logs:
{"correlation_id":"01HX7YVFND915CKXHM2H017T2V","error":"Get \"https://gitlab.example.ztna/api/v4/internal/pages?host=root.pages.example.ztna\": tls: failed to verify certificate: x509: certificate is valid for pages.example.ztna, not gitlab.example.ztna","host":"root.pages.example.ztna","level":"error","msg":"could not fetch domain information from a source","path":"/testrepository","time":"2024-05-06T22:02:15Z"}
{"content_type":"text/html; charset=utf-8","correlation_id":"01HX7YVFND915CKXHM2H017T2V","duration_ms":3022,"host":"root.pages.example.ztna","level":"info","method":"GET","msg":"access","pages_https":true,"proto":"HTTP/1.1","referrer":"","remote_addr":"100.112.190.205","remote_ip":"100.112.190.205","status":502,"system":"http","time":"2024-05-06T22:02:15Z","ttfb_ms":3021,"uri":"/testrepository","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36","written_bytes":2905}
If I try to access https://gitlab.example.ztna from my workstation, it works correctly, and the certificate subject is matching. The issue is that when gitlab.example.ztna and pages.example.ztna attempt to talk to each other over API calls (i.e. when Pages tries to return the artifact location from the Gitlab instance), there is some strange Subject mismatch in the certificates. This happens both ways between gitlab.example.ztna and pages.example.ztna when each machine tries to communicate with the other over the application.
Configuration
Main gitlab.rb:
external_url 'https://gitlab.example.ztna'
git_data_dirs({
  "default" => { "path" => "/mnt/nfs/gitlab" }
})
gitlab_rails['pages_path'] = "/mnt/nfs/gitlab/pages"
gitlab_rails['artifacts_path'] = "/mnt/nfs/gitlab/artifacts"
pages_external_url "https://pages.example.ztna"
# The Pages daemon itself runs on the separate Pages node, not here
gitlab_pages['enable'] = false
gitlab_pages["namespace_in_path"] = true
Pages gitlab.rb:
external_url 'https://pages.example.ztna'
pages_external_url "https://pages.example.ztna"
gitlab_rails['pages_path'] = "/mnt/nfs/gitlab/pages"
# API endpoint the Pages daemon calls to look up domains/artifacts
gitlab_pages['gitlab_server'] = "https://gitlab.example.ztna"
roles ['pages_role']
gitlab_rails['pages_local_store_path'] = "/mnt/nfs/gitlab/pages"
gitlab_pages["namespace_in_path"] = true
gitlab_pages['enable'] = true
# Everything below is served by the main Gitlab node, so it is disabled here
postgresql['enable'] = false
redis['enable'] = false
prometheus['enable'] = false
unicorn['enable'] = false
sidekiq['enable'] = false
gitlab_workhorse['enable'] = false
gitaly['enable'] = false
alertmanager['enable'] = false
node_exporter['enable'] = false
All SSL certs/keys are stored in /etc/gitlab/ssl/
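To narrow down where the wrong certificate comes from, here is an added diagnostic (not from the original post or from GitLab) that connects to a hostname using the private CA bundle, verifies the chain but not the name, and then applies the same SAN name-matching rule that Go's x509 check uses, so it reports exactly which DNS names the presented certificate carries. The CA file name, the port and the sample SAN lists are assumptions.

```python
"""Reproduce the 'certificate is valid for X, not Y' check outside GitLab.

Constructed example for this thread; the CA path and port are assumptions.
"""
import socket
import ssl
import sys


def hostname_matches(hostname: str, san_names: list[str]) -> bool:
    """RFC 6125 style match: exact name, or a single leftmost '*' label."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".pages.example.ztna"
            # The wildcard may cover exactly one label, never "a.b.suffix"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
    return False


def explain_mismatch(dialled: str, san_names: list[str]) -> str:
    """Same wording as the Go x509 error seen in the gitlab-pages log."""
    if hostname_matches(dialled, san_names):
        return f"ok: {dialled} is covered by {', '.join(san_names)}"
    return f"mismatch: certificate is valid for {', '.join(san_names)}, not {dialled}"


def fetch_san_names(host: str, port: int, cafile: str) -> list[str]:
    """Return the DNS SANs of the certificate actually presented for host.

    The chain is verified against cafile, but hostname checking is turned
    off so a certificate issued for the wrong host is still returned and
    can be inspected instead of just failing the handshake.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # we do the name check ourselves, above
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        # server_hostname still sends SNI, which matters behind a proxy
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    # usage: python3 check_tls_name.py gitlab.example.ztna /etc/gitlab/ssl/ca.crt
    target, ca = sys.argv[1], sys.argv[2]
    print(explain_mismatch(target, fetch_san_names(target, 443, ca)))
```

Run it from the Pages node against gitlab.example.ztna: if the names printed are the Pages ones, name resolution or routing on that node is sending the API call to the Pages endpoint rather than to the Gitlab node.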