Trouble configuring gitlab pages with TLS

I'm having trouble getting GitLab Pages to work over HTTPS with custom domains. I followed the instructions at

The option without TLS works, but when using HTTPS I get an SSL_ERROR_INTERNAL_ERROR_ALERT error in Firefox and ERR_SSL_PROTOCOL_ERROR in Chrome. When using curl, I get the following error:

~$ curl -v
* Rebuilt URL to:
* Hostname was NOT found in DNS cache
*   Trying XX.XX.XX.XX...
* Connected to (XX.XX.XX.XX) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

I'm using the GitLab 10.0 omnibus installation on CentOS. My config is:

pages_external_url ""
pages_nginx['enable'] = false
gitlab_pages['cert'] = "/etc/gitlab/ssl/"
gitlab_pages['cert_key'] = "/etc/gitlab/ssl/"
gitlab_pages['external_http'] = ['']
gitlab_pages['external_https'] = ['']

with being the virtual IP where the pages daemon is listening. contains the wildcard certificate for *

Any hints on how to troubleshoot this?

The DNS wildcard A record points to the secondary IP where the pages daemon listens.

* 1800 IN A

The documentation is not very clear that this IP should be set when setting up Pages with custom domains. Or something else is wrong, because when I set it to the primary IP of the GitLab instance, nginx returns content from GitLab instead of Pages.
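An added troubleshooting example, not part of this thread and not a GitLab tool: a client sending a ClientHello and getting back a "tlsv1 alert internal error" instead of a ServerHello usually means the server could not complete its side of the handshake, and two common local causes are a certificate file that does not pair with the configured key and a PEM file the daemon cannot read. The script below builds a throwaway wildcard cert and key (constructed sample data), checks that a cert and key belong together, and probes a listener with SNI so you can see which certificate actually comes back on the Pages IP. It assumes `openssl` is installed; the `/etc/gitlab/ssl/PAGES_*.pem`, `PAGES_IP` and `project.example.test` values in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example for checking a GitLab Pages TLS setup; not from the original thread.

# Create a throwaway self-signed wildcard cert + key (constructed test data only).
# $1 = key path, $2 = cert path, $3 = CN, e.g. '*.example.test'
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -days 1 -subj "/CN=$3" >/dev/null 2>&1
}

# Return 0 when the certificate's public key matches the private key,
# i.e. gitlab_pages['cert'] and gitlab_pages['cert_key'] really are a pair.
# Both files must be readable by the caller, or this returns 1.
# $1 = cert path, $2 = key path
cert_key_match() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cpub" = "$kpub" ]
}

# Return 0 if the file is a readable, parseable PEM certificate.
# $1 = cert path
readable_cert() {
    [ -r "$1" ] && openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Handshake with a listener, presenting an SNI name, and print the certificate
# it served. Exits non-zero when no certificate came back, which is what the
# "tlsv1 alert internal error" in the original curl trace looks like client-side.
# $1 = host or IP, $2 = port, $3 = SNI name (the custom domain)
tls_probe() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Usage on a real host (placeholder paths and names):
#   readable_cert /etc/gitlab/ssl/PAGES_CERT.pem || echo "cert unreadable or not PEM"
#   cert_key_match /etc/gitlab/ssl/PAGES_CERT.pem /etc/gitlab/ssl/PAGES_KEY.pem \
#       && echo "cert/key pair matches" || echo "cert and key do NOT belong together"
#   tls_probe PAGES_IP 443 project.example.test
```

Run `tls_probe` once against the Pages IP and once against the primary GitLab IP: if the subject printed for the Pages IP is not the wildcard certificate you configured, the request is being answered by a different listener (the nginx-for-GitLab case mentioned above), and if nothing comes back at all the daemon itself is rejecting the handshake, which is when `cert_key_match` and `readable_cert` are worth running as the user the daemon runs as.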

I have been fighting with TLS for a few days, realised my GitLab was running on an old Debian 8, and upgraded to Debian 9. So now:

> python -c "import ssl; print ssl.OPENSSL_VERSION"
OpenSSL 1.1.0f  25 May 2017

And suddenly, gitlab-pages can respond to https:// requests. Before this I just got the ‘tlsv1 alert internal error’ messages regardless of what I tried to do.

I’m sure the rest of the system also benefits from the upgrade.