Trouble configuring gitlab pages with TLS

Having trouble getting gitlab pages to work over https with custom domains. I followed the instructions at https://docs.gitlab.com/ee/administration/pages/.

The option without TLS works, but when using https I get an SSL_ERROR_INTERNAL_ERROR_ALERT error in Firefox and ERR_SSL_PROTOCOL_ERROR in Chrome. When doing curl, I get the following error:

~$ curl -v https://user.pages.example.com
* Rebuilt URL to: https://user.pages.example.com/
* Hostname was NOT found in DNS cache
*   Trying XX.XX.XX.XX...
* Connected to user.pages.example.com (XX.XX.XX.XX) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

Using gitlab 10.0 omnibus installation on CentOS. My config is:

pages_external_url "https://pages.example.com"
pages_nginx['enable'] = false
gitlab_pages['cert'] = "/etc/gitlab/ssl/pages.example.com.crt"
gitlab_pages['cert_key'] = "/etc/gitlab/ssl/pages.example.com.key"
gitlab_pages['external_http'] = ['1.1.1.2:80']
gitlab_pages['external_https'] = ['1.1.1.2:443']

with 1.1.1.2 being the virtual IP where the pages daemon is listening. pages.example.com.crt contains the wildcard certificate for *.pages.example.com.

Any hints on how to troubleshoot this?

The DNS wildcard A record points to the secondary IP 1.1.1.2 where the pages daemon listens.

*.pages.example.com. 1800 IN A    1.1.1.2

The documentation is not very clear that this IP should be set when setting up pages with custom domains. Or something else is wrong, because when I set it to the primary IP of the gitlab instance, nginx returns content from gitlab instead of pages.
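As an added example (not part of the thread, and not GitLab's own tooling): a small POSIX shell script for the local checks worth running against the certificate from the question before blaming the pages daemon, namely whether the key in gitlab_pages['cert_key'] really belongs to the cert in gitlab_pages['cert'], and whether the cert's SAN list actually covers the Pages hostnames (a wildcard like *.pages.example.com covers exactly one label, so user.pages.example.com is fine but anything deeper, or the bare pages.example.com, is not unless listed separately). It assumes only that openssl is on PATH; the paths and names are the ones from the question, and make_test_cert builds a throwaway self-signed wildcard cert (constructed test data) so the checks can be exercised offline.

```bash
#!/bin/sh
# Added example, not from the thread: local sanity checks for a GitLab Pages
# wildcard certificate. Assumes openssl on PATH. Cert/key paths and hostnames
# are those from the question (/etc/gitlab/ssl/pages.example.com.{crt,key},
# *.pages.example.com); nothing here is GitLab's own code.
set -e

# Generate a throwaway self-signed wildcard cert+key in "$1" (constructed test
# data only, so the checks below can run offline).
make_test_cert() {
  dir="$1"
  cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = *.pages.example.com
[v3]
subjectAltName = DNS:*.pages.example.com, DNS:pages.example.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/pages.example.com.key" -out "$dir/pages.example.com.crt" \
    -config "$dir/san.cnf" >/dev/null 2>&1
}

# Succeeds when the private key in $2 belongs to the certificate in $1
# (compares the SHA-256 of the public key extracted from each side).
cert_matches_key() {
  cert_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_fp=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_fp" = "$key_fp" ]
}

# Succeeds when the certificate in $1 has a SAN entry covering host $2.
# A wildcard "*.pages.example.com" matches exactly one label: user.pages.example.com
# is covered, a.user.pages.example.com is not, and the bare pages.example.com
# needs its own SAN entry.
cert_covers_host() {
  cert="$1"; host="$2"
  sans=$(openssl x509 -in "$cert" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p')
  while IFS= read -r san; do
    case "$san" in
      "$host") return 0 ;;
      \*.*)
        # exactly one label in front of the wildcard's parent domain
        if [ "${host%%.*}" != "$host" ] && [ "${host#*.}" = "${san#\*.}" ]; then
          return 0
        fi ;;
    esac
  done <<EOF
$sans
EOF
  return 1
}

# Live handshake against the IP the pages daemon listens on, sending SNI so the
# daemon can pick a certificate for that name. Needs network; not run offline.
tls_handshake() {
  host="$1"; ip="$2"
  openssl s_client -connect "$ip:443" -servername "$host" </dev/null 2>&1 \
    | grep -E 'Verify return code|alert|subject=|issuer='
}

# Usage: sh pages_tls_check.sh /etc/gitlab/ssl/pages.example.com.crt \
#            /etc/gitlab/ssl/pages.example.com.key [user.pages.example.com]
if [ $# -ge 2 ]; then
  name="${3:-user.pages.example.com}"
  if cert_matches_key "$1" "$2"; then echo "key matches cert"; else echo "KEY DOES NOT MATCH CERT"; fi
  if cert_covers_host "$1" "$name"; then echo "cert covers $name"; else echo "cert does NOT cover $name"; fi
  openssl x509 -in "$1" -noout -subject -dates
fi
```

Run it with the cert and key paths from the gitlab.rb above; once both local checks pass, `tls_handshake user.pages.example.com 1.1.1.2` shows whether the daemon on the virtual IP presents that certificate or answers the ClientHello with an alert, which is the same thing the curl output in the question is reporting.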

I have been fighting with TLS for a few days, then realised my GitLab was running on an old Debian 8 and upgraded to Debian 9. So now:

> python -c "import ssl; print ssl.OPENSSL_VERSION"
OpenSSL 1.1.0f  25 May 2017

And suddenly, gitlab-pages can respond to https:// requests. Before this I just got the ‘tlsv1 alert internal error’ messages regardless of what I tried to do.

I’m sure the rest of the system also benefits from the upgrade.