Trying to Understand the correct way to install SSL cert

The documentation on this seems to be a tad confusing (maybe it isn’t and we are running into another issue).

We are currently running GitLab Enterprise Edition 12.5.0-ee. I have a new certificate signed by a common root CA. The cert chain looks like this …

Entrust G2 -> Entrust L1K -> gitlab.mycompany.com

According to https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates the proper way to install this is to put 2 files into the /etc/gitlab/trusted-certs folder, 1 for “Entrust L1K” and the other for “gitlab.mycompany.com”. After doing that and running “gitlab-ctl reconfigure” I test this and get the failure “curl: (60) Peer’s Certificate issuer is not recognized.”

Further testing using openssl s_client -showcerts -connect gitlab.mycompany.com:443 shows only 1 certificate being returned (gitlab.mycompany.com). It is my assumption that there should be 2, L1K and gitlab.aaalife.com.

What am I missing here?

Hi,

Does the certificate file contain the complete bundle, i.e. providing the full chain? I’ve seen that problem with Komodo as CA. Highly likely you got a file called fullchain.pem too.

Cheers,
Michael

It seems the documentation is out of date, or someone changed a setting somewhere on our side.

We ended up putting the cert file in /etc/gitlab/ssl. The instructions state /etc/gitlab/trusted-certs.

As far as the cert file and the chain of certs go… yes, you are correct that all intermediate certs must be in the file. At one point we also had the root certificate in the file, but this caused an issue with the git command somewhere in our chain complaining about a “self signed certificate”. We simply removed the root cert (Entrust G2), since it wasn’t necessary, because this is a globally trusted certificate.
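To check what the s_client command from the question actually returns, here is an added example that is not part of the thread or of GitLab: it reads `openssl s_client -showcerts` output (constructed samples below, using the CN names from the thread) and reports how many certificates the server sends and whether they are in leaf-first order.

```shell
#!/bin/sh
# Added example, not code from the thread or from GitLab. The samples are
# constructed; real input comes from
#   openssl s_client -showcerts -connect gitlab.mycompany.com:443 </dev/null 2>/dev/null

# Count the certificates in the "Certificate chain" listing (lines " N s:...").
count_certs() {
    grep -c '^ *[0-9][0-9]* s:'
}

# Print "ok" when each certificate's issuer is the subject of the next one
# (leaf first, then intermediates), otherwise "broken".
chain_order() {
    awk '
        BEGIN { n = 0 }
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
        /^ *i:/        { sub(/^ *i:/, "");        iss[n] = $0; n++ }
        END {
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1]) { print "broken"; exit }
            print "ok"
        }'
}

# Constructed sample: only the leaf is served (the symptom in the question).
LEAF_ONLY='Certificate chain
 0 s:CN = gitlab.mycompany.com
   i:CN = Entrust L1K'

# Constructed sample: leaf then intermediate, root omitted, i.e. the bundle the
# thread ended with (cat leaf.crt intermediate.crt > /etc/gitlab/ssl/<host>.crt).
FULL_CHAIN='Certificate chain
 0 s:CN = gitlab.mycompany.com
   i:CN = Entrust L1K
 1 s:CN = Entrust L1K
   i:CN = Entrust G2'

# Constructed sample: intermediate concatenated before the leaf.
WRONG_ORDER='Certificate chain
 0 s:CN = Entrust L1K
   i:CN = Entrust G2
 1 s:CN = gitlab.mycompany.com
   i:CN = Entrust L1K'

printf '%s\n' "$LEAF_ONLY"   | count_certs    # 1: intermediate missing
printf '%s\n' "$FULL_CHAIN"  | count_certs    # 2
printf '%s\n' "$FULL_CHAIN"  | chain_order    # ok
printf '%s\n' "$WRONG_ORDER" | chain_order    # broken
```

A count of 1 is the exact symptom from the question; a count of 2 with "ok" is what the finished bundle (leaf plus L1K, no G2 root) should produce.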