The documentation on this seems to be a tad confusing (maybe it isn’t and we are running into another issue).
We are currently running GitLab Enterprise Edition 12.5.0-ee. I have a new certificate signed by a common root CA. The cert chain looks like this …
Entrust G2 -> Entrust L1K -> gitlab.mycompany.com
According to https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates the proper way to install this is to put 2 files into the /etc/gitlab/trusted-certs folder, 1 for “Entrust L1K”, the other for “gitlab.mycompany.com”. After doing that and running “gitlab-ctl reconfigure” I will test this and get a failure: “curl: (60) Peer’s Certificate issuer is not recognized.”
Further testing using openssl s_client -showcerts -connect gitlab.mycompany.com:443 shows only 1 certificate being returned (gitlab.mycompany.com). It is my assumption that there should be 2, L1K and gitlab.aaalife.com.
What am I missing here?
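The check described in the post (count the certificates a server presents, then validate them against the root), reproduced offline as an added example that is not part of the original post. It assumes the openssl CLI is installed; the three-level chain, the CN values and the function names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: root -> intermediate -> leaf, all names are placeholders.

# Number of PEM certificates in a file, e.g. saved `openssl s_client -showcerts` output.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Validate what a server presents, as a client that trusts only the root would:
# the first certificate in $2 is the leaf, any others are untrusted intermediates.
verify_presented() { openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1; }

# Build a throwaway three-level chain in directory $1.
make_demo_chain() {
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root CA' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj '/CN=gitlab.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Compare a server that sends only its own certificate with one that sends
# leaf + intermediate; prints one result line per case.
demo() {
  local d f r
  d=$(mktemp -d) || return 1
  make_demo_chain "$d" || { rm -rf "$d"; return 1; }
  cp "$d/leaf.pem" "$d/leaf_only.pem"
  cat "$d/leaf.pem" "$d/inter.pem" > "$d/leaf_plus_intermediate.pem"
  for f in leaf_only leaf_plus_intermediate; do
    if verify_presented "$d/root.pem" "$d/$f.pem"; then r=ok; else r=fail; fi
    echo "$f: $(count_certs "$d/$f.pem") certificate(s) presented, verify=$r"
  done
  rm -rf "$d"
}

demo
```

The same two functions can be pointed at a file holding saved `-showcerts` output and the root CA file to check a live server's presented chain.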