Ubuntu gitlab-ee-omnibus ssl ldap certificate verify failed

Hi! I use the latest GitLab-ee Omnibus version (29.03.2020) on Ubuntu 18.04.
I want to start using LDAP. I enabled it and that works well, but SSL certificate verification does not work.

###! remember to close this block with 'EOS' below
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: 'pdc01.sos.it.ee'
    port: 636
    uid: 'sAMAccountName'
    bind_dn: 'CN=ldap gitlab,CN=Users,DC=SOS,DC=IT,DC=EE'
    password: 'Pa$w0rd1234'
    encryption: "simple_tls"
    verify_certificates: false   # true fails until the issuing CA is trusted by GitLab
    active_directory: true
    allow_username_or_email_login: true
    lowercase_usernames: true
    block_auto_created_users: false
    base: 'OU=Gitlab INT,DC=SOS,DC=IT,DC=EE'
    user_filter: ''
    ## EE only
    group_base: 'OU=Global Groups,OU=Gitlab INT,DC=SOS,DC=IT,DC=EE'
    admin_group: 'Global Admins'
EOS

If I change verify_certificates: true I get the error: ssl connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

I tried to resolve it like this:
openssl s_client -connect pdc01.sos.it.ee:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_ldap_server.pem

sudo cp ad_ldap_server.pem /usr/share/ca-certificates/ad_ldap_server.crt

sudo dpkg-reconfigure ca-certificates

sudo update-ca-certificates

But it doesn't help. :(


What can I do to resolve this problem?

I added the MS AD CA and the LDAP SSL certificate to the CA store of my Ubuntu 18.04 server, and if I check
openssl s_client -connect pdc01.sos.it.ee:636
I get an OK status. But if I enable verify_certificates: true I get the error …(unable to get local issuer certificate)
I think GitLab doesn't take certificates from the OS CA store. Where is the information about this? How do I resolve it?

OK, I resolved it. You need to copy the certificates into /etc/gitlab/trusted-certs

Other Certificate Authorities

Omnibus GitLab supports connections to external services with self-signed certificates.
Compatibility note: Custom certificates were introduced in GitLab 8.9.
Further reading: For installations that use self-signed certificates, Omnibus GitLab provides a way to manage these certificates. For more technical details on how this works, see the details at the bottom of this page.

Install Custom Public Certificates

Note: A Perl interpreter is required for the c_rehash dependency to properly symlink the certificates. Perl is currently not bundled in Omnibus GitLab.

  1. Generate the PEM or DER encoded public certificate from your private key certificate.
  2. Copy the public certificate file only into the /etc/gitlab/trusted-certs directory.
  3. Run gitlab-ctl reconfigure.

But I still don't understand why GitLab ignores the OS local CA store. :frowning:
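Added example (my own shell, not the poster's config or anything from GitLab) of the sequence I would run for the situation in this thread: pull the full chain the LDAPS server sends, verify the leaf against the CA you intend to trust, and only then drop that CA into /etc/gitlab/trusted-certs and reconfigure. It assumes openssl and gitlab-ctl are on PATH, that you already hold the AD CA's exported certificate as a file, and that Omnibus' embedded store lives at /opt/gitlab/embedded/ssl/certs; the host and port default to the ones in the post.

```shell
#!/usr/bin/env bash
# Added example (not the poster's config or GitLab's code): import the LDAPS
# server's issuing CA into /etc/gitlab/trusted-certs and verify the chain first.
# Assumes openssl and gitlab-ctl on PATH; defaults are the host/port from the post.
set -eu
# split_pem_chain DIR: read PEM from stdin, write each certificate to DIR/chain-N.crt
# (chain-1 = server leaf, chain-2.. = issuers it sent) and print how many were found.
# Piping s_client through one `openssl x509`, as the post does, keeps only chain-1,
# which is why the issuer was still missing afterwards.
split_pem_chain() {
  local dir="$1"
  mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".crt" }
    out != ""                    { print > out }
    /-----END CERTIFICATE-----/  { close(out); out = "" }
    END                          { print n + 0 }'
}
# fetch_chain HOST PORT: every certificate the server presents in the handshake.
fetch_chain() {
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null
}
# verify_leaf CAFILE DIR: does chain-1 validate against the CA you intend to trust
# (e.g. the exported AD CA certificate), with any intermediates the server sent?
verify_leaf() {
  local cafile="$1" dir="$2" extra="" f
  for f in "$dir"/chain-[2-9].crt; do [ -e "$f" ] && extra="$extra -untrusted $f"; done
  # $extra is a deliberate unquoted word list of -untrusted options
  openssl verify -CAfile "$cafile" $extra "$dir/chain-1.crt"
}
# install_ca CAFILE: Omnibus' bundled OpenSSL reads its own store, not the OS one;
# reconfigure hashes everything in trusted-certs into that embedded store.
install_ca() {
  cp "$1" /etc/gitlab/trusted-certs/
  gitlab-ctl reconfigure
}
main() {
  local cafile="$1" host="${2:-pdc01.sos.it.ee}" port="${3:-636}" work n
  work=$(mktemp -d)
  n=$(fetch_chain "$host" "$port" | split_pem_chain "$work")
  echo "server sent $n certificate(s)"
  verify_leaf "$cafile" "$work"        # set -e stops here if the CA does not match
  install_ca "$cafile"
  # Same check against the embedded store (path assumed) should now say "0 (ok)".
  openssl s_client -connect "$host:$port" -CApath /opt/gitlab/embedded/ssl/certs \
    </dev/null 2>/dev/null | grep 'Verify return code'
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `./ldaps-ca.sh /path/to/ad-ca.pem` (optionally followed by host and port); with no arguments it only defines the functions.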