Unable to import Bitbucket repo: server certificate verification failed

Hello,

I have installed GitLab 11.8.1-ee (39d0b2ef) with the Helm chart on a Kubernetes cluster.

I want to import some Bitbucket repositories. My Bitbucket server is installed on premises in my data center, with an SSL certificate signed by my own certificate authority.

As stated in https://docs.gitlab.com/charts/charts/globals.html#custom-certificate-authorities, I have configured GitLab to use my CA’s certificates. When I browse inside the GitLab containers, I can see my custom CA certificates in the /etc/ssl/certs directory, as expected. (I have 2 certificates: one for the root CA, and another for an intermediate CA that has signed my Bitbucket certificate.)

When I try to import the Bitbucket repo, I manage to get the list of repositories from my Bitbucket server. I select one repo I want to import, and click on the Import button. The import is marked as started in the GUI, a new (empty) GitLab project has been created, but in the sidekiq container logs, I can see the following error:

2019-03-08T07:28:13.694Z 12 TID-gn24q0rfk Geo::SidekiqCronConfigWorker JID-2142d82aa1c66be46165142c INFO: start
2019-03-08T07:28:13.829Z 12 TID-gn24q8b38 UpdateAllMirrorsWorker JID-745623372a887d7da0d34da8 INFO: start
2019-03-08T07:28:13.853Z 12 TID-gn24q8b38 UpdateAllMirrorsWorker JID-745623372a887d7da0d34da8 INFO: done: 0.024 sec
2019-03-08T07:28:13.855Z 12 TID-gn24q0rfk Geo::SidekiqCronConfigWorker JID-2142d82aa1c66be46165142c INFO: done: 0.16 sec
2019-03-08T07:28:35.889Z 12 TID-gn24q29hw AuthorizedProjectsWorker JID-5454957139c4c0b985afba19 INFO: start
2019-03-08T07:28:35.903Z 12 TID-gn24q8z68 ClusterProjectConfigureWorker JID-f6350d5e9cfc8279de7791f4 INFO: start
2019-03-08T07:28:35.911Z 12 TID-gn24q8z68 ClusterProjectConfigureWorker JID-f6350d5e9cfc8279de7791f4 INFO: done: 0.007 sec
2019-03-08T07:28:35.924Z 12 TID-osgtl4lgs RepositoryImportWorker JID-ec5c391600df86de3e21b7ca INFO: start
2019-03-08T07:28:36.001Z 12 TID-gn24q29hw AuthorizedProjectsWorker JID-5454957139c4c0b985afba19 INFO: done: 0.112 sec
2019-03-08T07:28:36.043Z 12 TID-osgtl4lgs RepositoryImportWorker JID-ec5c391600df86de3e21b7ca INFO: fail: 0.12 sec
2019-03-08T07:28:36.043Z 12 TID-osgtl4lgs WARN: {"context":"Job raised exception","job":{"class":"RepositoryImportWorker","args":[7],"retry":5,"queue":"repository_import","backtrace":5,"status_expiration":54000,"jid":"ec5c391600df86de3e21b7ca","created_at":1552030115.923013,"correlation_id":"6XGU560ckha","enqueued_at":1552030115.9233036},"jobstr":"{\"class\":\"RepositoryImportWorker\",\"args\":[7],\"retry\":5,\"queue\":\"repository_import\",\"backtrace\":5,\"status_expiration\":54000,\"jid\":\"ec5c391600df86de3e21b7ca\",\"created_at\":1552030115.923013,\"correlation_id\":\"6XGU560ckha\",\"enqueued_at\":1552030115.9233036}"}
2019-03-08T07:28:36.043Z 12 TID-osgtl4lgs WARN: RuntimeError: Error importing repository https://*****:*****@mybitbucketserver:8443/scm/test/toto.git into TEST/toto - 2:Fetching remote bitbucket_server failed: fatal: unable to access [FILTERED] server certificate verification failed. CAfile: [FILTERED] CRLfile: none

2019-03-08T07:28:36.043Z 12 TID-osgtl4lgs WARN: /srv/gitlab/app/workers/repository_import_worker.rb:26:in `perform'
/srv/gitlab/ee/app/workers/ee/repository_import_worker.rb:9:in `perform'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/processor.rb:185:in `execute_job'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/processor.rb:167:in `block (2 levels) in process'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/middleware/chain.rb:128:in `block in invoke'
/srv/gitlab/lib/gitlab/metrics/sidekiq_middleware.rb:15:in `block in call'
/srv/gitlab/lib/gitlab/metrics/transaction.rb:55:in `run'
/srv/gitlab/lib/gitlab/metrics/sidekiq_middleware.rb:15:in `call'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/middleware/chain.rb:130:in `block in invoke'
/srv/gitlab/lib/gitlab/sidekiq_status/server_middleware.rb:7:in `call'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/middleware/chain.rb:130:in `block in invoke'
/srv/gitlab/lib/gitlab/sidekiq_middleware/correlation_logger.rb:10:in `block in call'
/srv/gitlab/lib/gitlab/correlation_id.rb:15:in `use_id'
/srv/gitlab/lib/gitlab/sidekiq_middleware/correlation_logger.rb:9:in `call'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/middleware/chain.rb:130:in `block in invoke'
/srv/gitlab/lib/gitlab/sidekiq_middleware/batch_loader.rb:7:in `call'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/middleware/chain.rb:130:in `block in invoke'
/srv/gitlab/lib/gitlab/sidekiq_middleware/request_store_middleware.rb:8:in `call'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/middleware/chain.rb:130:in `block in invoke'
/srv/gitlab/lib/gitlab/sidekiq_middleware/shutdown.rb:54:in `call'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/middleware/chain.rb:130:in `block in invoke'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sentry-raven-2.7.4/lib/raven/integrations/sidekiq.rb:9:in `call'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/middleware/chain.rb:130:in `block in invoke'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/middleware/chain.rb:133:in `invoke'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/processor.rb:166:in `block in process'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/processor.rb:137:in `block (6 levels) in dispatch'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/job_retry.rb:108:in `local'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/processor.rb:136:in `block (5 levels) in dispatch'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/rails.rb:43:in `block in call'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/activesupport-5.0.7.1/lib/active_support/execution_wrapper.rb:85:in `wrap'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/activesupport-5.0.7.1/lib/active_support/reloader.rb:68:in `block in wrap'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/activesupport-5.0.7.1/lib/active_support/execution_wrapper.rb:85:in `wrap'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/activesupport-5.0.7.1/lib/active_support/reloader.rb:67:in `wrap'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/rails.rb:42:in `call'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/processor.rb:132:in `block (4 levels) in dispatch'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/processor.rb:243:in `stats'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/processor.rb:127:in `block (3 levels) in dispatch'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/job_logger.rb:8:in `call'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/processor.rb:126:in `block (2 levels) in dispatch'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/job_retry.rb:73:in `global'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/processor.rb:125:in `block in dispatch'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/logging.rb:48:in `with_context'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/logging.rb:42:in `with_job_hash_context'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/processor.rb:124:in `dispatch'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/processor.rb:165:in `process'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/processor.rb:83:in `process_one'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/processor.rb:71:in `run'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/util.rb:16:in `watchdog'
/srv/gitlab/vendor/bundle/ruby/2.5.0/gems/sidekiq-5.2.5/lib/sidekiq/util.rb:25:in `block in safe_thread'

It seems my custom CA certificates are not taken into account.

After a few minutes, the import is marked as failed in the GUI.

Do you have any ideas about how to solve this issue?

Thank you in advance!
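
An added diagnostic, not part of the original post and not GitLab code: the error names a single `CAfile`, while the post confirms the CA certificates only as separate files in /etc/ssl/certs, so this check reports which certificate files are absent from a given bundle file. The function names, file names and sample certificates are constructed for illustration; the bundle path to test is whatever the redacted `CAfile` value points to.

```shell
#!/bin/sh
# Added example: is each custom CA in the single bundle file (the "CAfile"
# in the error), or only present as a separate file in /etc/ssl/certs?

# Print one line per certificate in a PEM file: its base64 body with line
# breaks removed, so differences in wrapping do not affect the comparison.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# missing_from_bundle BUNDLE CERT...: print every CERT file that is empty or
# holds a certificate absent from BUNDLE. Returns 0 only if none is missing.
missing_from_bundle() {
    bundle_list=$(pem_bodies "$1"); shift
    status=0
    for cert in "$@"; do
        bodies=$(pem_bodies "$cert")
        [ -n "$bodies" ] || { echo "$cert"; status=1; continue; }
        for body in $bodies; do
            printf '%s\n' "$bundle_list" | grep -qxF -e "$body" && continue
            echo "$cert"; status=1; break
        done
    done
    return "$status"
}

# Constructed sample: placeholder base64, not real certificates. The bundle
# holds the root CA (wrapped differently) but not the intermediate CA.
demo() {
    dir=$(mktemp -d) || return 2
    b='-----BEGIN CERTIFICATE-----'; e='-----END CERTIFICATE-----'
    printf '%s\n' "$b" 'Uk9PVC1DQS1Q' 'TEFDRUhPTERFUg==' "$e" > "$dir/root-ca.pem"
    printf '%s\n' "$b" 'SU5URVJNRURJQVRFLUNB' "$e" > "$dir/intermediate-ca.pem"
    printf '%s\n' "$b" 'Uk9PVC1DQS1QTEFDRUhPTERFUg==' "$e" > "$dir/bundle.crt"
    (cd "$dir" && missing_from_bundle bundle.crt root-ca.pem intermediate-ca.pem) \
        && rc=0 || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "the files listed above are not in the bundle"
```

The comparison is on the encoded certificate bytes only; it does not validate the chain, so a certificate that is present but expired or wrongly issued still passes this check.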