Using a Self Signed Certificate

Hi there!

So I’m trying to set up GitLab with HTTPS on my server. Sounds simple right?

Well…

I’m kind of using a self signed certificate. And not necessarily just a self signed certificate either. I have a root certificate installed on my system (running Ubuntu 15.04, both in the /etc/ssl/certs folder and in the ca-certificates.crt file in /etc/ssl/certs. I have an intermediate certificate and a server certificate that I’m using for HTTPS on my server. However, I can’t seem to get OAUTH to work from GitLab CI. After I press authorize from my GitLab account on my server, I get a 500 error that says “We’re sorry, something went wrong.” In the logs, I get this error:

Faraday::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
app/controllers/user_sessions_controller.rb:18:in `callback’

I can’t seem to figure out what is causing this issue. I’m running a certificate chain for the webserver, I get an A on the Qualys SSLLabs Test, the SSL Doctor Ruby application that I’ve been seeing in my search for a solution finds no problems with my certificate chain. At this point, I’m completely clueless as to what may be causing this error. Can anybody help me sort this out?

1 Like

Have you set up gitlab-shell for a self-signed certificate?

I have, but it’s more of an issue with GitLab-CI than GitLab Shell. Based on what I’ve read, right now there isn’t direct support for self signed root certificates. How can I manually add root certificates to GitLab? The way it appears, GitLab doesn’t read from the system stores.

try this

installing packages

root@server:~# apt-get install openssl ca-certificates
root@server:~# mkdir certs
root@server:~# cd certs
root@server:~/certs#

generating a private key

root@server:~/certs# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..........+++
...........................................+++
e is 65537 (0x10001)
root@server:~/certs#

generate a Certificate Signing Request

root@server:~/certs# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: CU 
State or Province Name (full name) [Some-State]:Cuba
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Home Lan
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.edu.cu
Email Address []:
 
Please enter the following `extra` attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

create a Self-Signed Certificate

root@server:~/certs# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CU/ST=Cuba/O=Home Lan/CN=*.edu.cu
Getting Private key
Enter pass phrase for server.key:
root@server:~/certs#

install a private key and Self-Signed Certificate

root@server:~/certs# cp server.key /etc/ssl/private/
root@server:~/certs# cp server.crt /etc/ssl/certs/

these files you must copy it to the directory /etc/gitlab/ssl/ with the name of your host; for example, if my gitlab is hosted in gitlab.edu.cu would be like this: /etc/gitlab/ssl/gitlab.edu.cu.key and /etc/gitlab/ssl/gitlab.edu.cu.crt

References
enable HTTPS on GitLab
Self-signed SSL certificates