Webhook certificate check fails where SAN DNS Name entry


Using gitlab 8.11.6 CE. A web hook for a repo is set to talk to a jenkins server via https. The certificate presented by the jenkins server is rejected saying the hostname doesn’t match the server certificate name.

Looking at the server cert it contains the correct fqdn in the CN but also contains DNS Name = short name and IP address = a.b.c.d.

If I construct a web hook using either the short name or an IP address the cert failure does not occur.

( In a much older install of gitlab (7.8) CE, the same webhook connection to the same jenkins server works without issue. I presume the cert checks in the current version are more rigorous. )

Is there any way to tell gitlab to ignore the SAN entries and only use the CN?



I found the reason for this myself so in case this helps anyone else…

There is no issue with gitlab. It is adhering to the published standard for verifying certificates. That standard says that if a Subject Alternate Name extension exists then check ONLY those entries against the host name, ignore the CN value in the Subject field.

So gitlab’s web hook was pointing to an FQDN URL whose host had the FQDN in the Subject but only the short name in the SAN. So it didn’t match the examined entries in the SAN.

On a very old version of gitlab (7.8) this check did not seem to be enforced as the same config did not produce any error.

My solution was to re-issue the certificate on the host specified in the webhook URL so that the SAN entries were correct.
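
The rule described in the answer above can be reproduced with Ruby's standard-library `OpenSSL::SSL.verify_certificate_identity`. This is an added example, not part of the original posts; the names `jenkins.example.internal`, `jenkins` and `192.0.2.10` are constructed placeholders, and the certificates are throwaway self-signed ones built in the script.

```ruby
require "openssl"

KEY = OpenSSL::PKey::RSA.new(2048) # one throwaway key shared by all sample certs

# Build a self-signed certificate (constructed sample, not a real host).
# cn  - value placed in the Subject CN
# san - subjectAltName in OpenSSL config syntax, or nil for no SAN extension
def build_cert(cn, san)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([["CN", cn]])
  cert.public_key = KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if san
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension("subjectAltName", san, false))
  end
  cert.sign(KEY, OpenSSL::Digest.new("SHA256"))
  cert
end

# Run the hostname check for each candidate webhook host; returns host => true/false.
def hostname_check(cert, hosts)
  hosts.map { |h| [h, OpenSSL::SSL.verify_certificate_identity(cert, h)] }.to_h
end

FQDN  = "jenkins.example.internal" # placeholder for the FQDN in the webhook URL
HOSTS = [FQDN, "jenkins", "192.0.2.10"]

# FQDN only in the CN; SAN lists just the short name and the IP address.
MISMATCHED = build_cert(FQDN, "DNS:jenkins,IP:192.0.2.10")
# Re-issued certificate: the SAN now also carries the FQDN.
REISSUED   = build_cert(FQDN, "DNS:#{FQDN},DNS:jenkins,IP:192.0.2.10")
# No SAN extension at all: only then is the CN consulted.
CN_ONLY    = build_cert(FQDN, nil)

if __FILE__ == $PROGRAM_NAME
  { "mismatched" => MISMATCHED, "reissued" => REISSUED, "cn-only" => CN_ONLY }.each do |name, cert|
    puts "#{name}: #{hostname_check(cert, HOSTS)}"
  end
end
```

To see which names a live server's certificate will be checked against, inspect its subjectAltName extension, for example with `openssl x509 -noout -text`.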



Is there any way to disable webhook certificate validity checks in Gitlab so that it’s possible to test if this is the issue?

Troubleshooting a broken webhook is not much fun.