Why is our internal CA not accepted?


We use an internal CA based on Step-ce in our company network. I have set up the latest Gitlab on an Ubuntu VM and added the root certificate to the trust store as usual.
After that I created a certificate with Certbot:
certbot certonly --standalone -d gitlab.company.local --server https://teweb.company.local:4443/acme/trenz.local/directory
Then I created a chain:
cat gitlab.company.local.crt root_ca.crt > chain.crt
And edited gitlab.rb: nginx['ssl_certificate'] = "/etc/gitlab/ssl/chain.crt"
In the browser the certificate hierarchy is recognized, but the CA is not trusted. Why not?


That would suggest that the machine where you are running the browser doesn't have the CA imported, either within the browser itself or system-wide, or that the browser cannot find where the CA has been imported into the trust store.

Firefox can import a CA into its own configuration; with Chrome/Brave etc., at least for me on Linux, it works fine when imported under /etc/pki/ca-trust. Prior to this I would have had a similar situation to yours. Check/verify that the CA certificate has been imported to the correct location on the system where the browser problem is.
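Added check, not from this thread and not from GitLab or step-ca: a small POSIX sh script around openssl that tells you, before touching gitlab.rb, whether a concatenated chain.crt actually validates up to root_ca.crt (and only that root), whether the leaf matches the host name, and, separately, whether this machine's default OpenSSL trust store already trusts it, which is the trust-store question the reply above raises. A leaf signed by an intermediate CA only validates if that intermediate is in the file too, so describe_chain lists subject and issuer per certificate to let you see whether every issuer appears further down. The file names and gitlab.company.local are the placeholders from the post; openssl 1.1.1 or newer on PATH is assumed.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes openssl 1.1.1+ on
# PATH; chain.crt / root_ca.crt and the host name are placeholders taken
# from the post, not real values.

# Split a PEM bundle into cert.1.pem, cert.2.pem, ... in a fresh temp
# directory (nginx expects the leaf to be cert.1) and print the directory.
split_bundle() {
    dir=$(mktemp -d)
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    echo "$dir"
}

# Print "N: subject | issuer" for each certificate, leaf first. Every issuer
# should appear as the subject of a later certificate; if one does not (for
# example an intermediate CA that never made it into the file), no client
# can build the path to the root.
describe_chain() {
    dir=$(split_bundle "$1")
    i=1
    while [ -f "$dir/cert.$i.pem" ]; do
        printf '%d: %s | %s\n' "$i" \
            "$(openssl x509 -in "$dir/cert.$i.pem" -noout -subject)" \
            "$(openssl x509 -in "$dir/cert.$i.pem" -noout -issuer)"
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# Verify that the first certificate in CHAIN validates up to ROOT, using the
# rest of CHAIN as untrusted intermediates, and that it is valid for HOST.
# -no-CApath skips the system CA directory so the verdict reflects ROOT
# alone. Exit status 0 means the file is fit for nginx['ssl_certificate'].
check_chain() {
    chain=$1; root=$2; host=$3
    dir=$(split_bundle "$chain")
    openssl verify -no-CApath -CAfile "$root" -untrusted "$chain" \
        -verify_hostname "$host" "$dir/cert.1.pem"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Same chain, but verified against this machine's default OpenSSL trust
# store, i.e. what OpenSSL-based clients on this host would conclude.
# A pass here says nothing about Firefox, which keeps its own store.
check_system_trust() {
    chain=$1; host=$2
    dir=$(split_bundle "$chain")
    openssl verify -untrusted "$chain" -verify_hostname "$host" "$dir/cert.1.pem"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Usage with the placeholders from the post:
#   describe_chain /etc/gitlab/ssl/chain.crt
#   check_chain /etc/gitlab/ssl/chain.crt root_ca.crt gitlab.company.local
#   check_system_trust /etc/gitlab/ssl/chain.crt gitlab.company.local
```

Run check_chain on the server that serves the file; run check_system_trust on the machine whose client is complaining. The latter only answers for OpenSSL-based clients there, so a browser with its own certificate store still has to be checked on its own terms.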


We use the CA on Windows clients with Apache2-based servers with no problems. The CA is distributed via GPO.