[tech] gitlab.ucc's SSL certificate

David Adam zanchey at ucc.gu.uwa.edu.au
Sun Feb 9 21:33:01 AWST 2020


Hi,

The Gitlab SSL certificate fails to validate from Git with the following 
error:

fatal: unable to access 'https://gitlab.ucc.asn.au/zanchey/foo/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

This is because the server is not sending the full chain of certificates, 
as seen at 
https://www.ssllabs.com/ssltest/analyze.html?d=gitlab.ucc.asn.au

I suspect the nginx configuration needs to be pointed at fullchain.pem 
instead of cert.pem.

Can someone take a look?

Thanks,

[DAA]
zanchey@

On Thu, 19 Dec 2019, Coffee wrote:
> Gitlab should be fixed now.
> 
> I couldn't get Gitlab's built-in letsencrypt support to work so I disabled it
> and set up certbot instead.
> 
> On 18/12/2019 6:16 pm, tec wrote:
> > 
> > Also seems like if one moves past the ssl expiry (typing |thisisunsafe| at
> > the page in chrome) there's now a 502 error :(
> > 
> > On Wednesday, December 18, 2019 18:07 AWST, "tec" tec at ucc.gu.uwa.edu.au wrote:
> > 
> > I’ve run |gitlab-ctl renew-le-certs|, got an error, |gitlab-ctl
> > reconfigure|, hit the same error
> > 
> > |letsencrypt_certificate[gitlab.ucc.asn.au] (letsencrypt::http_authorization
> > line 3) had an error: Acme::Client::Error::Unauthorized:
> > acme_certificate[staging]
> > (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb
> > line 20) had an error: Acme::Client::Error::Unauthorized: Account creation
> > on ACMEv1 is disabled. Please upgrade your ACME client to a version that
> > supports ACMEv2 / RFC 8555. See
> > https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for
> > details. |
> > 
> > I looked at https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4614, set
> > |letsencrypt["enabled"] = false|, ran |gitlab-ctl reconfigure| successfully,
> > then enabled and re-ran. Same issue.
> > So, as a stop-gap type measure I’ve copied |fullchain.pem| from mooneye and
> > added |gitlab_rails['env'] = {"SSL_CERT_FILE" =>
> > "/env/gitlab/fullchain-2019-12-u.pem"}| to the |gitlab.rb| file.
> > |gitlab-ctl reconfigure| ran successfully from that, so I then ran
> > |gitlab-ctl upgrade| then |gitlab-ctl restart| (since the web server seemed
> > down).
> > 
> > Unfortunately on visiting |gitlab.ucc.asn.au| the old certificate still
> > seemed to be used, so I removed
> > |/opt/gitlab/embedded/nodes/gitlab.ucc.gu.uwa.edu.au.json|. Still didn’t
> > work so I moved |fullchain-2019-12-u.pem| to |/etc/gitlab/trusted-certs| and
> > deleted |/opt/gitlab/embedded/ssl/certs/cacert.pem|, then ran |gitlab-ctl
> > restart|.
> > 
> > The old cert is still being provided. No clue why.
> > 
> > On Monday, December 16, 2019 20:27 AWST, David Adam zanchey at ucc.gu.uwa.edu.au wrote:
> > 
> > > On Sun, 8 Dec 2019, David Adam wrote:
> > > 
> > > > Cert Spotter is warning me that the SSL certificate for gitlab.ucc.asn.au
> > > > expires next week. The Let's Encrypt machinery should have renewed it by
> > > > now. Is someone able to take a look?
> > > >
> > > > From memory, I converted all machines including Gitlab to the official
> > > > certbot client (instead of using acmetool), so `certbot certificates`
> > > > might be a good command to start with.
> > > >
> > > > See also https://wiki.ucc.asn.au/SSLCertificates for how things should be
> > > > set up.
> > > 
> > > This certificate has now expired.
> > > 
> > > [DAA]
> > > _______________________________________________
> > > List Archives: http://lists.ucc.asn.au/pipermail/tech
> > > 
> > > Unsubscribe here:
> > > https://lists.ucc.gu.uwa.edu.au/mailman/options/tech/tec%40ucc.gu.uwa.edu.au
> > 
> 

Cheers,

David Adam
zanchey at ucc.gu.uwa.edu.au
Ask Me About Our SLA!
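The failure at the top of this thread (a client that trusts only the root CA cannot build a chain when the server serves cert.pem instead of fullchain.pem) can be reproduced offline. The script below is an added example written for this archive page; it is not code from the thread, from GitLab or from certbot. It builds a throwaway root -> intermediate -> leaf hierarchy with the openssl CLI (the CA names, the hostname gitlab.example.test and the work directory are constructed for the demo), then verifies the leaf the way git/curl would, with only the root in the trust store, against what a server would send from cert.pem versus fullchain.pem.

```shell
#!/bin/sh
# Added example, not from the original thread. Needs only the openssl CLI.
# All names below (Demo Root CA, gitlab.example.test, $WORK) are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a three-level chain: cert.pem is the leaf alone (what nginx serves
# when pointed at cert.pem), fullchain.pem is leaf + intermediate (what
# certbot writes and what nginx should be pointed at).
make_chain() {
  # self-signed root, the only thing the "client" will trust
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # intermediate CA signed by the root
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -sha256 -days 2 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/int.ext" -out "$WORK/int.pem" >/dev/null 2>&1
  # server (leaf) certificate signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=gitlab.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gitlab.example.test\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 2 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/cert.pem" >/dev/null 2>&1
  # certbot's fullchain.pem layout: leaf first, then the intermediate(s)
  cat "$WORK/cert.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
}

# cert_count <pem-bundle>: number of certificates a server would send from it
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# verify_as_client <served-bundle>: emulate a client whose trust store holds
# only the root (like /etc/ssl/certs/ca-certificates.crt holds only public
# roots). The first cert in the bundle is the end-entity cert; anything else
# the server sent is usable as untrusted chain material. Returns 0 on success.
verify_as_client() {
  served="$1"
  leaf="$WORK/served-leaf.pem"
  openssl x509 -in "$served" -out "$leaf" 2>/dev/null
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$served" "$leaf" >/dev/null 2>&1
}

# served_chain_count <host>: the same check against a live server, i.e. how
# many certificates it actually sends (what SSL Labs reports as the chain).
# Not invoked in the offline demo.
served_chain_count() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

make_chain
printf 'cert.pem carries %s certificate(s), fullchain.pem carries %s\n' \
  "$(cert_count "$WORK/cert.pem")" "$(cert_count "$WORK/fullchain.pem")"
if verify_as_client "$WORK/cert.pem"; then
  echo "serving cert.pem: verified"
else
  echo "serving cert.pem: verification failed (intermediate missing, as git reported)"
fi
if verify_as_client "$WORK/fullchain.pem"; then
  echo "serving fullchain.pem: verified"
else
  echo "serving fullchain.pem: verification failed"
fi
```

Running it prints one verified and one failed result: the leaf alone cannot be chained to the root because the client has no way to obtain the intermediate, while the bundle that includes the intermediate verifies. For the production host, served_chain_count gitlab.ucc.asn.au returning 1 is the same symptom SSL Labs flags as an incomplete chain, and the fix is the one proposed above: point nginx's ssl_certificate at fullchain.pem.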
