Gitlab certificate issues

Hi everyone,

I’ve just deployed Gitlab from the Univention App Center.
In general I’m using letsencrypt wildcard certificates for apache2, postfix and dovecot. Please see my guide here, if you are interested: Letsencrypt app - wildcards supported?
However, I could not figure out how to use these in Gitlab. :frowning:

I used docker inspect -f '{{ .Mounts }}' gitlab-containerid to check the volumes mounted to the gitlab container:

[
{bind  /var/lib/univention-appcenter/apps/gitlab/conf /var/lib/univention-appcenter/apps/gitlab/conf   true rprivate}
{bind  /var/lib/univention-appcenter/apps/gitlab/data /var/lib/univention-appcenter/apps/gitlab/data   true rprivate}
{bind  /var/lib/univention-appcenter/apps/gitlab/logs /var/log/gitlab   true rprivate}
{bind  /var/lib/univention-appcenter/apps/gitlab/data /var/opt/gitlab   true rprivate}
{bind  /etc/apt/apt.conf.d/80proxy /etc/apt/apt.conf.d/81proxy  ro false rprivate}
{bind  /var/lib/univention-appcenter/apps/gitlab/conf /etc/gitlab   true rprivate}
{bind  /sys/fs/cgroup /sys/fs/cgroup  ro false rprivate}
]

Checking /var/lib/univention-appcenter/apps/gitlab/conf, I can see there is a folder called trusted-certs, which is referenced here: https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates

However, the private key does not seem to be used, which confuses me even more, so I did not follow this guide.

The gitconfig of my client is quite simple, basically I’m using the certificate store of Windows (not domain joined):

[diff "astextplain"]
	textconv = astextplain
[filter "lfs"]
	clean = git-lfs clean -- %f
	smudge = git-lfs smudge -- %f
	process = git-lfs filter-process
	required = true
[http]
	sslBackend = schannel
[core]
	autocrlf = true
	fscache = true
	symlinks = false
	editor = \"C:\\\\Program Files\\\\Notepad++\\\\notepad++.exe\" -multiInst -notabbar -nosession -noPlugin
[pull]
	rebase = false
[credential]
	helper = manager

When I try to clone a repo via HTTPS, I get the following error:

git clone https://host.domain.com:22222/gitlab/groupabc/backend.git
Cloning into 'backend'...
fatal: unable to access 'https://host.domain.com:22222/gitlab/groupabc/backend.git/': schannel: failed to receive handshake, SSL/TLS connection failed

I’d highly appreciate if there’s a gitlab-pro around able to help.

Best regards
pate1337

The solution was quite easy: I removed :22222 from external_url 'https://host.domain.com:22222/gitlab' in the file /var/lib/univention-appcenter/apps/gitlab/conf/gitlab.rb

Next I instructed gitlab to re-parse the config:
docker exec -it CONTAINER_NAME /bin/bash

Here you run the following two commands to commit the config:

gitlab-ctl reconfigure
gitlab-ctl restart

Furthermore, Visual Studio 2019 did not use the Windows certificate store, so it could not check the letsencrypt certificate.
So to change that, I just ran the following command in a git bash:

git config --global http.sslBackend schannel

That’s it! Don’t know why you do not configure it like this by default… Maybe a bug?

Best regards
pate1337
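A check that separates the two failure modes seen in this thread, an endpoint that never completes a TLS handshake versus a certificate the client does not trust. It is an added example, not part of the original posts or of GitLab/Univention tooling. The names probe_tls and start_plaintext_listener are hypothetical, and the probe uses Python's default trust store rather than schannel.

```python
import socket
import ssl
import threading


def probe_tls(host, port, timeout=5.0, context=None):
    """Classify how host:port answers a TLS client hello.

    Returns 'unreachable', 'no_tls', 'cert_untrusted' or 'tls_ok'.
    """
    ctx = context or ssl.create_default_context()  # verifies chain and hostname
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # nothing listening, filtered, or DNS failure
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls_ok"  # handshake done and certificate accepted
    except ssl.SSLCertVerificationError:
        return "cert_untrusted"  # TLS is spoken, but the chain or name fails
    except (ssl.SSLError, OSError):
        return "no_tls"  # port is open but the handshake never completes
    finally:
        raw.close()


def start_plaintext_listener():
    """Constructed fixture: a localhost port that answers in plain HTTP."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)  # swallow the client hello
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    demo_port = start_plaintext_listener()
    print(demo_port, probe_tls("127.0.0.1", demo_port))
```

Run against the host and port taken from external_url, 'no_tls' points at the listener or port configuration, while 'cert_untrusted' points at the client's trust store or the served certificate chain.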
