Gitlab with SSL

I am trying to set up a simple gitlab with SSL.

I have the following set up in a docker-compose.yaml file:

version: '3.6'
services:
  gitlab:
    image: 'gitlab/gitlab-ee:16.5.1-ee.0'
    restart: always
    hostname:  'gitlab.env-pri.com'
    container_name: gitlab
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.env-pri.com:8443'
        letsencrypt['enable'] = false
        nginx['enable'] = true
        nginx['redirect_http_to_https'] = true
        nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.env-pri.com.crt"
        nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.env-pri.com.key"
    ports:
      - '80:80'
      - '2224:22'
      - '8443:443'
    volumes:
      - '$GITLAB_HOME/config:/etc/gitlab'
      - '$GITLAB_HOME/logs:/var/log/gitlab'
      - '$GITLAB_HOME/data:/var/opt/gitlab'
      - '/home/user1/gitlab/certs:/etc/gitlab/ssl:ro'
    shm_size: '256m'
    networks:
      - gitlab
networks:
  gitlab:
    name: gitlab-network

The certs were created (the .crt file is the concatenation of the server.crt, the intermediate and the root crt) and then verified by:

openssl verify -CAfile root.crt -untrusted intermediate.crt gitlab.env-pri.com.crt
openssl rsa -noout -modulus -in gitlab.env-pri.com.key | openssl md5
openssl x509 -noout -modulus -in gitlab.env-pri.com.crt | openssl md5

After running the yaml, I checked using curl -kv gitlab.env-pri.com:8443

It fails.

I turned off the firewall and ran it again:

curl -kv https://gitlab.env-pri.com:8443
* Rebuilt URL to: https://gitlab.env-pri.com:8443/
*   Trying 10.200.13.53...
* TCP_NODELAY set
* Connected to gitlab.env-pri.com (*.*.*.*) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to gitlab.env-pri.com:8443
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to gitlab.env-pri.com:8443

Has anyone come across this or does anyone know a fix?
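The checks the question runs by hand (chain validity, key/certificate match), as an added helper script that is not part of the question or of the answer. It goes one step further than openssl verify: it reports the order of the certificates in the bundle, flags a bundle that ends in a self-signed root, and compares public keys instead of RSA moduli. It needs the openssl CLI; the file names and the make_demo_certs function, which produces a throwaway root CA and leaf purely as constructed input, are assumptions.

```shell
#!/bin/sh
# Added helper (not from the original post): inspect a PEM bundle the way the
# question's openssl commands do, but check chain ORDER as well as validity, and
# confirm the private key belongs to the leaf. Requires the openssl CLI.
set -u

# Split a PEM bundle into cert01.pem, cert02.pem, ... inside DIR; echo the count.
split_bundle() {   # $1 = bundle file, $2 = existing output dir
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        n > 0 { print > f }
        /-----END CERTIFICATE-----/ { close(f) }
    ' "$1"
    ls "$2"/cert*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Print the subject or issuer DN of one certificate without the "subject=" prefix.
dn() {   # $1 = subject|issuer, $2 = certificate file
    openssl x509 -noout -"$1" -in "$2" | sed 's/^[a-z]*=//'
}

# List every certificate's subject and issuer in bundle order. Return 0 only when
# each certificate is issued by the one that follows it, i.e. the bundle reads
# leaf -> intermediate(s) -> (optional root) with nothing out of order.
chain_links() {   # $1 = bundle file
    dir=$(mktemp -d); ok=0
    n=$(split_bundle "$1" "$dir")
    i=1
    while [ "$i" -le "$n" ]; do
        f=$(printf '%s/cert%02d.pem' "$dir" "$i")
        printf '%d: subject=%s\n   issuer=%s\n' "$i" "$(dn subject "$f")" "$(dn issuer "$f")"
        if [ "$i" -lt "$n" ]; then
            nxt=$(printf '%s/cert%02d.pem' "$dir" $((i + 1)))
            [ "$(dn issuer "$f")" = "$(dn subject "$nxt")" ] || ok=1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$ok"
}

# Return 0 when the bundle ends with a self-signed certificate, i.e. the root CA
# was concatenated in. The answer recommends leaving the root out of the .crt.
has_root() {   # $1 = bundle file
    dir=$(mktemp -d)
    n=$(split_bundle "$1" "$dir")
    last=$(printf '%s/cert%02d.pem' "$dir" "$n")
    if [ "$(dn subject "$last")" = "$(dn issuer "$last")" ]; then r=0; else r=1; fi
    rm -rf "$dir"
    return "$r"
}

# Return 0 when the private key pairs with the FIRST certificate in the bundle.
# Comparing the encoded public keys works for RSA and EC keys alike, unlike the
# RSA-only modulus/md5 comparison used in the question.
key_matches() {   # $1 = private key file, $2 = bundle file
    dir=$(mktemp -d)
    split_bundle "$2" "$dir" >/dev/null
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    b=$(openssl x509 -in "$dir/cert01.pem" -noout -pubkey)
    rm -rf "$dir"
    if [ -n "$a" ] && [ "$a" = "$b" ]; then return 0; else return 1; fi
}

# Constructed input (assumed names): a throwaway root CA and a leaf it signs,
# written into DIR as ca.crt/ca.key and leaf.crt/leaf.key, plus with_root.crt
# (leaf + root) and reversed.crt (root + leaf, deliberately mis-ordered).
make_demo_certs() {   # $1 = existing output dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=DemoRoot \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=gitlab.example.test \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/leaf.crt" >/dev/null 2>&1
    cat "$1/leaf.crt" "$1/ca.crt" > "$1/with_root.crt"
    cat "$1/ca.crt" "$1/leaf.crt" > "$1/reversed.crt"
}

# Demo on the constructed certificates: sh chain_check.sh demo
if [ "${1:-}" = demo ]; then
    D=$(mktemp -d); make_demo_certs "$D"
    chain_links "$D/with_root.crt" && echo "chain order: OK"
    has_root "$D/with_root.crt" && echo "warning: bundle ends with a self-signed root"
    key_matches "$D/leaf.key" "$D/with_root.crt" && echo "key matches leaf: OK"
    chain_links "$D/reversed.crt" || echo "reversed bundle: chain order BROKEN"
    rm -rf "$D"
fi
```

On a real deployment, run the functions against the mounted files, e.g. chain_links /home/user1/gitlab/certs/gitlab.env-pri.com.crt and key_matches with the matching .key. A bundle that passes openssl verify can still fail chain_links, because verify accepts certificates in any order while a TLS client expects the leaf first.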

Ensure that your certificate files are correctly formatted and accessible within the Docker container. The files should be in PEM format, and the paths specified in your docker-compose.yaml should point to the correct files.

You can verify that the files are readable by the GitLab container by running a shell in the container:

docker exec -it gitlab /bin/bash

Then, check if the files are present and readable:

ls -l /etc/gitlab/ssl/

Make sure that the certificate chain is correct. Your .crt file should contain the server certificate followed by the intermediate certificates (if any) and should not include the root certificate. You can check the certificate chain with:

openssl s_client -connect gitlab.env-pri.com:8443 -showcerts

Since you’re using GitLab’s built-in Nginx, verify that the Nginx settings are correct. You can check the Nginx configuration within the GitLab container:

gitlab-ctl nginx-validate

If there are any errors in the configuration, it will indicate them.

Firewall and Security Groups

Even though you’ve turned off the firewall, double-check that there are no other security groups or firewall rules that might be blocking traffic to port 8443. Ensure that the port is open and accessible from the client machine where you’re running curl.

You can run GitLab in debug mode to get more detailed logs. You can change the logging level in the GITLAB_OMNIBUS_CONFIG like this:

GITLAB_OMNIBUS_CONFIG: |
  external_url 'https://gitlab.env-pri.com:8443'
  letsencrypt['enable'] = false
  nginx['enable'] = true
  nginx['redirect_http_to_https'] = true
  nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.env-pri.com.crt"
  nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.env-pri.com.key"
  logging['log_level'] = "debug"

After updating the configuration, restart the GitLab service:

docker-compose down
docker-compose up -d

Use OpenSSL to test the SSL connection:

openssl s_client -connect gitlab.env-pri.com:8443

This will give you more insight into the SSL handshake process and might reveal specific errors or issues.

If the above steps don’t resolve the issue, check the GitLab logs for any relevant error messages:

docker logs gitlab

Make sure that you’re accessing the correct port. Your docker-compose.yaml maps port 8443 on the host to port 443 in the container. Ensure that your curl command uses port 8443.

Sometimes, browser-related caching or SSL state issues can cause problems. If you haven’t done so already, try accessing GitLab from a different browser or incognito mode.

If you continue to experience issues after following these steps, consider re-generating your SSL certificates or simplifying your configuration to isolate the problem. You might also check the GitLab community forums for similar issues.
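The answer's port-mapping point, carried one step further as an added check that is not part of the thread. Omnibus GitLab's bundled NGINX listens on the port named in external_url unless nginx['listen_port'] overrides it (documented GitLab behaviour, not something the thread states), so external_url ending in :8443 together with a '8443:443' mapping publishes a container port nothing is bound to, and the client sees the connection drop right after Client hello, which is what SSL_ERROR_SYSCALL at that stage looks like. The script below reads a compose file and compares the two ports. The function names are assumptions, and write_sample only reproduces the relevant lines of the question's compose file as constructed input.

```shell
#!/bin/sh
# Added consistency check (not from the original post): compare the port Omnibus
# NGINX binds inside the container with the container-side ports docker-compose
# publishes. Pure sed/grep; no Docker or GitLab needed to run it.
set -u

# Port NGINX binds inside the container: nginx['listen_port'] if set, else the
# port in external_url, else the scheme default (443 for https, 80 for http).
nginx_listen_port() {   # $1 = compose file
    lp=$(sed -n "s/^[[:space:]]*nginx\['listen_port'\][[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | head -n 1)
    if [ -n "$lp" ]; then echo "$lp"; return 0; fi
    url=$(sed -n "s/^[[:space:]]*external_url[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1)
    case "$url" in
        *://*:[0-9]*) echo "$url" | sed 's#^[a-z]*://[^:/]*:\([0-9]*\).*#\1#' ;;
        https://*)    echo 443 ;;
        http://*)     echo 80 ;;
        *) echo "no external_url found in $1" >&2; return 1 ;;
    esac
}

# Container-side ports from "ports:" entries written as host:container (with an
# optional bind address in front), one per line. Volume lines never match because
# they do not start with digits/dots/colons.
published_container_ports() {   # $1 = compose file
    sed -n "s/^[[:space:]]*-[[:space:]]*['\"]\{0,1\}\([0-9.:]*\):\([0-9]*\).*/\2/p" "$1"
}

# Return 0 when the port NGINX listens on is actually published; otherwise explain.
check_port_mapping() {   # $1 = compose file
    want=$(nginx_listen_port "$1") || return 1
    if published_container_ports "$1" | grep -qx "$want"; then
        echo "OK: NGINX listens on $want and container port $want is published"
        return 0
    fi
    echo "MISMATCH: NGINX will listen on $want inside the container, but only container" \
         "ports $(published_container_ports "$1" | tr '\n' ' ')are published" >&2
    echo "fix: publish container port $want, or set nginx['listen_port'] to a published port" >&2
    return 1
}

# Constructed sample: the relevant lines of the question's compose file ("post"),
# or the same with nginx['listen_port'] = 443 added ("fixed").
write_sample() {   # $1 = output path, $2 = post|fixed
    cat > "$1" <<'EOF'
services:
  gitlab:
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.env-pri.com:8443'
        nginx['enable'] = true
EOF
    if [ "$2" = fixed ]; then echo "        nginx['listen_port'] = 443" >> "$1"; fi
    cat >> "$1" <<'EOF'
    ports:
      - '80:80'
      - '2224:22'
      - '8443:443'
    volumes:
      - '$GITLAB_HOME/config:/etc/gitlab'
EOF
}

# Demo on the constructed samples: sh port_check.sh demo
if [ "${1:-}" = demo ]; then
    D=$(mktemp -d)
    write_sample "$D/post.yaml" post;   check_port_mapping "$D/post.yaml" || true
    write_sample "$D/fixed.yaml" fixed; check_port_mapping "$D/fixed.yaml"
    rm -rf "$D"
fi
```

Run check_port_mapping against the real docker-compose.yaml after each change to the GITLAB_OMNIBUS_CONFIG block; it is a cheap guard against the two settings drifting apart, and it complements openssl s_client, which can only report that the handshake died, not why nothing was listening.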