Certificate issue when preparing PostgreSQL upgrade

Summary

Hi!

I'm trying to upgrade from 8.11.0 to 9.2.8

However, I am encountering an issue during the PostgreSQL upgrade preparation script (following https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/doc/installation/database_upgrade.md?ref_type=heads)

When running the following command from a server with kubectl access to my cluster, I get an error:

curl -s "https://gitlab.com/gitlab-org/charts/gitlab/-/raw/v9.2.8/scripts/database-upgrade" | bash -s -- -n gitlab pre
Retrying failed request: /database_upgrade_8_gitlab_backup.tar ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1147))

This error repeats a few times, before the script stops entirely

Do note that I added the certificate to the server system store (though my understanding is it should not be required as the script runs from the toolbox pod)

I also confirmed that the toolbox pod cannot curl Minio, with a certificate error as well

However, the service itself does serve the right certificate with the following command

echo | openssl s_client -showcerts -servername minio.my.domain.com -connect minio.my.domain.com:443 2>/dev/null | openssl x509 -inform pem -noout -text

I tried to add my certificate in the values, with seemingly no success

Steps to reproduce

N/A

Configuration used

Values:

# https://docs.gitlab.com/charts/charts/globals/
global:
  # What domain all our services will be under
  hosts:
    domain: my.domain.com
  # https://docs.gitlab.com/charts/charts/globals/#custom-certificate-authorities
  certificates:
    - customCAs: my-ca-bundle
  # Ingress-related settings for all services
  # Although we disable the ingresses by default here, still specifying some settings allows us to avoid some repetition
  ingress:
    # Disable ingress by default ; enable it in a case-by-case basis
    enabled: false
    # GitLab has this default to "gitlab-nginx", but we bring our own ingress controller
    class: "nginx"
    # Bring our own cert-manager
    configureCertmanager: false
    tls:
      enabled: true
    annotations:
      nginx.ingress.kubernetes.io/rewrite-target: /
      cert-manager.io/cluster-issuer: my-issuer

# Since we enable TLS for all services, and no wildcard certificate, we need to provide an explicit, separate secret
# name for all of them
gitlab:
  webservice:
    ingress:
      enabled: true
      tls:
        secretName: gitlab-tls-secret

minio:
  ingress:
    enabled: true
    tls:
      secretName: minio-tls-secret

# Bring our own cert-manager
# > 9.0.0
installCertmanager: false
# < 9.0.0
certmanager:
  install: false
# Bring our own ingress controller
nginx-ingress:
  enabled: false

Secret:

---
apiVersion: v1
kind: Secret
metadata:
  name: "my-ca-bundle"
  namespace: "gitlab"
data:
  gitlab.my.domain.com.crt: <B64_BUNDLE>
  minio.my.domain.com.crt: <B64_BUNDLE>

Current behavior

A certificate (which I assume to be minio's, but could be wrong about as it is not specified explicitly in the logs) cannot be verified from the toolbox pod when running the database upgrade preparation script

Expected behavior

The certificate should be recognized and the script should execute correctly

Versions

  • Chart: v8.11.0
  • Platform:
    • Cloud: AKS
  • Kubernetes: (kubectl version)
    • Client: 1.31.0
    • Server: 1.32.7
  • Helm: (helm version)
    • Client: 3.18.3
    • Server: N/A

Relevant logs

Trying to run the command from my server

➜  ~ curl -s "https://gitlab.com/gitlab-org/charts/gitlab/-/raw/v9.2.8/scripts/database-upgrade" | bash -s -- -n gitlab pre
Unable to use a TTY - input is not a terminal or the right kind of file
2025-11-06 09:59:12 UTC -- Dumping database ...
2025-11-06 09:59:12 UTC -- Dumping PostgreSQL database gitlabhq_production ...
2025-11-06 09:59:17 UTC -- [DONE]
2025-11-06 09:59:17 UTC -- Dumping database ... done
2025-11-06 09:59:17 UTC -- Deleting backup and restore PID file at [/srv/gitlab/tmp/backup_restore.pid] ... done
Packing up backup tar
WARNING: Retrying failed request: /database_upgrade_8_gitlab_backup.tar ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1147))
WARNING: Waiting 3 sec...
WARNING: Retrying failed request: /database_upgrade_8_gitlab_backup.tar ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1147))
WARNING: Waiting 6 sec...
WARNING: Retrying failed request: /database_upgrade_8_gitlab_backup.tar ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1147))
WARNING: Waiting 9 sec...
WARNING: Retrying failed request: /database_upgrade_8_gitlab_backup.tar ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1147))
WARNING: Waiting 12 sec...
WARNING: Retrying failed request: /database_upgrade_8_gitlab_backup.tar ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1147))
WARNING: Waiting 15 sec...
ERROR: Upload of '/srv/gitlab/tmp/backup_tars/database_upgrade_8_gitlab_backup.tar' failed too many times (Last reason: Upload failed for: /database_upgrade_8_gitlab_backup.tar)
command terminated with exit code 2
Edited by Clovis Dugué
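
Added example, not part of the original report: "unable to get local issuer certificate" means the client's trust bundle does not contain the CA that issued the certificate it was shown. The script below reproduces that with a constructed CA and leaf (all names, including minio.example.test, are placeholders) and shows that verification passes once the issuing CA is in the bundle.

```bash
#!/usr/bin/env bash
# Added example. All keys and certificates are constructed throwaway test data.

# Build a CA, an unrelated CA, and a leaf certificate issued by the first CA.
make_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Issuing CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated CA" \
    -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=minio.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -days 1 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/leaf.crt" 2>/dev/null
}

# Verify a certificate against one CA bundle and classify the result.
# Prints "ok", the issuer-lookup error text, or the raw openssl output.
check_trust() {
  bundle=$1
  cert=$2
  out=$(openssl verify -CAfile "$bundle" "$cert" 2>&1) || true
  case "$out" in
    *": OK"*) echo "ok" ;;
    *"unable to get local issuer certificate"*)
      echo "unable to get local issuer certificate" ;;
    *) echo "other: $out" ;;
  esac
}

# Run both cases on freshly generated material and clean up afterwards.
demo() {
  tmp=$(mktemp -d)
  make_pki "$tmp"
  echo "bundle lacks issuer:    $(check_trust "$tmp/other.crt" "$tmp/leaf.crt")"
  echo "bundle contains issuer: $(check_trust "$tmp/ca.crt" "$tmp/leaf.crt")"
  rm -rf "$tmp"
}
demo
```

The same check_trust call can be pointed at the decoded CA bundle from the Secret and the certificate saved from the openssl s_client command above, to confirm the bundle really contains the issuer. The chart documentation linked in the values describes global.certificates.customCAs as a list whose entries name a secret (or configMap), for example "- secret: my-ca-bundle" under customCAs.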