Clarification and potential SSL Certificate store bug with gitaly check

Customer ran into an issue where the Gitaly Check command was failing to successfully verify the certificate chain for the Internal API.

/opt/gitlab/embedded/bin/gitaly check /var/opt/gitlab/gitaly/config.toml

Checking GitLab API access: ERRO[0000] Internal API unreachable duration_ms=10ns error="Get \"https://gitlab/api/v4/internal/check\" tls: failed to verify certificate: x509: certificate signed by unknown authority" method=GET pid=117349 url="https://gitlab/api/v4/internal/check"

This was ultimately resolved by adding the CA certificates to the system store. But per our documentation it looks like this should be using our trusted certs path (/etc/gitlab/trusted-certs/).

https://docs.gitlab.com/ee/administration/gitaly/tls_support.html#configure-gitaly-with-tls

We were able to successfully run the openssl commands from our troubleshooting SSL commands against the trusted-certs, but the check was still reporting the same issues.

I suspect either the check is only using the system store, or we need some clarification in our docs where the certs are expected to be.

Internal ZD
