Jira integration fails to verify valid SSL certificate

Summary

Adding the Jira integration, with Jira available over HTTPS (SSL), returns "Test failed. SSL_connect returned=1 errno=0 state=error: certificate verify failed", despite the certificate being valid according to openssl s_client -connect <hostname>:443 executed on the GitLab host.

Steps to reproduce

Add the Jira integration to a project, with the Jira server at an HTTPS address, i.e. https://jira.example.com, then press the "Test settings and save changes" button.

What is the current bug behavior?

Error message "Test failed. SSL_connect returned=1 errno=0 state=error: certificate verify failed"

What is the expected correct behavior?

No error message, successful SSL certificate verification

Results of GitLab environment info

System information
System: Ubuntu 16.04
Current User: git
Using RVM: no
Ruby Version: 2.3.5p376
Gem Version: 2.6.13
Bundler Version:1.13.7
Rake Version: 12.1.0
Redis Version: 3.2.5
Git Version: 2.13.6
Sidekiq Version:5.0.4
Go Version: unknown

GitLab information
Version: 10.1.2
Revision: af60a6c
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: https://gitlab.bublar.com
HTTP Clone URL: https://gitlab.bublar.com/some-group/some-project.git
SSH Clone URL: git@gitlab.bublar:some-group/some-project.git
Using LDAP: yes
Using Omniauth: no

GitLab Shell
Version: 5.9.3
Repository storage paths:

  • default: /var/opt/gitlab/git-data/repositories

Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Checking GitLab Shell ...

GitLab Shell version >= 5.9.3 ? ... OK (5.9.3)
Repo base directory exists? default... yes
Repo storage directories are symlinks? default... no
Repo paths owned by git:root, or git:git? default... yes
Repo paths access is drwxrws---? default... yes
hooks directories in repos are links: ...
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Reply by email is disabled in config/gitlab.yml

Checking LDAP ...

Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)

Checking LDAP ... Finished

Checking GitLab ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.3 ? ... yes (2.3.5)
Git version >= 2.7.3 ? ... yes (2.13.6)
Git user has default SSH configuration? ... yes
Active users: ... 19

Checking GitLab ... Finished

Possible fixes

The only thing I can think of is that the ca_file setting in the LDAP settings for GitLab might somehow be affecting ALL SSL certificate validation in GitLab, rather than just for the LDAP server as one would expect.
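
The following is an added example, not part of the original report and not GitLab code. It shows why one client can accept a certificate that another rejects: each verifies against its own trust store, so a store narrowed to a single CA file (the situation hypothesised above) fails a certificate that a fuller bundle accepts. All certificates, names and the helpers make_cert, verify_with and ca_file_scenario are constructed for illustration.

```ruby
require "openssl"

# Build a constructed certificate. With no issuer given it is a self-signed CA.
def make_cert(cn, key, issuer_cert = nil, issuer_key = nil, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  constraint = issuer_cert ? "CA:FALSE" : "CA:TRUE"
  cert.add_extension(ef.create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify cert against a store holding only the given trusted CAs.
# Returns [ok, error_string], the outcome a TLS client's verify step acts on.
def verify_with(trusted, cert)
  store = OpenSSL::X509::Store.new
  trusted.each { |ca| store.add_cert(ca) }
  ok = store.verify(cert)
  [ok, store.error_string]
end

# Constructed scenario: the Jira certificate chains to a public CA, while the
# LDAP ca_file holds only an unrelated internal CA.
def ca_file_scenario
  public_key = OpenSSL::PKey::RSA.new(2048)
  ldap_key = OpenSSL::PKey::RSA.new(2048)
  jira_key = OpenSSL::PKey::RSA.new(2048)
  public_ca = make_cert("Constructed Public CA", public_key)
  ldap_ca = make_cert("Constructed Internal LDAP CA", ldap_key)
  jira = make_cert("jira.example.com", jira_key, public_ca, public_key, serial: 2)
  {
    system_bundle: verify_with([public_ca, ldap_ca], jira), # full bundle
    ldap_ca_only: verify_with([ldap_ca], jira)               # narrowed store
  }
end

if __FILE__ == $PROGRAM_NAME
  ca_file_scenario.each { |name, (ok, err)| puts "#{name}: ok=#{ok} (#{err})" }
end
```

When comparing against openssl s_client, run the check with the same CA file or directory that the failing application loads, otherwise the two results are not comparable.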