Custom CACert are ignored in S3 LFS or Elasticsearch global search

Summary

Custom certs are not used by GitLab for global search and LFS.

Steps to reproduce

  1. enable global search following https://docs.gitlab.com/ee/integration/elasticsearch.html with SSL elasticsearch endpoint
  2. gitlab-rake gitlab:elastic:create_empty_index

Example Project

n/a

What is the current bug behavior?

GitLab ignores my CA.

  1. add my CA /etc/gitlab/trusted-certs/myca.pem
  2. run reconfigure
  3. /opt/gitlab/embedded/ssl/certs/e385f43f.0 was created

         curl --cacert /opt/gitlab/embedded/ssl/certs/cacert.pem https://myes.lan:9200
         KO
         curl --cacert /opt/gitlab/embedded/ssl/certs/e385f43f.0 https://myes.lan:9200
         OK

  4. gitlab-rake gitlab:elastic:create_empty_index

But I still got an error 500 with an SSL error.

Now copy the content to cacert.pem:

    cat /opt/gitlab/embedded/ssl/certs/e385f43f.0  >> /opt/gitlab/embedded/ssl/certs/cacert.pem
    gitlab-ctl restart

Both work:

    curl --cacert /opt/gitlab/embedded/ssl/certs/cacert.pem https://myes.lan:9200
    OK
    curl --cacert /opt/gitlab/embedded/ssl/certs/e385f43f.0 https://myes.lan:9200
    OK

Run:

    gitlab-rake gitlab:elastic:create_empty_index
    OK
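To check whether a custom CA from /etc/gitlab/trusted-certs is already present in cacert.pem before appending it (the manual `cat >>` workaround above otherwise adds another copy on every run), here is an added Python check; it is not part of this issue or of GitLab. The PEM blocks it builds with `fake_pem` are constructed placeholders, not real certificates, and the file paths are the ones from this report.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

# One PEM certificate block; group 1 is the base64-encoded DER body.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_certs(text):
    """Map sha256(DER) fingerprint -> PEM block for every cert in text."""
    certs = {}
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        certs[hashlib.sha256(der).hexdigest()] = m.group(0)
    return certs


def missing_from_bundle(custom_pem, bundle_pem):
    """Fingerprints of custom certs that the bundle does not yet contain."""
    return sorted(set(pem_certs(custom_pem)) - set(pem_certs(bundle_pem)))


def merge_bundle(custom_pem, bundle_pem):
    """Append each absent custom cert to the bundle exactly once (idempotent)."""
    present = pem_certs(bundle_pem)
    out = bundle_pem.rstrip("\n") + "\n" if bundle_pem else ""
    for fp, block in pem_certs(custom_pem).items():
        if fp not in present:
            out += block + "\n"
            present[fp] = block
    return out


def fake_pem(payload):
    """Constructed placeholder PEM block (NOT a real certificate) for demos/tests."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


if __name__ == "__main__":
    # Paths from the report: custom CAs in trusted-certs, bundle read by the clients.
    custom = "".join(p.read_text() for p in Path("/etc/gitlab/trusted-certs").glob("*.pem"))
    bundle = Path("/opt/gitlab/embedded/ssl/certs/cacert.pem").read_text()
    missing = missing_from_bundle(custom, bundle)
    print("missing from cacert.pem:", missing or "none")
    sys.exit(1 if missing else 0)
```

Run it as root on the GitLab host; a non-zero exit means at least one custom CA is absent from cacert.pem, and `merge_bundle` produces the bundle content to write back without duplicating certs that are already there.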

What is the expected correct behavior?

GitLab must allow my CA for any service from GitLab, using both the cacert and myca CAs.

Relevant logs and/or screenshots

Nothing in logs

Output of checks

Results of GitLab environment info

    $ sudo gitlab-rake gitlab:env:info

    System information
    System:         RedHatEnterpriseServer 6.9
    Proxy:          no
    Current User:   git
    Using RVM:      no
    Ruby Version:   2.3.7p456
    Gem Version:    2.6.14
    Bundler Version:1.13.7
    Rake Version:   12.3.1
    Redis Version:  3.2.11
    Git Version:    2.16.4
    Sidekiq Version:5.0.5
    Go Version:     unknown

    GitLab information
    Version:        10.8.3-ee
    Revision:       3e7879a
    Directory:      /opt/gitlab/embedded/service/gitlab-rails
    DB Adapter:     postgresql
    DB Version:     9.6.8
    URL:            https://xxxxxxxxxxxxxxxxxxxxxx
    HTTP Clone URL: https://xxxxxxxxxxxxxxxxxxxxxx/some-group/some-project.git
    SSH Clone URL:  git@xxxxxxxxxxxxxxxxxxxxxx:some-group/some-project.git
    Elasticsearch:  yes
    Geo:            no
    Using LDAP:     yes
    Using Omniauth: no

    GitLab Shell
    Version:        7.1.2
    Repository storage paths:
    - default:      /var/opt/gitlab/git-data/repositories
    Hooks:          /opt/gitlab/embedded/service/gitlab-shell/hooks
    Git:            /opt/gitlab/embedded/bin/git

Results of GitLab application Check

    Checking GitLab Shell ...

    GitLab Shell version >= 7.1.2 ? ... OK (7.1.2)
    Repo base directory exists?
    default... yes
    Repo storage directories are symlinks?
    default... no
    Repo paths owned by git:root, or git:git?
    default... yes
    Repo paths access is drwxrws---?
    default... yes
    hooks directories in repos are links: ...
    XXXX/YYYY ... ok
    Redis version >= 2.8.0? ... yes
    Ruby version >= 2.3.5 ? ... yes (2.3.7)
    Git version >= 2.9.5 ? ... yes (2.16.4)
    Git user has default SSH configuration? ... no
    ...
    Active users: ... xxx
    Elasticsearch version 5.1 - 5.5? ... no (5.6.9)
      For more information see:
      doc/integration/elasticsearch.md

Possible fixes

In reconfigure, maybe append the custom CAs to cacert.pem, or use all CAs configured for GitLab.

Edited by Ahmet Demir