Jira Integration SSL certificate verify failed
Summary
I am trying to get the Jira integration running. Both Jira and GitLab are running internally on self-hosted VMs.
Steps to reproduce
We set up GitLab with an internal SSL certificate which was created by our Domain Controller CA.
- Domain-CA
- gitlab.domain.local
Our Jira is also reachable from the internet and uses a Sectigo certificate.
- Sectigo-CA
- Sectigo-Intermediate
- our-Domain
- Sectigo-Intermediate
After configuring the Jira integration (URL, user and password) we ran "Test and save" and got the error below.
What is the current bug behavior?
/var/log/gitlab/gitlab-rails/integrations_json.log
{"severity":"ERROR","time":"2020-07-12T19:39:57.705Z","correlation_id":"xxxxxxxx","service_class":"JiraService","project_id":31,"project_path":"xxx/jira-test","message":"Error sending message","client_url":"https://xxxxxxx/jira","error":"SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)"}
What is the expected correct behavior?
We also used the "save anyway" option, did some test commits, and got the same error in the integration.log /var/log/gitlab/gitlab-rails/integrations_json.log
What I already tried
I added the Root CA of the Jira SSL to the CentOS ca-trust and also the complete SSL chain (root-ca, intermediate, jira-ssl). A curl -v https://xxxxxx.com to our Jira works fine:
[root@gitlab trusted-certs]# curl -v https://xxxx.com/jira
* About to connect() to xxxx.com port 443 (#0)
* Trying xx.xx.xx.xx...
* Connected to xxxx.com (xx.xx.xx.xx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=xxxx.com.OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
* start date: Oct 14 00:00:00 2019 GMT
* expire date: Oct 13 23:59:59 2021 GMT
* common name: xxxx.com
* issuer: CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
> GET /jira HTTP/1.1
> User-Agent: curl/7.29.0
> Host: xxxx.com
> Accept: */*
After a GitLab restart and a server reboot with no change to the error, I tried, as suggested in gitlab-foss#19426 (comment 12957499), to use the generated chain as /etc/gitlab/trusted-certs/gen-chain.crt
I also tried, as suggested in gitlab-foss#46889 (closed), to use the generated chain from the tool https://github.com/zakjan/cert-chain-resolver
But I could not get it to work.
Is there any way to check which certificate GitLab uses to verify? Maybe the files from /etc/gitlab/trusted-certs are not correctly named and therefore not used/read.
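
The following is an added example, not part of the original report and not GitLab's own code: it reproduces the OpenSSL error from the log line above with a constructed root, intermediate and leaf, and shows the two conditions under which verification passes. The CA names, the demo-*.example.test subjects and all file names are assumptions made up for the demo; it uses whichever `openssl` binary is on PATH.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, root CA -> intermediate CA -> leaf.
# All names and file paths are made up; nothing here comes from the report.

make_pki() {  # $1 = empty working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for n in root int leaf; do  # one key and CSR per certificate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n.example.test" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root; root signs the intermediate; intermediate signs the leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# Case 1: trust store holds only the root, peer presents only the leaf.
# The leaf's issuer (the intermediate) cannot be found, so verification fails.
verify_leaf_only() { openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" 2>&1; }

# Case 2: same trust store, but the peer also presents the intermediate.
verify_with_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" 2>&1
}

# Case 3: peer presents only the leaf, intermediate added to the trust store.
verify_with_trusted_int() {
  cat "$1/root.crt" "$1/int.crt" > "$1/bundle.crt"
  openssl verify -CAfile "$1/bundle.crt" "$1/leaf.crt" 2>&1
}

demo() {
  w=$(mktemp -d) && make_pki "$w" || return 1
  echo "--- leaf only, root trusted";          verify_leaf_only "$w"
  echo "--- leaf + intermediate presented";    verify_with_chain "$w"
  echo "--- leaf only, intermediate trusted";  verify_with_trusted_int "$w"
  rm -rf "$w"
}
demo
```

A client passes or fails depending on the trust store it actually reads: the curl run above used NSS with /etc/pki/tls/certs/ca-bundle.crt, while an Omnibus GitLab install bundles its own OpenSSL at /opt/gitlab/embedded/bin/openssl, so the same checks should be repeated with that binary.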