Jira Integration SSL certificate verify failed

Summary

I am trying to get the Jira integration running. Both Jira and GitLab are running internally on self-hosted VMs.

Steps to reproduce

We set up GitLab with an internal SSL certificate which was created by our Domain Controller CA.

  • Domain-CA
    • gitlab.domain.local

Our Jira is also reachable from the internet and uses a Sectigo certificate.

  • Sectigo-CA
    • Sectigo-Intermediate
      • our-Domain

After configuring the Jira integration (URL, user and password), we ran "test and save" and got the error below.

What is the current bug behavior?

/var/log/gitlab/gitlab-rails/integrations_json.log

{"severity":"ERROR","time":"2020-07-12T19:39:57.705Z","correlation_id":"xxxxxxxx","service_class":"JiraService","project_id":31,"project_path":"xxx/jira-test","message":"Error sending message","client_url":"https://xxxxxxx/jira","error":"SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)"}

What is the expected correct behavior?

We also used the "save anyway" option, did some test commits, and got the same error in the integration.log /var/log/gitlab/gitlab-rails/integrations_json.log

What I already tried

I added the root CA of the Jira SSL to the CentOS ca-trust and also the complete SSL chain (root-ca, intermediate, jira-ssl). A curl -v https://xxxxxx.com to our Jira works fine.

[root@gitlab trusted-certs]# curl -v https://xxxx.com/jira

  • About to connect() to xxxx.com port 443 (#0)
  • Trying xx.xx.xx.xx...
  • Connected to xxxx.com (xx.xx.xx.xx) port 443 (#0)
  • Initializing NSS with certpath: sql:/etc/pki/nssdb
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
  • SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Server certificate:
  • subject: CN=xxxx.com.OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
  • start date: Oct 14 00:00:00 2019 GMT
  • expire date: Oct 13 23:59:59 2021 GMT
  • common name: xxxx.com
  • issuer: CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

GET /jira HTTP/1.1
User-Agent: curl/7.29.0
Host: xxxx.com
Accept: */*

After a GitLab restart and a server reboot with no change to the error, I tried, as suggested in gitlab-foss#19426 (comment 12957499), to use the generated chain to /etc/gitlab/trusted-certs/gen-chain.crt

I also tried, as suggested in gitlab-foss#46889 (closed), to use the generated chain from the tool https://github.com/zakjan/cert-chain-resolver

But I could not get it to work.

Is there any way to check which certificate GitLab uses to verify? Maybe the files from /etc/gitlab/trusted-certs are not correctly named and therefore not used/read.

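The "unable to get local issuer certificate" error in the log above can be reproduced offline with Ruby's OpenSSL bindings. The following is an added example, not part of the original report or of GitLab's code: it builds a constructed root, intermediate and leaf chain in memory and shows which combinations of local trust store and server-sent certificates verify. All names and helper functions are hypothetical.

```ruby
require "openssl"

# Constructed chain generated in memory: root CA -> intermediate CA -> leaf.
# All names are placeholders, not the certificates from the report.
def issue(cn, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject # self-signed if no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  factory = OpenSSL::X509::ExtensionFactory.new
  constraint = ca ? "CA:TRUE" : "CA:FALSE"
  cert.add_extension(factory.create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Verify `leaf` the way an OpenSSL-based client does: `trusted` is the local
# trust store, `sent` is any extra certificates the server presented.
def check(leaf, trusted:, sent: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, sent)
  [ok, store.error_string]
end

ROOT, ROOT_KEY = issue("Example Root CA", ca: true, serial: 1)
INTER, INTER_KEY = issue("Example Intermediate CA",
                         issuer: ROOT, issuer_key: ROOT_KEY, ca: true, serial: 2)
LEAF, = issue("jira.example.test", issuer: INTER, issuer_key: INTER_KEY, serial: 3)

CASES = {
  # Root is trusted, but nothing links the leaf to it: the error from the log.
  leaf_only: check(LEAF, trusted: [ROOT]),
  # Server sends the intermediate alongside the leaf: path can be built.
  server_sends_intermediate: check(LEAF, trusted: [ROOT], sent: [INTER]),
  # Intermediate installed locally next to the root: path can be built.
  intermediate_in_store: check(LEAF, trusted: [ROOT, INTER]),
}
CASES.each { |name, (ok, err)| puts format("%-28s ok=%-5s %s", name, ok, err) }
```

The same `check` helper can be pointed at real PEM files by loading them with `OpenSSL::X509::Certificate.new(File.read(path))`, which shows whether a given set of files forms a complete path to a trusted root.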