The error is back in 10.1: Net::LDAP::Error (SSL_connect returned=1 errno=0 state=error: certificate verify failed)

Background: after the upgrade from 9.5.5-ee to 10.1.0-ee, users cannot log in over LDAP, nor can they do any git remote operations with https:// URLs outside of the Kerberized domain. Kerberos and ssh seem to be unaffected.

This has been reported many times (https://gitlab.com/gitlab-org/gitlab-ce/issues/36330, https://gitlab.com/gitlab-org/gitlab-ce/issues/35816, https://gitlab.com/gitlab-org/gitlab-ce/issues/35752) and reported fixed in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/13185. However, I am getting exactly the same error well past that version.

We are using the certificate signed by the internal company CA; can this be a clue? But one of the reporters also did.

Here are the relevant log snippets:

==> /var/log/gitlab/nginx/gitlab_access.log <==
10.40.1.15 - - [30/Oct/2017:13:48:56 -0700] "GET /d*****e/re******ry.git/info/refs?service=git-upload-pack HTTP/1.1" 401 26 "" "git/2.11.0"

==> /var/log/gitlab/gitlab-rails/production.log <==
Started GET "/d*****e/re******ry.git/info/refs?service=git-upload-pack" for 10.40.1.15 at 2017-10-30 13:48:56 -0700
Processing by Projects::GitHttpController#info_refs as */*
  Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"d*****e", "project_id"=>"re******ry.git"}
Completed 500 Internal Server Error in 26ms (ActiveRecord: 1.9ms | Elasticsearch: 0.0ms)

==> /var/log/gitlab/gitlab-rails/production_json.log <==
{"method":"GET","path":"/d*****e/re******ry.git/info/refs","format":"*/*","controller":"Projects::GitHttpController","action":"info_refs","status":500,"error":"Net::LDAP::Error: SSL_connect returned=1 errno=0 state=error: certificate verify failed","duration":26.93,"view":0.0,"db":1.93,"time":"2017-10-30T20:48:56.963Z","params":{"service":"git-upload-pack","namespace_id":"d*****e","project_id":"re******ry.git"},"remote_ip":"10.40.1.15","user_id":null,"username":null}

==> /var/log/gitlab/gitlab-rails/production.log <==

Net::LDAP::Error (SSL_connect returned=1 errno=0 state=error: certificate verify failed):
  lib/gitlab/ldap/authentication.rb:37:in `login'
  lib/gitlab/ldap/authentication.rb:18:in `block in login'
  lib/gitlab/ldap/authentication.rb:16:in `each'
  lib/gitlab/ldap/authentication.rb:16:in `find'
  lib/gitlab/ldap/authentication.rb:16:in `login'
  lib/gitlab/auth.rb:58:in `block in find_with_user_password'
  lib/gitlab/auth/unique_ips_limiter.rb:17:in `limit_user!'
  lib/gitlab/auth.rb:49:in `find_with_user_password'
  lib/gitlab/auth.rb:107:in `user_with_password_for_git'
  lib/gitlab/auth.rb:32:in `find_for_git_client'
  app/controllers/projects/git_http_client_controller.rb:99:in `handle_basic_authentication'
  app/controllers/projects/git_http_client_controller.rb:35:in `authenticate_user'
  lib/gitlab/i18n.rb:47:in `with_locale'
  lib/gitlab/i18n.rb:53:in `with_user_locale'
  app/controllers/application_controller.rb:349:in `set_locale'
  lib/gitlab/middleware/multipart.rb:93:in `call'
  lib/gitlab/request_profiler/middleware.rb:14:in `call'
  lib/gitlab/jira/middleware.rb:15:in `call'
  lib/gitlab/middleware/go.rb:17:in `call'
  lib/gitlab/etag_caching/middleware.rb:11:in `call'
  lib/gitlab/middleware/read_only.rb:30:in `call'
  lib/gitlab/request_context.rb:18:in `call'
  lib/gitlab/metrics/requests_rack_middleware.rb:27:in `call'

==> /var/log/gitlab/gitlab-workhorse/current <==
2017-10-30_20:48:56.99304 gitlab.a2i2.c @ - - [2017-10-30 13:48:56.946374136 -0700 PDT] "GET /d*****e/re******ry.git/info/refs?service=git-upload-pack HTTP/1.1" 500 2902 "" "git/2.11.0" 0.046503
Edited Oct 31, 2017 by Kirill 'kkm' Katsnelson
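
The report above asks whether a certificate signed by an internal CA could be a clue. As an added illustration (not code from the report or from GitLab), this Ruby script shows how OpenSSL chain verification behaves for such a certificate when the issuing CA is absent from the trust store and when it is present. The CA and host names are constructed placeholders, and the script does not diagnose the reported regression.

```ruby
require "openssl"

# Build an X.509 v3 certificate. With no issuer given it is self-signed (a CA).
def make_cert(cn, key, issuer: nil, issuer_key: nil, serial: 1)
  ca = issuer.nil?
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # value 2 means X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca ? cert.subject : issuer.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(ca ? key : issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify `leaf` against an explicit trust store holding only `trusted` certs.
# Returns [verified?, OpenSSL's error string].
def verify_against(leaf, trusted)
  store = OpenSSL::X509::Store.new      # starts empty; no system CAs are loaded
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf)
  [ok, store.error_string]
end

# Constructed sample PKI: names are placeholders, not values from the report.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("Example Internal CA", ca_key)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = make_cert("ldap.example.internal", leaf_key, issuer: ca, issuer_key: ca_key, serial: 2)
  { without_ca: verify_against(leaf, []), with_ca: verify_against(leaf, [ca]) }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, (ok, err)| puts "#{label}: verified=#{ok} (#{err})" }
end
```

A client whose trust store lacks the issuing CA rejects the server certificate, which Ruby's TLS layer surfaces as `certificate verify failed`; the same certificate verifies once the CA is in the store.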