The gitlab-ctl reconfigure command in GitLab CE version 17.0.2 fails to properly apply certain specific parameters.

Summary

gitlab/gitlab-ce:17.0.2-ce.0

In a Docker environment, when configuring the gitlab.rb file, I encounter an issue where specifying the addresses for gitlab_pages['cert'] and gitlab_pages['cert_key'] to set up GitLab Pages does not take effect—the default values are still reflected in the generated gitlab-pages.conf instead of my custom paths.

Strikingly, when I configure the SSL certificate and key paths for GitLab NGINX via nginx['ssl_certificate'] and nginx['ssl_certificate_key'], they correctly take effect in the gitlab-http.conf.

Each time after running gitlab-ctl reconfigure, manual intervention is necessitated to adjust the certificate paths within gitlab-pages.conf.

I encounter the same scenario when setting these paths via environment variables in the docker-compose.yml file.

```yaml
version: '3.6'
services:
  gitlab:
    image: gitlab/gitlab-ce:17.0.2-ce.0
    container_name: gitlab
    restart: always
    hostname: 'gitlab.xxx.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        # Add any other gitlab.rb configuration here, each on its own line
        external_url 'https://gitlab.xxx.com'
        # GitLab NGINX
        # The parameter is effective.
        nginx['ssl_certificate'] = "/usr/share/ssl/xxx.com/fullchain.pem"
        nginx['ssl_certificate_key'] = "/usr/share/ssl/xxx.com/privkey.pem"
        # GitLab Pages
        pages_external_url "https://pages.xxx.com/"
        gitlab_pages['enable'] = true
        gitlab_pages['redirect_http'] = true
        gitlab_pages['use_http2'] = true
        gitlab_pages['access_control'] = true
        # Invalid parameter, no parameter effect.
        gitlab_pages['cert'] = "/usr/share/ssl/xxx.com/fullchain.pem"
        gitlab_pages['cert_key'] = "/usr/share/ssl/xxx.com/privkey.pem"
    volumes:
      - '/mnt/drive0/opt/gitlab/config:/etc/gitlab'
      - '/mnt/drive0/opt/gitlab/logs:/var/log/gitlab'
      - '/mnt/drive0/opt/gitlab/data:/var/opt/gitlab'
      - '/mnt/drive0/share/ssl:/usr/share/ssl' # my ssl dir
    shm_size: '256m'
```

Steps to reproduce

  1. Initialize a new Docker GitLab container.
  2. Obtain a personal SSL certificate and designate its storage path.
  3. Adjust the gitlab.rb configuration file, assigning the same certificate path to both NGINX parameters (nginx['ssl_certificate'], nginx['ssl_certificate_key']) and GitLab Pages settings (gitlab_pages['cert'], gitlab_pages['cert_key']).
  4. Alternatively, utilize the provided docker-compose.yml file to manage the container setup with the aforementioned configurations.

What is the current bug behavior?

Due to an error in acquiring the nginx certificate, the nginx service fails to start normally.

What is the expected correct behavior?

Properly write the configurations into the gitlab-pages.conf file.

Relevant logs and/or screenshots

nginx error.log:

```
2024/06/15 07:58:03 [emerg] 10903#0: cannot load certificate "/etc/gitlab/ssl/pages.xxx.com.crt": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/gitlab/ssl/pages.xxx.com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2024/06/15 07:58:04 [emerg] 10904#0: cannot load certificate "/etc/gitlab/ssl/pages.xxx.com.crt": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/gitlab/ssl/pages.xxx.com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2024/06/15 07:58:05 [emerg] 10906#0: cannot load certificate "/etc/gitlab/ssl/pages.xxx.com.crt": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/gitlab/ssl/pages.xxx.com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
```


Results of GitLab environment info

docker image:gitlab-ce:17.0.2

Results of GitLab application Check


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:check SANITIZE=true`)

```
root@gitlab:/# gitlab-rake gitlab:check SANITIZE=true
Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 14.35.0 ? ... OK (14.35.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab App ...

Database config exists? ... yes
Tables are truncated? ... skipped
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Cable config exists? ... yes
Resque config exists? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ... 
2/1 ... yes
2/2 ... yes
2/3 ... yes
2/6 ... yes
2/8 ... yes
2/21 ... yes
2/25 ... yes
2/26 ... yes
2/27 ... yes
2/28 ... yes
2/29 ... yes
2/30 ... yes
2/32 ... yes
14/33 ... yes
2/34 ... yes
13/35 ... yes
2/36 ... yes
2/37 ... yes
3/38 ... yes
17/46 ... yes
2/47 ... yes
2/48 ... yes
2/49 ... yes
2/50 ... yes
2/52 ... yes
2/53 ... yes
2/54 ... yes
18/55 ... yes
19/56 ... yes
20/58 ... yes
22/60 ... yes
2/62 ... yes
3/64 ... yes
2/66 ... yes
2/72 ... yes
2/74 ... yes
2/75 ... yes
2/76 ... yes
2/77 ... yes
2/78 ... yes
2/80 ... yes
2/82 ... yes
2/84 ... yes
20/87 ... yes
20/88 ... yes
20/89 ... yes
20/90 ... yes
20/91 ... yes
28/92 ... yes
2/93 ... yes
20/94 ... yes
3/98 ... yes
3/100 ... yes
28/101 ... yes
20/102 ... yes
28/103 ... yes
20/104 ... yes
20/105 ... yes
2/107 ... yes
2/108 ... yes
Redis version >= 6.2.14? ... yes
Ruby version >= 3.0.6 ? ... yes (3.1.5)
Git user has default SSH configuration? ... yes
Active users: ... 4
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes

Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished
```


Possible fixes

After executing gitlab-ctl reconfigure each time, it's necessary to manually amend the gitlab-http.conf file.
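
A pre-restart check for the failure shown in the nginx error.log above, as an added example that is not part of the original report or of GitLab's own tooling: given a rendered NGINX config (for instance the generated gitlab-pages.conf, passed as an argument inside the container), it prints every `ssl_certificate` / `ssl_certificate_key` directive whose file cannot be read. The function names are hypothetical, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: find TLS files referenced by a rendered NGINX config
# that NGINX will fail to open ("cannot load certificate ... no such file").

# Print "directive path" for each ssl_certificate / ssl_certificate_key line.
# Comments are stripped first; optional quotes and the ';' are removed.
tls_paths() {
  sed -E -n 's/#.*$//; s/^[[:space:]]*(ssl_certificate(_key)?)[[:space:]]+"?([^";[:space:]]+)"?[[:space:]]*;.*$/\1 \3/p' "$1"
}

# Print the directives whose file is missing or unreadable.
# Exit status: 0 if every referenced file is readable, 1 otherwise.
unreadable_tls_paths() (
  status=0
  while read -r directive path; do
    [ -n "$path" ] || continue          # skip the empty line of an empty list
    if [ ! -r "$path" ]; then
      printf '%s %s\n' "$directive" "$path"
      status=1
    fi
  done <<EOF
$(tls_paths "$1")
EOF
  exit "$status"
)

# Constructed sample: the certificate exists, the key path does not.
demo() (
  d=$(mktemp -d)
  touch "$d/fullchain.pem"
  printf 'server {\n  ssl_certificate %s/fullchain.pem;\n  ssl_certificate_key %s/privkey.pem;\n}\n' \
    "$d" "$d" > "$d/sample.conf"
  unreadable_tls_paths "$d/sample.conf" | sed "s|$d|<tmp>|"
  rm -rf "$d"
)

# With an argument, check that config file; the exit status reports the result.
if [ "$#" -gt 0 ]; then
  unreadable_tls_paths "$1"
fi
```

Running it after each `gitlab-ctl reconfigure` shows whether the generated config still points at a certificate path that does not exist before NGINX is restarted.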