
Allow self-signed certs when adding certs to a pages domain

Janis Altherr requested to merge fix-cf-ssl-not-working-with-pages into master

What does this MR do and why?

This MR solves #356447 (closed)

In !71697 (merged) we introduced a validation of the entire certificate chain that was added to a pages domain, with the focus on certs automatically added by Let's Encrypt.

Unfortunately, this broke some workflows, as published on our blog, whereby users use a Cloudflare Origin Certificate to use TLS encryption between CF and GitLab Pages.

Origin Certificates, however, are signed by Cloudflare itself and thus cause a "self-signed cert in chain" error when validated against the system trust store.

With this MR I propose exempting "self-signed cert in chain" errors because:

  • we're not establishing an SSL connection here, just validating the input
  • the SSL connection needs to be validated by the client that will later use this cert. This client should have its own agency to decide whether to accept a given certificate or not.

How to set up and validate locally

See this blog post for instructions: https://about.gitlab.com/blog/2017/02/07/setting-up-gitlab-pages-with-cloudflare-certificates/

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

cc @mmacfarlane

Edited by Janis Altherr
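To make the proposed behaviour concrete, here is an added, stand-alone Ruby/OpenSSL example (not code from this MR or from GitLab) that validates a chain against the system trust store while tolerating only `V_ERR_SELF_SIGNED_CERT_IN_CHAIN`; every other verification error still fails. The "Example Origin CA" and leaf certificate are constructed in the example to stand in for a Cloudflare origin-CA chain and are not real certificates.

```ruby
require "openssl"

# Constructed example: a private CA (standing in for the Cloudflare origin CA)
# and a leaf certificate it signs. Neither is in the system trust store.
def build_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = build_cert("/CN=Example Origin CA", CA_KEY, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = build_cert("/CN=pages.example.test", LEAF_KEY, issuer: CA_CERT, issuer_key: CA_KEY)

# Validates leaf + intermediates against the system trust store.
# With exempt_self_signed: true, only V_ERR_SELF_SIGNED_CERT_IN_CHAIN is
# tolerated (the origin-certificate case); any other verification error,
# such as a missing issuer or an expired certificate, still fails.
# Returns [ok, list of error codes seen].
def validate_chain(leaf, intermediates, exempt_self_signed:)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  errors = []
  store.verify_callback = lambda do |preverify_ok, ctx|
    if preverify_ok
      true
    else
      errors << ctx.error
      exempt_self_signed && ctx.error == OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    end
  end
  [store.verify(leaf, intermediates), errors.uniq]
end

if __FILE__ == $PROGRAM_NAME
  p validate_chain(LEAF_CERT, [CA_CERT], exempt_self_signed: false) # => [false, [19]]
  p validate_chain(LEAF_CERT, [CA_CERT], exempt_self_signed: true)  # => [true, [19]]
  p validate_chain(LEAF_CERT, [], exempt_self_signed: true)         # issuer missing: still fails
end
```

The third call shows the caveat a reviewer would look for: the exemption must be scoped to that one error code, so a chain that is merely incomplete or otherwise broken is still rejected.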
