Custom CACert are ignored for Elasticsearch global search
### Summary

Custom certs are not used in GitLab with global search & LFS.

### Steps to reproduce

1. Enable global search following https://docs.gitlab.com/ee/integration/elasticsearch.html with an SSL Elasticsearch endpoint
2. gitlab-rake gitlab:elastic:create_empty_index

### Example Project

n/a

### What is the current *bug* behavior?

GitLab ignores my CA.

1. Add my CA: /etc/gitlab/trusted-certs/myca.pem
2. Run reconfigure
3. /opt/gitlab/embedded/ssl/certs/e385f43f.0 was created

```
curl --cacert /opt/gitlab/embedded/ssl/certs/cacert.pem https://myes.lan:9200
# KO
curl --cacert /opt/gitlab/embedded/ssl/certs/e385f43f.0 https://myes.lan:9200
# OK
```

4. gitlab-rake gitlab:elastic:create_empty_index

But I still got an error 500 with SSL Error.

Now copy the content to cacert:

```
cat /opt/gitlab/embedded/ssl/certs/e385f43f.0 >> /opt/gitlab/embedded/ssl/certs/cacert.pem
gitlab-ctl restart
```

Both work:

```
curl --cacert /opt/gitlab/embedded/ssl/certs/cacert.pem https://myes.lan:9200
# OK
curl --cacert /opt/gitlab/embedded/ssl/certs/e385f43f.0 https://myes.lan:9200
# OK
```

Run gitlab-rake gitlab:elastic:create_empty_index: OK

### What is the expected *correct* behavior?

GitLab must allow my CA for any services from GitLab using both cacert and myca CAs.
### Relevant logs and/or screenshots

Nothing in logs

### Output of checks

#### Results of GitLab environment info

<details>
<summary>Expand for output related to GitLab environment info</summary>
<pre>
$ sudo gitlab-rake gitlab:env:info

System information
System: RedHatEnterpriseServer 6.9
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.3.7p456
Gem Version: 2.6.14
Bundler Version:1.13.7
Rake Version: 12.3.1
Redis Version: 3.2.11
Git Version: 2.16.4
Sidekiq Version:5.0.5
Go Version: unknown

GitLab information
Version: 10.8.3-ee
Revision: 3e7879a
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
DB Version: 9.6.8
URL: https://xxxxxxxxxxxxxxxxxxxxxx
HTTP Clone URL: https://xxxxxxxxxxxxxxxxxxxxxx/some-group/some-project.git
SSH Clone URL: git@xxxxxxxxxxxxxxxxxxxxxx:some-group/some-project.git
Elasticsearch: yes
Geo: no
Using LDAP: yes
Using Omniauth: no

GitLab Shell
Version: 7.1.2
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git
</pre>
</details>

#### Results of GitLab application Check

<details>
<summary>Expand for output related to the GitLab application check</summary>
<pre>
Checking GitLab Shell ...

GitLab Shell version >= 7.1.2 ? ... OK (7.1.2)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:root, or git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
XXXX/YYYY ... ok
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.3.7)
Git version >= 2.9.5 ? ... yes (2.16.4)
Git user has default SSH configuration? ... no
...
Active users: ... xxx
Elasticsearch version 5.1 - 5.5? ... no (5.6.9)
For more information see:
doc/integration/elasticsearch.md
</pre>
</details>

### Possible fixes

In reconfigure, maybe append custom CAs to cacert or use all CAs configured for GitLab.
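
The trust-store behavior behind the report's curl results can be reproduced offline with Ruby's OpenSSL bindings. This is an added example, not code from the issue or from GitLab: the certificates, CA names and temporary directory are constructed, and the premise that a failing client reads only the bundle file is an assumption about the cause, not something the report confirms.

```ruby
require "openssl"
require "tmpdir"

# Build a self-signed CA, or a leaf signed by issuer_cert (constructed test data).
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  ca_flag = issuer_cert ? "CA:FALSE" : "CA:TRUE"
  cert.add_extension(ef.create_extension("basicConstraints", ca_flag, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Verify `leaf` against a store built from a bundle file and/or a hashed directory.
def trusted?(leaf, file: nil, path: nil)
  store = OpenSSL::X509::Store.new
  store.add_file(file) if file
  store.add_path(path) if path
  store.verify(leaf)
end

def trust_check
  Dir.mktmpdir do |dir|
    ca_key = OpenSSL::PKey::RSA.new(2048)
    my_ca = make_cert("Constructed private CA", ca_key)
    public_ca = make_cert("Constructed public CA", OpenSSL::PKey::RSA.new(2048))
    leaf = make_cert("myes.lan", OpenSSL::PKey::RSA.new(2048),
                     issuer_cert: my_ca, issuer_key: ca_key)

    bundle = File.join(dir, "cacert.pem")            # stand-in for the bundled cacert.pem
    File.write(bundle, public_ca.to_pem)
    # Hashed file name of the kind reconfigure creates (e385f43f.0 in the report).
    File.write(File.join(dir, format("%08x.0", my_ca.subject.hash)), my_ca.to_pem)

    before = trusted?(leaf, file: bundle)            # client that reads only the bundle
    with_dir = trusted?(leaf, file: bundle, path: dir)
    File.write(bundle, my_ca.to_pem, mode: "a")      # the report's workaround
    after = trusted?(leaf, file: bundle)
    { bundle_only: before, bundle_plus_hashed_dir: with_dir, bundle_after_append: after }
  end
end

p trust_check if $PROGRAM_NAME == __FILE__
```

Pointing `trusted?` at a real bundle and certificate directory on a host shows whether a given server certificate verifies through the bundle file alone or only through the hashed directory.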