Pages access control doesn't pick up custom CA certs on authentication
Problem to solve
Pages access control doesn't pick up custom CA certs on authentication. Pages access control is not usable.
Further details
Running GitLab with a self-signed certificate resolved by a reverse proxy.
==> /var/log/gitlab/gitlab-pages/current <==
...
level=debug msg="Fetching access token failed" error="Post https://<git domain>/oauth/token: x509: certificate signed by unknown authority" host=...
# results in a 503
echo -n | openssl s_client -connect <git domain>:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/ssl/certs/gitlab.crt
# ca-certificates
yum install ca-certificates
update-ca-trust force-enable
cp /etc/ssl/certs/gitlab.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
gitlab-ctl reconfigure
# doesn't work :(
# https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates
cp /etc/ssl/certs/gitlab.crt /etc/gitlab/trusted-certs/
gitlab-ctl reconfigure
# doesn't work :(
# hack
cat /etc/ssl/certs/gitlab.crt >> /opt/gitlab/embedded/ssl/certs/cacert.pem
gitlab-ctl reconfigure
# works :)
What else do you need?
Proposal
Pages access control takes /etc/gitlab/trusted-certs/ or ca-certificates into account.
What does success look like, and how can we measure that?
Pages access control works on GitLab with a self-signed certificate resolved by a reverse proxy.
Links / references
https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates
https://docs.gitlab.com/ee/administration/pages/#using-a-custom-certificate-authority-ca
Edited by Ben Bodenmiller