GitLab.org / omnibus-gitlab / Issues / #2275
Closed
Open
Created Apr 25, 2017 by Andrew Liles (@spilk)

Perl required for 'trusted-certs' functionality, not embedded

When placing certificates in /etc/gitlab/trusted-certs, recipe gitlab::add_trusted_certs is run, which eventually calls method c_rehash in certificate-helper.rb. This shells out to c_rehash in /opt/gitlab/embedded/bin, which requires a perl interpreter to run. Since gitlab-omnibus does not embed perl, and this is not necessarily installed on the system (the rpm of course does not specify it as a prerequisite), the certificates never get installed because c_rehash does not create the appropriate symlinks in /etc/gitlab/trusted-certs.

Steps to recreate on fresh install:

  • Install minimal CentOS 7
  • Follow install steps on https://about.gitlab.com/downloads/#centos7 including initial gitlab-ctl reconfigure
  • Place a certificate in /etc/gitlab/trusted-certs (e.g. curl https://letsencrypt.org/certs/isrgrootx1.pem.txt > /etc/gitlab/trusted-certs/isrgrootx1.pem)
  • Run gitlab-ctl reconfigure

Expected outcome:

  • Symlink to certificate in /etc/gitlab/trusted-certs/ (linking to /etc/trusted-certs-isrgrootx1.pem)
  • Symlink to certificate in /opt/gitlab/embedded/ssl/certs/

Actual outcome:

When gitlab::add_trusted_certs runs, the certificate is not installed because a hash symlink isn't found in /etc/gitlab/trusted-certs/ (because it was never created). No error message indicating c_rehash failed to run is shown.

gitlab-ctl reconfigure output:

...
Recipe: gitlab::add_trusted_certs
  * directory[/etc/gitlab/trusted-certs] action create (up to date)
  * directory[/opt/gitlab/embedded/ssl/certs] action create (up to date)
  * file[/opt/gitlab/embedded/ssl/certs/README] action create (up to date)
  * ruby_block[Move existing certs and link to /opt/gitlab/embedded/ssl/certs] action run

  * Moving existing certificates found in /opt/gitlab/embedded/ssl/certs

  * Symlinking existing certificates found in /etc/gitlab/trusted-certs

 Skipping /etc/gitlab/trusted-certs/isrgrootx1.pem.
...

Installing the system perl package via yum works around the problem:

# yum install perl
...
# touch /etc/gitlab/trusted-certs/isrgrootx1.pem
# gitlab-ctl reconfigure
...
# ls -l /etc/gitlab/trusted-certs
total 4
lrwxrwxrwx. 1 root root   14 Apr 25 13:23 4042bcee.0 -> isrgrootx1.pem
-rwxr-xr-x. 1 root root 1967 Apr 25 13:23 isrgrootx1.pem
# ls -l /opt/gitlab/embedded/ssl/certs/
total 264
lrwxrwxrwx. 1 root root     40 Apr 25 13:23 4042bcee.0 -> /etc/gitlab/trusted-certs/isrgrootx1.pem
-rw-r--r--. 1 root root 263781 Apr 22 06:36 cacert.pem
-rw-r--r--. 1 root root    147 Apr 25 13:14 README
#

  • OS: CentOS Linux release 7.3.1611 (Core)
  • Gitlab-Omnibus version: gitlab-ce-9.1.0-ce.0.el7.x86_64
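
Because the failure reported above is silent, it can be caught with a check run after `gitlab-ctl reconfigure`. The script below is an added example, not part of the original issue or of omnibus-gitlab; the function names and script name are hypothetical, and the paths are the ones quoted in the report.

```shell
#!/bin/sh
# Added example: paths are those quoted in the issue; function names are hypothetical.

# Print each regular file in DIR that no hash-named symlink (such as
# 4042bcee.0) in the same directory resolves to. These are the files the
# add_trusted_certs recipe reports as "Skipping".
unhashed_certs() {
    dir=$1
    for cert in "$dir"/*; do
        [ -f "$cert" ] && [ ! -L "$cert" ] || continue
        found=no
        for link in "$dir"/*.[0-9]*; do
            [ -L "$link" ] || continue
            case ${link##*/} in
                [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
                *) continue ;;
            esac
            # -ef: the link and the certificate resolve to the same file
            [ "$link" -ef "$cert" ] && found=yes && break
        done
        [ "$found" = yes ] || echo "${cert##*/}"
    done
}

# Succeed only if the interpreter on SCRIPT's "#!" line is available.
# The issue reports that c_rehash needs perl, which may not be installed.
interpreter_present() {
    [ -r "$1" ] || return 1
    first=
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case $first in
        '#!'*) ;;
        *) return 0 ;;                      # no shebang line, nothing to check
    esac
    set -- ${first#??}                      # split into interpreter and arguments
    [ "${1##*/}" = env ] && shift           # handle "#!/usr/bin/env perl"
    command -v "${1:-}" >/dev/null 2>&1
}

# Run the audit with:  sh check-trusted-certs.sh --check
if [ "${1:-}" = --check ]; then
    interpreter_present /opt/gitlab/embedded/bin/c_rehash ||
        echo "c_rehash: interpreter missing, hash symlinks will not be created"
    unhashed_certs /etc/gitlab/trusted-certs | sed 's/^/no hash symlink: /'
fi
```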