
Perl required for 'trusted-certs' functionality, not embedded

When placing certificates in /etc/gitlab/trusted-certs, recipe gitlab::add_trusted_certs is run, which eventually calls method c_rehash in certificate-helper.rb. This shells out to c_rehash in /opt/gitlab/embedded/bin, which requires a perl interpreter to run. Since gitlab-omnibus does not embed perl, and this is not necessarily installed on the system (the rpm of course does not specify it as a prerequisite) the certificates never get installed because c_rehash does not create the appropriate symlinks in /etc/gitlab/trusted-certs.

Steps to recreate on fresh install:

  • Install minimal CentOS 7
  • Follow install steps on https://about.gitlab.com/downloads/#centos7 including initial gitlab-ctl reconfigure
  • Place a certificate in /etc/gitlab/trusted-certs (e.g. curl https://letsencrypt.org/certs/isrgrootx1.pem.txt > /etc/gitlab/trusted-certs/isrgrootx1.pem)
  • Run gitlab-ctl reconfigure

Expected outcome:

  • Symlink to certificate in /etc/gitlab/trusted-certs/ (linking to /etc/trusted-certs-isrgrootx1.pem)
  • Symlink to certificate in /opt/gitlab/embedded/ssl/certs/

Actual outcome:

When gitlab::add_trusted_certs runs, the certificate is not installed because a hash symlink isn't found in /etc/gitlab/trusted-certs/ (because it was never created). No error message indicating c_rehash failed to run is shown.

gitlab-ctl reconfigure output:

...
Recipe: gitlab::add_trusted_certs
  * directory[/etc/gitlab/trusted-certs] action create (up to date)
  * directory[/opt/gitlab/embedded/ssl/certs] action create (up to date)
  * file[/opt/gitlab/embedded/ssl/certs/README] action create (up to date)
  * ruby_block[Move existing certs and link to /opt/gitlab/embedded/ssl/certs] action run

  * Moving existing certificates found in /opt/gitlab/embedded/ssl/certs

  * Symlinking existing certificates found in /etc/gitlab/trusted-certs

 Skipping /etc/gitlab/trusted-certs/isrgrootx1.pem.
...

Installing the system perl package via yum works around the problem:

# yum install perl
...
# touch /etc/gitlab/trusted-certs/isrgrootx1.pem
# gitlab-ctl reconfigure
...
# ls -l /etc/gitlab/trusted-certs
total 4
lrwxrwxrwx. 1 root root   14 Apr 25 13:23 4042bcee.0 -> isrgrootx1.pem
-rwxr-xr-x. 1 root root 1967 Apr 25 13:23 isrgrootx1.pem
# ls -l /opt/gitlab/embedded/ssl/certs/
total 264
lrwxrwxrwx. 1 root root     40 Apr 25 13:23 4042bcee.0 -> /etc/gitlab/trusted-certs/isrgrootx1.pem
-rw-r--r--. 1 root root 263781 Apr 22 06:36 cacert.pem
-rw-r--r--. 1 root root    147 Apr 25 13:14 README
#
  • OS: CentOS Linux release 7.3.1611 (Core)
  • Gitlab-Omnibus version: gitlab-ce-9.1.0-ce.0.el7.x86_64
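
A post-reconfigure check for the silent failure reported in this issue, added here as an example and not taken from omnibus-gitlab: it lists certificates that have no hash symlink and tests whether the interpreter on the rehash script's shebang line exists. The function names and the .pem/.crt/.cer filter are assumptions; the paths in the usage comment are the ones named in the issue.

```shell
#!/bin/sh
# Added example, not omnibus-gitlab code. The .pem/.crt/.cer filter is an assumption.

# Print each certificate file in directory $1 that no OpenSSL-style hash
# symlink (<8 hex digits>.<n>) in the same directory points to.
unhashed_certs() {
    dir=${1%/}
    for cert in "$dir"/*.pem "$dir"/*.crt "$dir"/*.cer; do
        # Skip unmatched globs and symlinks; only real files need a hash link.
        if [ ! -f "$cert" ] || [ -L "$cert" ]; then continue; fi
        found=no
        for link in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
            if [ ! -L "$link" ]; then continue; fi
            target=$(readlink "$link")
            case $target in /*) ;; *) target=$dir/$target ;; esac
            if [ "$target" = "$cert" ]; then found=yes; break; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$cert"; fi
    done
}

# Print the interpreter named on the shebang line of script $1 and succeed
# only if that interpreter can be found. Returns 2 if there is no shebang.
interpreter_present() {
    first=$(head -n 1 "$1") || return 2
    case $first in '#!'*) ;; *) return 2 ;; esac
    set -- ${first#'#!'}    # split e.g. "#!/usr/bin/env perl" into words
    interp=${1:-}
    if [ "${interp##*/}" = env ] && [ -n "${2:-}" ]; then interp=$2; fi
    printf '%s\n' "$interp"
    command -v "$interp" >/dev/null 2>&1
}

# Check directory $1 and rehash script $2; return non-zero on any finding.
check_trusted_certs() {
    rc=0
    if ! interp=$(interpreter_present "$2"); then
        echo "cannot run $2: interpreter '$interp' not found" >&2; rc=1
    fi
    missing=$(unhashed_certs "$1")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/no hash symlink for: /' >&2; rc=1
    fi
    return $rc
}

# Example: sh check.sh /etc/gitlab/trusted-certs /opt/gitlab/embedded/bin/c_rehash
if [ "$#" -eq 2 ]; then check_trusted_certs "$1" "$2"; fi
```

A non-zero exit after gitlab-ctl reconfigure flags the condition that the reconfigure output itself reports only as a "Skipping" line.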