Let's Encrypt integration does not serve intermediate certificate
Summary
GitLab's new Let's Encrypt integration does not serve the intermediate certificate through which Let's Encrypt's CA is trusted via the IdenTrust cross-signature.
This means that systems which trust only the IdenTrust root certificate, and not the Let's Encrypt CA certificate by itself, cannot verify the certificate chain.
This seems to affect even the GitLab Runner Docker images (gitlab/gitlab-runner on Docker Hub).
Steps to reproduce
- Install GitLab
- Set letsencrypt['enable'] = true in gitlab.rb
- After reconfiguring, connect to your instance using:
  openssl s_client -showcerts -connect $hostname:443
What is the expected correct behavior?
Two certificates are displayed: the Let's Encrypt intermediate CA certificate (cross-signed by IdenTrust) and the certificate provisioned for the instance.
What is the current bug behavior?
Only the provisioned certificate is shown.
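As an added example (not part of this issue report or of GitLab's code), the following Python script automates the check described in the steps above: it parses `openssl s_client -showcerts` output, lists the (subject, issuer) pairs the server presented, and reports whether the server sent only the leaf or a linked chain that includes the intermediate. The two sample outputs embedded below are constructed for the example (placeholder PEM bodies, a made-up hostname); the script name check_chain.py in the usage comment is an assumption.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample output in the shape printed by `openssl s_client -showcerts`.
# The PEM bodies are placeholders, not real certificates.
SAMPLE_ONLY_LEAF = """\
CONNECTED(00000003)
depth=0 CN = gitlab.example.test
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=gitlab.example.test
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIBplaceholderleafcertificatebody==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=gitlab.example.test
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
"""

SAMPLE_FULL_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=gitlab.example.test
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIBplaceholderleafcertificatebody==
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIBplaceholderintermediatecertificatebody==
-----END CERTIFICATE-----
---
"""

# Each entry of the "Certificate chain" section is two lines: " N s:<subject>" and "   i:<issuer>".
CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return the (subject, issuer) pairs the server presented, in the order sent."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in CHAIN_ENTRY.finditer(s_client_output)]


def count_pem_blocks(s_client_output: str) -> int:
    """Number of PEM certificates -showcerts dumped; the same count as grep -c 'BEGIN CERTIFICATE'."""
    return s_client_output.count("-----BEGIN CERTIFICATE-----")


def check_chain(s_client_output: str) -> Tuple[bool, str]:
    """
    Decide whether the server presented a usable chain for a client that holds
    only root certificates. Returns (ok, reason).
    """
    chain = parse_chain(s_client_output)
    if not chain:
        return False, "no certificate chain found in output"
    # Every certificate's issuer must be the subject of the next one sent;
    # otherwise the server skipped a link and the client must supply it itself.
    for idx in range(len(chain) - 1):
        if chain[idx][1] != chain[idx + 1][0]:
            return False, f"issuer of cert {idx} is not the subject of cert {idx + 1}"
    last_subject, last_issuer = chain[-1]
    if len(chain) == 1 and last_subject != last_issuer:
        return False, ("only the leaf certificate is served; clients must already hold "
                       f"its issuer: {last_issuer}")
    return True, f"{len(chain)} certificates served; chain ends at issuer {last_issuer}"


if __name__ == "__main__":
    # Usage (assumed file name):
    #   openssl s_client -showcerts -connect $hostname:443 </dev/null 2>/dev/null | python3 check_chain.py
    ok, reason = check_chain(sys.stdin.read())
    print(("OK: " if ok else "INCOMPLETE: ") + reason)
    sys.exit(0 if ok else 1)
```

A chain of one certificate whose issuer is an intermediate is exactly the condition reported in this issue: the handshake succeeds for clients that happen to cache the intermediate, and fails with an unknown-authority error for those that do not.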
Relevant logs and/or screenshots
We noticed this after upgrading and enabling the Let's Encrypt integration when runner connections started failing with:
couldn't execute POST against https://gitlab.langler.no/api/v4/jobs/request: Post https://gitlab.langler.no/api/v4/jobs/request: x509: certificate signed by unknown authority
Our certificates had previously been issued by Let's Encrypt too (via kubernetes-letsencrypt) and were using the full-chain certificate. To fix this we've reverted to using those certificates instead.
Results of GitLab environment info
GitLab information
Version: 10.5.1
Revision: 21c2ffe