Self-signed TLS certificates generated during installation do not include Subject Alternative Name
Summary
Self-signed TLS certificates generated during installation do not include Subject Alternative Name, in violation of RFC 9525. This causes downstream issues when trying to perform tasks like registering GitLab runners, since `gitlab-runner` requires the GitLab TLS certificate to have a Subject Alternate Name matching the specified hostname.
Steps to reproduce
- Install GitLab from package on a host in a private network where it can't be reached by the ACME provider
What is the current bug behavior?
The default self-signed certificate generated during install only includes the hostname in the Subject CN field.
What is the expected correct behavior?
The certificate should include the hostname in the list of Subject Alternate Names for compliance with RFC 9525.
Relevant logs
```
# openssl x509 -in /etc/gitlab/ssl/gitlab.example.com.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=gitlab.example.com
        Validity
            Not Before: Mar 2 18:45:52 2025 GMT
            Not After : Apr 1 18:45:52 2025 GMT
        Subject: CN=gitlab.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dd:f2:5f:9f:f7:db:14:4e:e7:dc:1c:21:fa:48:
                    ce:e0:49:b0:5d:a1:b3:f4:2b:3e:96:c5:3b:af:64:
                    a2:a6:71:f5:2e:40:34:96:84:cd:b3:6c:cb:68:4a:
                    99:26:fe:6a:4d:37:74:fe:8b:02:f7:aa:49:2a:3e:
                    d5:e7:e6:35:7e:9c:c3:0f:99:e8:7c:48:a3:30:55:
                    11:90:a2:ae:21:5a:36:b8:36:d8:b4:31:24:00:06:
                    6b:b6:dd:b3:56:4e:a2:ad:2d:61:7f:d7:61:ed:80:
                    80:d0:40:ac:52:c8:b3:86:57:0c:a5:0c:d3:25:2d:
                    05:2b:17:bd:0f:5f:d3:2f:78:bc:ba:41:15:e5:c1:
                    f6:eb:c9:c3:0d:40:84:93:4f:aa:91:90:49:eb:d4:
                    5b:07:da:d9:85:5f:d8:80:4b:01:c1:38:81:92:8a:
                    33:7b:a9:ca:f5:20:df:4a:87:96:77:ea:bb:da:12:
                    f4:0a:02:1f:40:36:de:d1:47:68:3a:0c:f1:0e:a6:
                    d6:90:96:db:87:4c:85:e2:68:fc:4e:28:4f:6a:c6:
                    e5:df:80:b4:91:df:d7:72:b2:3b:df:d2:7e:b9:4a:
                    3a:b2:60:96:76:48:bc:10:81:74:51:69:4e:10:03:
                    d4:00:3d:b4:e1:4d:d4:e2:33:41:93:61:ae:da:62:
                    d6:91
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                2D:51:34:A3:F4:CB:62:91:A0:DD:99:21:5A:40:30:C4:54:04:62:B2
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        4f:a6:49:ce:e8:a9:dc:2d:a6:86:b9:a0:8f:3f:29:32:90:21:
        eb:46:29:62:71:10:67:4b:f2:95:08:db:1f:ec:c2:d8:73:2b:
        75:7a:b2:07:18:ef:1b:3e:fe:f3:cb:0e:12:97:92:10:8b:a6:
        96:8b:2c:64:91:ab:3e:c6:53:e9:62:7b:15:4b:3d:fc:7d:7a:
        d4:9f:f3:b1:1a:42:4b:b0:ca:6b:84:ab:e7:a9:bb:c8:0c:45:
        c3:5b:87:cf:3f:b4:b7:51:94:f4:d8:72:ff:ba:fd:13:ff:64:
        87:c9:39:e2:5a:7c:aa:ce:be:7f:c2:c2:a7:6d:7a:2b:78:8e:
        50:fe:60:bb:7c:7b:9e:69:ff:e3:9a:7d:46:45:fe:9d:09:cf:
        da:eb:60:b2:8d:3d:2c:cf:17:b3:0f:89:f2:8e:7a:60:dc:bf:
        43:40:dc:38:e7:06:6b:cf:73:19:16:a7:ae:06:02:b5:c8:53:
        bd:75:2a:38:c1:d8:87:e2:af:7a:a3:d5:7d:2e:b7:b0:31:59:
        83:a7:ab:e5:f0:78:15:4e:d7:bc:ff:25:10:4c:84:d5:db:f1:
        0d:0a:d8:6f:4f:cc:2e:60:4c:84:eb:72:fc:a1:45:16:d7:00:
        49:b5:2b:99:4e:12:33:8a:ca:61:37:c4:96:03:01:74:3b:27:
        2b:2f:0e:2e
```
Details of package version
Provide the package version installation details
```
# rpm -qa | grep 'gitlab'
gitlab-runner-helper-images-17.9.0-1.noarch
gitlab-runner-17.9.0-1.x86_64
gitlab-ee-17.9.1-ee.0.el9.x86_64
```
Environment details
- Operating System: AlmaLinux 9.5 x86_64
- Installation Target:
  - Bare Metal Machine
- Installation Type:
  - New Installation
- Is there any other software running on the machine: No
- Is this a single or multiple node installation? Single
- Resources
  - CPU: 6 Core i7-10710U
  - Memory total: 16GB
Configuration details
Provide the relevant sections of `/etc/gitlab/gitlab.rb`
```ruby
external_url 'https://gitlab.example.com'
```