
Deprecate c_rehash and multi certificate bundle handling

Summary

GitLab Omnibus used OpenSSL's c_rehash to prepare custom certificate authorities.

OpenSSL still bundles c_rehash but recommends using openssl rehash instead, which is a built-in command that does not rely on Perl being installed.

In %18.2 we switched to !8306 (merged) for all supported distros but AmazonLinux 2 (which does not have c_rehash yet).

We had to relax this behavior in !8711 (merged) because openssl rehash does not handle certificate bundles with multiple certificates.

Proposal

  1. Announce deprecation of support for certificate bundles with multiple certificates. (Suggestion: Target the same milestone as Announce AmazonLinux 2 deprecation (#8845)).
  2. In the removal milestone, drop the c_rehash fallback and error out if a certificate with multiple bundles is detected.
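
Because openssl rehash does not handle files that contain several certificates, administrators can check a custom CA directory for such bundles ahead of the removal. The following is an added example, not GitLab Omnibus code: the function names are hypothetical, the directory is supplied by the caller, and the sample PEM blocks are constructed placeholders rather than real certificates.

```ruby
require "tmpdir"

# Matches one PEM certificate block (non-greedy, across lines).
PEM_CERT = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Return every PEM certificate block in +text+, in file order.
def pem_blocks(text)
  text.scan(PEM_CERT)
end

# Map file name => certificate count for each file in +dir+ holding more than one.
def multi_cert_bundles(dir)
  Dir.children(dir).sort.each_with_object({}) do |name, found|
    path = File.join(dir, name)
    next unless File.file?(path)
    # binread: DER or other binary files must not raise encoding errors.
    count = pem_blocks(File.binread(path)).length
    found[name] = count if count > 1
  end
end

# Write each certificate of the bundle at +path+ to its own file in +out_dir+.
# The bundle itself is left untouched; returns the new file paths.
def split_bundle(path, out_dir)
  base = File.basename(path, ".*")
  pem_blocks(File.binread(path)).each_with_index.map do |pem, i|
    target = File.join(out_dir, format("%s-%02d.crt", base, i + 1))
    File.write(target, pem + "\n")
    target
  end
end

# Constructed placeholder: PEM framing only, not a real certificate.
def fake_pem(label)
  "-----BEGIN CERTIFICATE-----\n#{label}\n-----END CERTIFICATE-----\n"
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "single.crt"), fake_pem("AAAA"))
    File.write(File.join(dir, "bundle.crt"), fake_pem("BBBB") + fake_pem("CCCC"))
    multi_cert_bundles(dir).each do |name, n|
      puts "#{name}: #{n} certificates, split into single files before rehashing"
    end
  end
end
```

The check only looks at PEM framing, so each split file should still be validated as a certificate before it is trusted.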