Fall back to c_rehash if there are multiple TLS certificates

What does this MR do and why?

This backports !8711 (merged) to 18-3-stable.

The switch to openssl rehash from c_rehash in !8306 (merged) had an unintended breaking change: certificates in /etc/gitlab/trusted-certs are no longer processed if they contain multiple certificates.

To avoid this breaking change, detect the warning and fall back to c_rehash:

!8306 (merged) excluded c_rehash, but in case openssl rehash fails we need to keep this for now.

rehash: warning: skipping godaddy.crt, it does not contain exactly one certificate or CRL

Related #9295 (closed)

Related #9304

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

  • This MR is backporting a bug fix, documentation update, or spec fix, previously merged in the default branch.
  • The original MR has been deployed to GitLab.com (not applicable for documentation or spec changes).
  • This MR has a severity label assigned (if applicable).

Note to the merge request author and maintainer

If you have questions about the patch release process, please:

Edited by Stan Hu
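
The detect-and-fall-back behaviour described above, as an added shell example (not the code from this merge request or from the project). `rehash_trusted_certs`, `REHASH_CMD` and `FALLBACK_CMD` are hypothetical names; the two overrides exist so the logic can be exercised with stub commands where OpenSSL is not installed.

```shell
#!/bin/sh
# Added example: not the merge request's implementation.
# REHASH_CMD and FALLBACK_CMD are hypothetical override points (assumptions).
REHASH_CMD="${REHASH_CMD:-openssl rehash}"
FALLBACK_CMD="${FALLBACK_CMD:-c_rehash}"

# Text of the warning quoted in the MR description.
SKIP_PATTERN='does not contain exactly one certificate or CRL'

# Hash the certificates in directory $1.
# Prints the tool that produced the final result: "rehash" or "c_rehash".
rehash_trusted_certs() {
    dir=$1

    # Capture stdout and stderr together so the warning is seen
    # on whichever stream it is printed.
    output=$($REHASH_CMD "$dir" 2>&1) || {
        status=$?
        # A hard failure is reported as-is; it is not the skipped-file case.
        printf '%s\n' "$output" >&2
        return "$status"
    }

    if printf '%s\n' "$output" | grep -q "$SKIP_PATTERN"; then
        # At least one file was skipped: show which ones, then
        # re-run the directory through the fallback tool.
        printf '%s\n' "$output" | grep "$SKIP_PATTERN" >&2
        $FALLBACK_CMD "$dir" >/dev/null || return $?
        echo c_rehash
    else
        echo rehash
    fi
}

# Stand-alone use: pass the certificate directory as the first argument.
if [ "$#" -gt 0 ]; then
    rehash_trusted_certs "$1"
fi
```

The skipped file names are echoed to stderr before the fallback runs, so a log of the run shows which bundles in the directory triggered it.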
