Skip to content

gitlab-ctl reconfigure overwriting SSL private key

I have just setup a new omnibus installation, and whenever I run gitlab-ctl reconfigure it overwrites my SSL private key. The key is not self generated and is a valid wildcard.

Here is the contents of my gitlab.rb: (domain names have been changed to example.com)

external_url 'https://gitlab.example.com'
registry_external_url 'https://registry.example.com'

 gitlab_rails['time_zone'] = 'UTC'
 gitlab_rails['gitlab_email_enabled'] = false
 gitlab_rails['gitlab_default_can_create_group'] = false
 gitlab_rails['gitlab_username_changing_enabled'] = false
 gitlab_rails['gitlab_default_theme'] = 2
 gitlab_rails['gitlab_default_projects_features_issues'] = false
 gitlab_rails['gitlab_default_projects_features_merge_requests'] = false
 gitlab_rails['gitlab_default_projects_features_wiki'] = false
 gitlab_rails['gitlab_default_projects_features_snippets'] = false
 gitlab_rails['gitlab_default_projects_features_builds'] = true
 gitlab_rails['gitlab_default_projects_features_container_registry'] = true
 gitlab_rails['gitlab_repository_downloads_path'] = 'tmp/repositories'

 gitlab_rails['artifacts_enabled'] = true
 gitlab_rails['artifacts_path'] = "/mnt/storage/artifacts"
 gitlab_rails['uploads_directory'] = "/var/opt/gitlab/gitlab-rails/uploads"
 gitlab_rails['rate_limit_requests_per_period'] = 10
 gitlab_rails['rate_limit_period'] = 60

 gitlab_rails['registry_enabled'] = true
 gitlab_rails['registry_host'] = "registry.example.com"
 gitlab_rails['registry_port'] = "443"
 gitlab_rails['registry_api_url'] = "http://localhost:5000"
 gitlab_rails['registry_key_path'] = "/etc/gitlab/ssl/gitlab.example.com.key"
 gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
 gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"

 registry['enable'] = true
 registry['username'] = "registry"
 registry['group'] = "registry"
 registry['dir'] = "/var/opt/gitlab/registry"
 registry['log_directory'] = "/var/log/gitlab/registry"
 registry['log_level'] = "info"
 registry['rootcertbundle'] = "/etc/gitlab/ssl/gitlab.example.com.crt"
 registry['storage_delete_enabled'] = true

 nginx['enable'] = true
 nginx['client_max_body_size'] = '250m'
 nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # Most root CA's are included by default
 nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.example.com.crt"
 nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.example.com.key"
 nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
 nginx['ssl_prefer_server_ciphers'] = "on"
 nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
 nginx['ssl_session_cache'] = "builtin:1000  shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
 nginx['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html

 registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.example.com.crt"
 registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.example.com.key"

Any ideas on what would be causing this?