Does not update missing certificates hash in /opt/gitlab/embedded/ssl/certs/ if already exists in /etc/gitlab/trusted-certs
To declare custom CA or self-signed certificates within the GitLab ecosystem, the way to do it is to add the .crt file in /etc/gitlab/trusted-certs. gitlab-ctl reconfigure will then compute a hash symlink for each certificate in:
/etc/gitlab/trusted-certs
/opt/gitlab/embedded/ssl/certs/
The latter is the real directory used by software.
The problem occurs when using the Docker image for the omnibus package.
After each re-creation of the container (during a version update for example), the symlink hashes in /opt/gitlab/embedded/ssl/certs/ are lost. Launching gitlab-ctl reconfigure does not fix the problem.
To fix it, we must delete all hashes in /etc/gitlab/trusted-certs (rm /etc/gitlab/trusted-certs/*.0) and then relaunch gitlab-ctl reconfigure, which now creates the links in /opt/gitlab/embedded/ssl/certs/.
So it seems that the reconfigure does not update/create hashes in /opt/gitlab/embedded/ssl/certs/ if they already exist in /etc/gitlab/trusted-certs.
Symlink hashes in /etc/gitlab/trusted-certs survive the container re-creation because /etc/gitlab is mounted as a host volume, as said in the Docker omnibus doc (to preserve secret keys at least).
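
A check for the state described in this report, as an added example that is not part of the original issue or of GitLab's own tooling: it lists the hash links that exist in /etc/gitlab/trusted-certs but have no usable counterpart in /opt/gitlab/embedded/ssl/certs/. The function name `missing_hash_links` is hypothetical, and the script assumes hash links are named `*.0`, as in the `rm` command above.

```shell
#!/bin/sh
# Added example: detect trusted-certs hash links that were not recreated
# in the embedded certs directory (e.g. after a container re-creation).

missing_hash_links() {
    # Defaults are the two directories named in the report; override for testing.
    trusted_dir=${1:-/etc/gitlab/trusted-certs}
    embedded_dir=${2:-/opt/gitlab/embedded/ssl/certs}

    for link in "$trusted_dir"/*.0; do
        # Skip the unexpanded glob and anything that is not a symlink.
        [ -L "$link" ] || continue
        name=$(basename "$link")
        # -e follows symlinks, so a dangling link in the embedded directory
        # is reported as missing too: software reading it would get no CA.
        if [ ! -e "$embedded_dir/$name" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# When run directly, check the default paths (or the two given as arguments).
missing_hash_links "$@"
```

Any output after a container upgrade means the trust store used by the bundled software is incomplete, even though gitlab-ctl reconfigure has run.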