Perl required for 'trusted-certs' functionality, not embedded
When placing certificates in /etc/gitlab/trusted-certs, recipe gitlab::add_trusted_certs is run, which eventually calls method c_rehash in certificate-helper.rb. This shells out to c_rehash in /opt/gitlab/embedded/bin, which requires a perl interpreter to run. Since gitlab-omnibus does not embed perl, and this is not necessarily installed on the system (the rpm of course does not specify it as a prerequisite) the certificates never get installed because c_rehash does not create the appropriate symlinks in /etc/gitlab/trusted-certs.
Steps to recreate on fresh install:
- Install minimal CentOS 7
- Follow install steps on https://about.gitlab.com/downloads/#centos7 including initial gitlab-ctl reconfigure
- Place a certificate in /etc/gitlab/trusted-certs (e.g. curl https://letsencrypt.org/certs/isrgrootx1.pem.txt > /etc/gitlab/trusted-certs/isrgrootx1.pem)
- Run gitlab-ctl reconfigure
Expected outcome:
- Symlink to certificate in /etc/gitlab/trusted-certs/ (linking to /etc/trusted-certs-isrgrootx1.pem)
- Symlink to certificate in /opt/gitlab/embedded/ssl/certs/
Actual outcome:
When gitlab::add_trusted_certs runs, the certificate is not installed because a hash symlink isn't found in /etc/gitlab/trusted-certs/ (because it was never created). No error message indicating c_rehash failed to run is shown.
gitlab-ctl reconfigure output:
...
Recipe: gitlab::add_trusted_certs
* directory[/etc/gitlab/trusted-certs] action create (up to date)
* directory[/opt/gitlab/embedded/ssl/certs] action create (up to date)
* file[/opt/gitlab/embedded/ssl/certs/README] action create (up to date)
* ruby_block[Move existing certs and link to /opt/gitlab/embedded/ssl/certs] action run
* Moving existing certificates found in /opt/gitlab/embedded/ssl/certs
* Symlinking existing certificates found in /etc/gitlab/trusted-certs
Skipping /etc/gitlab/trusted-certs/isrgrootx1.pem.
...
Installing the system perl package via yum works around the problem:
# yum install perl
...
# touch /etc/gitlab/trusted-certs/isrgrootx1.pem
# gitlab-ctl reconfigure
...
# ls -l /etc/gitlab/trusted-certs
total 4
lrwxrwxrwx. 1 root root 14 Apr 25 13:23 4042bcee.0 -> isrgrootx1.pem
-rwxr-xr-x. 1 root root 1967 Apr 25 13:23 isrgrootx1.pem
# ls -l /opt/gitlab/embedded/ssl/certs/
total 264
lrwxrwxrwx. 1 root root 40 Apr 25 13:23 4042bcee.0 -> /etc/gitlab/trusted-certs/isrgrootx1.pem
-rw-r--r--. 1 root root 263781 Apr 22 06:36 cacert.pem
-rw-r--r--. 1 root root 147 Apr 25 13:14 README
#
- OS: CentOS Linux release 7.3.1611 (Core)
- Gitlab-Omnibus version: gitlab-ce-9.1.0-ce.0.el7.x86_64
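
Because the reconfigure run reports no error when the rehash step fails, the following added check (not part of the original report and not GitLab code) detects the condition after the fact: it reports a script whose `#!` interpreter cannot be found, and lists certificates that have no hash symlink next to them. The function names are hypothetical; the paths in the usage comment are the ones given in the report.

```shell
#!/bin/sh
# Added example (not GitLab code). Function names are hypothetical.

# Print the interpreter named on SCRIPT's "#!" line if it cannot be found.
# Prints nothing when the interpreter resolves or the file has no "#!" line.
missing_interpreter() {
  local line interp
  IFS= read -r line < "$1" || true
  case "$line" in '#!'*) line=${line#'#!'} ;; *) return 0 ;; esac
  set -- $line                      # split e.g. "/usr/bin/env perl" into words
  interp=${1:-}
  [ "${interp##*/}" = env ] && [ -n "${2:-}" ] && interp=$2
  command -v "$interp" >/dev/null 2>&1 || printf '%s\n' "$interp"
}

# Print each PEM certificate in DIR that no <8 hex digits>.<n> symlink in DIR
# resolves to, i.e. certificates the rehash step never linked.
unlinked_certs() {
  local dir cert link found
  dir=$1
  for cert in "$dir"/*; do
    [ -f "$cert" ] && [ ! -L "$cert" ] || continue
    grep -q 'BEGIN CERTIFICATE' "$cert" || continue
    found=0
    for link in "$dir"/*; do
      [ -L "$link" ] || continue
      case "${link##*/}" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
        *) continue ;;
      esac
      # -ef follows the symlink, so relative and absolute targets both match
      if [ "$link" -ef "$cert" ]; then found=1; break; fi
    done
    [ "$found" -eq 1 ] || printf '%s\n' "$cert"
  done
}

# Usage after gitlab-ctl reconfigure (paths from the report):
#   missing_interpreter /opt/gitlab/embedded/bin/c_rehash
#   unlinked_certs /etc/gitlab/trusted-certs
```

Any output from either function means a certificate placed in the directory is not yet trusted, even though reconfigure exited without an error.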