
I'm having some problems with Gitlab and Git that I didn't have before.

I updated my SSL on my Debian server, as I usually do each year, and git doesn't work as intended anymore.

Apache Web Server and the Gitlab CE hosted website are working well with HTTPS.

I verify my SSL config attempts with `openssl s_client -showcerts -connect mysite.com:port` and I always get code 21, except when I run the command inside the server (I have a log from another PC and a log from localhost).


  • Debian 9 up-to-date
  • Gitlab CE latest version
  • GIT 2.11

Output of `git config http.sslCAPath`:

`/etc/ssl/` (before: `/etc/ssl/certs`)

How can I better debug this situation?

Please avoid typing `git config --global http.sslVerify false`.

[Image: the certificates in my chain]

Otto

1 Answer

You've concatenated the certificates in your certificate chain out of order. Your certificate comes first, followed by the intermediate certificate. But you have these reversed.

You also should not include the CA certificate in your chain. But your chain includes it.

Rebuild your certificate chain, including only your certificate followed by the intermediate certificates.

Consider using a service such as Qualys SSL Server Test to test your configuration.

Michael Hampton
  • Do you mean to only concat these two files, `COMODORSAAddTrustCA.crt` with `COMODORSADomainValidationSecureServerCA.crt`? How do I refresh the configuration? Will `git config --global http.sslCAInfo /etc/ssl/new.crt` work? I use that service, but in this case git is blocked outside my home. – Otto Jul 24 '18 at 15:32
  • No, you DO NOT include the CA certificate. As shown in your report, AddTrust External CA should NOT be included. – Michael Hampton Jul 24 '18 at 15:33
  • I updated the OP with an image of my certs, which ones should I use? I tried with https://whatsmychaincert.com/ but no success. Uploaded it to `/etc/ssl/certs` and then did `update-ca-certificates` – Otto Jul 24 '18 at 15:52
  • @Novo Again, you use only your domain certificate and the intermediate certificates. You do NOT include the root CA certificate. Did you not click the link? – Michael Hampton Jul 24 '18 at 15:54
  • Michael, I can't try "Qualys SSL Server Test" because my firewall blocks all ports except http/https outside my network. – Otto Jul 24 '18 at 15:56
  • @Novo Good thing it's https, then! So why can't you try it? – Michael Hampton Jul 24 '18 at 16:03
  • As I said in the OP, the Apache and Gitlab CI web instance work well, but `git push` doesn't :S BTW Gitlab is mounted on port 9000 and it's blocked outside my network too – Otto Jul 24 '18 at 16:11
  • So what's stopping you from visiting that web site and reading it? – Michael Hampton Jul 24 '18 at 16:11
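The ordering mistake the answer describes (intermediate before leaf, root appended at the end) can be checked offline before the chain file is handed to Apache or Gitlab. The script below is an added example, not code from the question, the answer or either project: it reads only the issuer and subject fields of each PEM block with a minimal DER walker (no third-party library), and it assumes that a correctly issued chain encodes each issuer name byte-for-byte identically to the next certificate's subject. The sample certificates are constructed stand-ins, labelled after the files named in the comments, not real certificates.

```python
import base64, re

def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length-byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Split a SEQUENCE body into its top-level elements (raw TLV bytes)."""
    out, pos = [], 0
    while pos < len(body):
        end = der_tlv(body, pos)[2]
        out.append(body[pos:end])
        pos = end
    return out

def issuer_subject(der_cert):
    """Return (issuer, subject) as DER bytes: Certificate -> tbsCertificate fields."""
    _, tbs, _ = der_tlv(der_tlv(der_cert, 0)[1], 0)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                # skip the optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[2], fields[4]             # serial, sigAlg, ISSUER, validity, SUBJECT, ...

def chain_problems(pem_text):
    """Ordering mistakes in a concatenated chain: leaf first, each cert issued by the next, no root."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    names = [issuer_subject(base64.b64decode("".join(b.split()))) for b in blocks]
    problems = []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:  # assumption: encoded issuer == next cert's encoded subject
            problems.append(f"certificate {i} is not issued by certificate {i + 1}: chain out of order")
    if names and names[-1][0] == names[-1][1]:
        problems.append("last certificate is self-signed: root CA should not be in the chain")
    return problems

def _tlv(tag, body):                        # DER builder for the constructed sample certificates below
    assert len(body) < 128                  # samples stay within short-form lengths
    return bytes([tag, len(body)]) + body

def fake_cert(subject, issuer):
    """Constructed minimal DER in the real tbsCertificate field order; not a valid certificate."""
    cn = lambda s: _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, s.encode()))))
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"") + cn(issuer) + _tlv(0x30, b"") + cn(subject)
    der = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

LEAF = fake_cert("mysite.com", "COMODO RSA Domain Validation Secure Server CA")
INTERMEDIATE = fake_cert("COMODO RSA Domain Validation Secure Server CA", "AddTrust External CA Root")
ROOT = fake_cert("AddTrust External CA Root", "AddTrust External CA Root")
```

Run `chain_problems(open("/path/to/chain.crt").read())` on the file Apache or Gitlab serves; an empty list means the order is leaf, then intermediates, with no root appended.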