SSL Issue GITLAB

Hello,

Maybe someone had the same issue and can provide me with a solution.
I have my Own hosted Gitlab server and I would like to use it under Cloudflare.

The thing is I changed a configuration:
/etc/gitlab/gitlab.rb
After that I did:
nginx[‘ssl_certificate’] = “/etc/gitlab/ssl/www.domain.tld.crt”
nginx[‘ssl_certificate_key’] = “/etc/gitlab/ssl/www.domain.tld.key”

Copied the crt and key from Cloudflare
and did:sudo gitlab-ctl reconfigure

When I spoof hosts I can see:
I see invalid SSL, that is generated by Cloudflare and owner is Cloudflare.

When I do this:
curl -svo /dev/null --resolve www.domain.ltd:443:SERVER_IP https://www.domain.ltd
I get:

  • Added www.domain.ltd:SERVER_IP to DNS cache
  • About to connect() to www.domain.ltd port 443 (#0)
  • Trying SERVER_IP…
  • Connected to www.domain.ltd (SERVER_IP) port 443 (#0)
  • Initializing NSS with certpath: sql:/etc/pki/nssdb
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  • Server certificate:
  •   subject: CN=CloudFlare Origin Certificate,OU=CloudFlare Origin CA,O="CloudFlare, Inc."
    
  •   start date: May 28 12:16:00 2020 GMT
    
  •   expire date: May 25 12:16:00 2035 GMT
    
  •   common name: CloudFlare Origin Certificate
    
  •   issuer: ST=California,L=San Francisco,OU=CloudFlare Origin SSL Certificate Authority,O="CloudFlare, Inc.",C=US
    
  • NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
  • Peer’s Certificate issuer is not recognized.
  • Closing connection 0

But when I use dirrect:

Error 526 Ray ID: 59a868045995b4c0 • 2020-05-28 13:43:44 UTC

Invalid SSL certificate

I have set SSL to strict.

Can anyone please advise on how to resolve this issue?

Thanks.

Did you verify the certificate contains the proper hostnames for your domain?

Lets start with what the domain is.

The certificate was generated by Cloudflare and the domain is connected to Cloudflare.


amberit.in

That is exactly the issue.

You issued your certificate for the naked domain and “ww”. Thats probably not what you wanted.

No, no I need ti to be for www and naked domain.

But for other subdomains I don’t need a SSL.

As mentioned, in that case the certificate is wrong.

But how can it be wrong, if I generated it using cloudflare and also specify naked domain + www?

You will have entered incorrect values.

You will need to recreate it.

This topic was automatically closed after 30 days. New replies are no longer allowed.