Gitlab - server certificate verification failed

Iḿ using Jenkins and Gitlab both Platforms are using certbot certificates and were deployed in ec2 instances.
Today I started having issues with cloning a repo from Jenkins agents. The error message is shown below:
fatal: unable to access '****://gitlab....../.......git/': server certificate verification failed. CAfile: none CRLfile: none
Basically I have updated and upgraded all packages, and I´ve renewed both certificates using the approach some people are explaining above.
So not sure how can I fix this.
Any idea?
Thanks for your help and support.

1 Like

Hi @juanmcv1616, welcome to the LE community forum :slight_smile:
[I've moved your post to a separate topic to better address your specific problem]

We would need more information to better help you with, like:

  • What is the FQDN that is showing the problem?
  • What O/S is the client using?
  • What version of OpenSSL is the client using?
1 Like

@rg305 Thanks for your support! :raised_hands:

  • ( centos rhel fedora) [OpenSSL 1.0.2k-fips]

  • (centos rhel fedora amazon linux) [OpenSSL 1.0.2k-fips]

OpenSSL < 1.1 may require a patch.
See: Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog

Certificate chain
 0 s:/
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

It seems the GitLab is using the cross-signed X1 root.
This is the normal trust path that supports the most amount of clients.
[and the trusted path used by this site]
Unfortunately, it seems, there is no path that supports all clients.
Your current path should allow older Android devices trusted access.
If you don't need to serve them, you can replace the cross-signed X1 with the self-signed X1 root cert by simply deleting the cross-signed X1 cert from the chain - the self-signed cert should already be in all modern trusted root systems.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.