Gitlab - server certificate verification failed

I'm using Jenkins and GitLab; both platforms are using certbot certificates and were deployed in EC2 instances.
Today I started having issues with cloning a repo from Jenkins agents. The error message is shown below:
fatal: unable to access '****://gitlab....../.......git/': server certificate verification failed. CAfile: none CRLfile: none
Basically I have updated and upgraded all packages, and I've renewed both certificates using the approach some people are explaining above.
So I'm not sure how I can fix this.
Any idea?
Thanks for your help and support.


Hi @juanmcv1616, welcome to the LE community forum :slight_smile:
[I've moved your post to a separate topic to better address your specific problem]

We would need more information to better help you, like:

  • What is the FQDN that is showing the problem?
  • What O/S is the client using?
  • What version of OpenSSL is the client using?

@rg305 Thanks for your support! :raised_hands:

  • gitlab.eiya.mx ( centos rhel fedora) [OpenSSL 1.0.2k-fips]

  • jenkins.eiya.mx (centos rhel fedora amazon linux) [OpenSSL 1.0.2k-fips]

OK
OpenSSL < 1.1 may require a patch.
See: Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog

---
Certificate chain
 0 s:/CN=gitlab.eiya.mx
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

It seems GitLab is using the cross-signed X1 root.
This is the normal trust path that supports the greatest number of clients.
[and the trusted path used by this site]
Unfortunately, it seems, there is no path that supports all clients.
Your current path should allow older Android devices trusted access.
If you don't need to serve them, you can replace the cross-signed X1 with the self-signed X1 root cert by simply deleting the cross-signed X1 cert from the chain - the self-signed cert should already be in all modern trusted root systems.

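A check for the condition described in the last reply, as an added example that is not part of the original thread: it parses the `Certificate chain` block of `openssl s_client` output, finds an ISRG Root X1 certificate cross-signed by DST Root CA X3, and confirms the chain still links once that entry is dropped. The function names are assumptions of this example, and the embedded sample is the chain quoted in the thread.

```python
import re

# Constructed sample: the "Certificate chain" block quoted in the thread,
# in the format printed by `openssl s_client` on OpenSSL 1.0.2.
SAMPLE = """\
Certificate chain
 0 s:/CN=gitlab.eiya.mx
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""

# One chain entry: a numbered "s:" (subject) line followed by its "i:" (issuer) line.
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def cn(name):
    """Return the CN of a one-line DN (1.0.2 '/CN=x' or 1.1+ 'CN = x' style)."""
    m = re.search(r"CN\s*=\s*([^/,\n]+)", name)
    return m.group(1).strip() if m else name.strip()


def parse_chain(text):
    """Return [(depth, subject CN, issuer CN)] in the order the server sent them."""
    return [(int(d), cn(s), cn(i)) for d, s, i in ENTRY.findall(text)]


def cross_signed_x1(chain):
    """Depths of entries that are ISRG Root X1 issued by DST Root CA X3."""
    return [d for d, s, i in chain
            if s == "ISRG Root X1" and i == "DST Root CA X3"]


def chain_without(chain, drop):
    """Chain minus the given depths, and whether it still links up.
    Linking is checked by CN only (a simplification): each issuer must
    equal the subject of the next certificate sent."""
    kept = [c for c in chain if c[0] not in drop]
    linked = all(a[2] == b[1] for a, b in zip(kept, kept[1:]))
    return kept, linked


if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    drop = cross_signed_x1(chain)
    kept, linked = chain_without(chain, drop)
    print("cross-signed X1 at depth:", drop)
    print("remaining:", kept, "links:", linked)
    print("root the client must trust:", kept[-1][2] if kept else None)
```

For the sample, the entry at depth 2 is flagged, and the remaining two certificates chain to ISRG Root X1, which the client's own trust store then has to contain.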