I've set up a GitLab CE instance for my company on Azure with the Bitnami GitLab CE virtual machine template.
I immediately configured the Docker registry, Mattermost, Grafana and Let's Encrypt. Everything worked fine for about a week, but as of today I can't open any of these services: I get an HSTS error in every browser.
When I tried curl https://code.<domain>.io I got the following message:
curl: (60) schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
More details here: https://curl.se/docs/sslcerts.html
I didn't change or even restart anything. This is my GitLab config file:
# External URL Config
external_url 'https://code.<domain>.io'
mattermost_external_url 'https://mattermost.<domain>.io'
registry_external_url 'https://registry.<domain>.io'
# SMTP Config
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.office365.com"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "gitlab@<domain>.com"
gitlab_rails['smtp_password'] = "<removed>"
gitlab_rails['smtp_domain'] = "<domain>.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false
gitlab_rails['smtp_pool'] = false
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = 'gitlab@<domain>.com'
gitlab_rails['gitlab_email_display_name'] = '<removed>'
gitlab_rails['gitlab_email_subject_suffix'] = '<removed>'
# OmniAuth Config
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "azure_activedirectory_v2",
    "label" => "Azure Active Directory",
    "args" => {
      "client_id" => "<removed>",
      "client_secret" => "<removed>",
      "tenant_id" => "<removed>"
    }
  }
]
# NGINX
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
# Grafana
grafana['enable'] = true
grafana['allow_user_sign_up'] = false
grafana['disable_login_form'] = false
grafana['gitlab_application_id'] = '<removed>'
grafana['gitlab_secret'] = '<removed>'
grafana['gitlab_auth_sign_up'] = true
grafana['alerting_enabled'] = false
# Lets Encrypt
letsencrypt['enable'] = true
letsencrypt['contact_emails'] = ['<removed>'] # This should be an array of email addresses to add as contacts
letsencrypt['key_size'] = 2048
letsencrypt['wwwroot'] = '/var/opt/gitlab/nginx/www'
letsencrypt['auto_renew'] = true
letsencrypt['auto_renew_hour'] = 12
letsencrypt['auto_renew_minute'] = 30 # Should be a number or cron expression, if specified.
letsencrypt['auto_renew_day_of_month'] = "*/1"
letsencrypt['auto_renew_log_directory'] = '/var/log/gitlab/lets-encrypt'
Logs at /var/log/gitlab/nginx/ don't show anything, probably because the browser doesn't even get that far.
I've already read a lot about how GitLab's Let's Encrypt integration is trash and buggy and that you should probably use another solution, but in this case that would not be a viable option.
I will do it if absolutely necessary, but I'd like to use GitLab's built-in solution if possible.
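SEC_E_UNTRUSTED_ROOT means the served chain roots to a CA the client does not trust, and a common reason on an Omnibus host is that the certificate under /etc/gitlab/ssl is no longer the Let's Encrypt one. The following diagnostic is an added example, not code from the post or from GitLab: it classifies a PEM certificate as self-signed or CA-issued and checks how much validity is left, using a constructed throwaway certificate in place of the real /etc/gitlab/ssl/<hostname>.crt (an assumed path).

```shell
#!/bin/sh
# Added diagnostic (not from the post or GitLab): inspect the certificate
# that nginx is serving. Assumed location on Omnibus: /etc/gitlab/ssl/<hostname>.crt

# Print "self-signed" when issuer equals subject (the placeholder case),
# otherwise "ca-issued" (e.g. a Let's Encrypt R3/R10-signed leaf).
cert_issuer_class() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then echo self-signed; else echo ca-issued; fi
}

# Return 0 when the certificate is still valid for at least $2 seconds.
# Let's Encrypt leaves are 90-day certs; renewal should happen well before
# the last 30 days (2592000 s), so failing that check means renewal stalled.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Constructed sample: a 1-day self-signed cert standing in for a broken
# deployment. Replace with the real .crt path when running on the host.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=code.example.invalid" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Example run against the constructed sample.
sample=$(make_sample_cert)
echo "$sample: $(cert_issuer_class "$sample")"
if cert_valid_for "$sample" 2592000; then
    echo "more than 30 days of validity left"
else
    echo "less than 30 days left: renewal is not happening"
fi
```

To compare with what clients actually receive, run `openssl s_client -connect code.<domain>.io:443 -servername code.<domain>.io -showcerts` and pass the first certificate it prints through the same two functions.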