Austin

Reputation: 4576

Old SSL certificate still being served after renewing it

A few weeks ago I installed a new ssl certificate to replace an expiring one. The file name for the .crt and .key remained the same. Only the contents changed.

Now when I go to my site it says the certificate has expired and I see that it is using the old certificate chain. I can confirm the contents of the crt and key are the updated ones.

Output of gitlab-ctl status

run: gitlab-workhorse: (pid 30354) 18091s; run: log: (pid 15271) 21131317s
run: logrotate: (pid 7332) 91s; run: log: (pid 30308) 21128931s
run: mailroom: (pid 30436) 18060s; run: log: (pid 15266) 21131317s
run: nginx: (pid 3586) 1761s; down: log: 0s, normally up, want up
run: postgresql: (pid 30446) 18059s; run: log: (pid 10566) 13738330s
run: redis: (pid 30448) 18059s; run: log: (pid 10696) 13738292s
run: sidekiq: (pid 30463) 18057s; run: log: (pid 15264) 21131317s
run: unicorn: (pid 30487) 18053s; run: log: (pid 15267) 21131317s

Output of gitlab-ctl tail nginx

2016/11/28 21:26:20 [crit] 6852#0: *13180076 SSL_shutdown() failed (SSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init) while SSL handshaking, client: 55.108.238.72, server: 0.0.0.0:443
2016/11/28 21:26:23 [crit] 6852#0: *13180077 SSL_shutdown() failed (SSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init) while SSL handshaking, client: 55.108.238.72, server: 0.0.0.0:443

Those critical messages happen every 3 seconds.

I've restarted the nginx process but it did nothing. I've also run gitlab-ctl reconfigure but to no avail. My /etc/gitlab/gitlab.rb file has not changed. It still has the nginx ssl path:

nginx['ssl_certificate'] = "/etc/pki/tls/certs/sitename.com.crt"
nginx['ssl_certificate_key'] = "/etc/pki/tls/private/sitename.com.key"

And it also has the external_url

external_url 'https://sitename.com/'

Upvotes: 5

Views: 6774

Answers (2)

Nick Desai

Reputation: 430

Nginx will check for files ending in .conf in the /etc/nginx/conf.d directory for additional configuration. So check if you have created some file called ssl.conf and have configured the new SSL certificate in it.

Please run the following command to check the certificate validation:

openssl x509 -inform pem -in cerfile.cer -noout -text

Upvotes: 1

Robin Thoni

Reputation: 1731

Certificates are loaded when the webserver starts, so you need to reload/restart when updating them.

Upvotes: 1
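A way to verify both answers at once (added example, not code from either poster): compare the SHA-256 fingerprint of the certificate nginx actually presents with the fingerprint of the .crt on disk, and check that the .key on disk belongs to that .crt. Only the openssl CLI is assumed; HOST, PORT and the file paths are placeholders you supply.

```shell
#!/bin/sh
# Constructed diagnostic: does the running server present the renewed cert on disk?
# Assumes the openssl command-line tool; all arguments are supplied by the caller.

# SHA-256 fingerprint (colon-separated hex) of a PEM certificate file.
cert_file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate a live endpoint presents for HOST (SNI set).
served_cert_fingerprint() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds if the certificate in FILE has not passed its notAfter date.
cert_file_is_unexpired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Succeeds if the private key in $2 belongs to the certificate in $1 (same
# public key); a renewed .crt next to a stale .key is a frequent mismatch.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Compare on-disk vs served fingerprints. A mismatch means the running nginx
# never loaded the edited file: it was not reloaded, or another config wins.
fingerprints_match() {
    if [ "$1" = "$2" ]; then
        echo "match: server presents the certificate on disk"
    else
        echo "MISMATCH: server presents $2, disk has $1 (reload/restart nginx)"
        return 1
    fi
}

# Usage: ./check_cert.sh HOST CRTFILE KEYFILE [PORT]
if [ "$#" -ge 3 ]; then
    cert_file_is_unexpired "$2" || echo "WARNING: $2 is already expired"
    key_matches_cert "$2" "$3" || echo "WARNING: $3 does not match $2"
    fingerprints_match "$(cert_file_fingerprint "$2")" "$(served_cert_fingerprint "$1" "$4")"
fi
```

If the fingerprints differ even after a restart, the served one tells you which file nginx really loaded; grep the generated /var/opt/gitlab/nginx/conf for ssl_certificate to find it.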
