X509 certificate bundle population not considering SSL_CERT_DIR and SSL_CERT_FILE environment variables
In regular omnibus-gitlab builds, because OpenSSL is built with `/opt/gitlab/embedded/ssl/certs` as the location for certificates, `OpenSSL::X509::DEFAULT_CERT_DIR` will point to that directory. However, in FIPS builds, we use system OpenSSL, but still want GitLab components to use the same directory. We do this by specifying `SSL_CERT_DIR` (and `SSL_CERT_FILE`) variables to the components on startup.
However, in our own wrapper around these certificates, we don't consider the presence of these variables. This means the custom certificates installed via the official documentation will not work for components which use the certificate bundle from this wrapper. Right now this means Gitaly and Spamcheck clients.
Edited by Balasankar 'Balu' C
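
A sketch of the lookup order the issue asks for, added here as an example and not taken from GitLab's wrapper: `SSL_CERT_DIR` and `SSL_CERT_FILE` are consulted first and the compiled-in OpenSSL defaults are used only when they are unset. The `CertBundle` module and its method names are hypothetical; the `OpenSSL::X509::DEFAULT_CERT_*` constants come from Ruby's openssl library.

```ruby
require 'openssl'
require 'tmpdir'

# Hypothetical helper (not GitLab's wrapper): resolve trust sources the way
# OpenSSL does, letting SSL_CERT_DIR / SSL_CERT_FILE override the built-ins.
module CertBundle
  module_function

  # SSL_CERT_DIR may hold several directories separated by ':' on Unix.
  def cert_dirs(env = ENV)
    dirs = env[OpenSSL::X509::DEFAULT_CERT_DIR_ENV].to_s
              .split(File::PATH_SEPARATOR).reject(&:empty?)
    dirs.empty? ? [OpenSSL::X509::DEFAULT_CERT_DIR] : dirs
  end

  def cert_file(env = ENV)
    file = env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV].to_s
    file.empty? ? OpenSSL::X509::DEFAULT_CERT_FILE : file
  end

  # Bundle file first, then directory entries; symlinked duplicates collapse.
  def ca_cert_paths(env = ENV)
    from_dirs = cert_dirs(env).flat_map { |d| Dir.glob(File.join(d, '*')).sort }
    [cert_file(env), *from_dirs]
      .select { |p| File.file?(p) && File.readable?(p) }
      .map { |p| File.realpath(p) }
      .uniq
  end

  # Keep only PEM blocks that parse as certificates, so a stray file in the
  # directory cannot corrupt the bundle handed to a client.
  def pem_certs(text)
    text.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
        .select { |pem| OpenSSL::X509::Certificate.new(pem) rescue false }
  end

  def ca_bundle(env = ENV)
    ca_cert_paths(env).flat_map { |p| pem_certs(File.binread(p)) }.join("\n")
  end
end

# Constructed demo: an empty directory passed via SSL_CERT_DIR yields no paths,
# instead of silently falling back to the compiled-in location.
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    env = { 'SSL_CERT_DIR' => dir, 'SSL_CERT_FILE' => File.join(dir, 'none.pem') }
    puts CertBundle.ca_cert_paths(env).inspect
  end
end
```

Passing a plain hash as `env` makes the resolution testable without mutating the process environment; in a running component the default `ENV` is used.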