Allow self-signed certs when adding certs to a pages domain
What does this MR do and why?
This MR solves #356447 (closed)
In !71697 (merged) we introduced a validation of the entire certificate chain that was added to a pages domain, with the focus on automatically added certs by Let's Encrypt.
Unfortunately, this broke some workflows as published on our blog whereby users use a Cloudflare Origin Certificate to use TLS-Encryption between CF and GitLab Pages.
Origin Certificates however are signed by Cloudflare itself and thus cause a `self signed cert in chain` error when validated against the system trust store.
With this MR I propose exempting `self signed cert in chain` errors because:
- we're not establishing an SSL connection here, just validating the input
- the SSL connection needs to be validated by the client that will later use this cert. This client should have its own agency to decide whether to accept a given certificate or not.
How to set up and validate locally
See this blog post for instructions: https://about.gitlab.com/blog/2017/02/07/setting-up-gitlab-pages-with-cloudflare-certificates/
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
cc @mmacfarlane
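
The behaviour described above, as an added example (not code from this MR or from GitLab): a leaf signed by a private root fails chain validation with OpenSSL's "self signed cert in chain" error when the root is not in the trust store, and an exemption list accepts exactly that error. The helper names, the certificates and the empty `OpenSSL::X509::Store` standing in for a system trust store that lacks the private root are all constructed for illustration.

```ruby
require "openssl"

# Build a certificate; with no issuer it becomes a self-signed CA (constructed test data).
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = (issuer_cert || cert).subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if issuer_cert.nil?
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Errors tolerated when the input is only validated, not used to open a connection.
EXEMPT = [OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN].freeze

# Hypothetical helper: returns [accepted, openssl_error_code].
def validate_chain(leaf, intermediates, store, exempt: EXEMPT)
  ok = store.verify(leaf, intermediates)
  [ok || exempt.include?(store.error), store.error]
end

ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT = make_cert("Example Private Origin CA", ROOT_KEY)
LEAF = make_cert("pages.example.test", LEAF_KEY,
                 issuer_cert: ROOT, issuer_key: ROOT_KEY, serial: 2)

EMPTY_STORE = OpenSSL::X509::Store.new # trust store that does not contain ROOT
PRIVATE_STORE = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ROOT) }

STRICT = validate_chain(LEAF, [ROOT], EMPTY_STORE, exempt: []) # rejected
RELAXED = validate_chain(LEAF, [ROOT], EMPTY_STORE)            # accepted via exemption
NO_ISSUER = validate_chain(LEAF, [], EMPTY_STORE)              # different error, still rejected
TRUSTED = validate_chain(LEAF, [], PRIVATE_STORE)              # verifies normally
```

Without a verify callback OpenSSL stops at the first error, so in this sketch a chain accepted through the exemption has not had its signatures or validity dates checked.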