A GitLab backup job fails with the error: "[SSL peer certificate or SSH remote key was not OK] http-resp:[0] url:[https://on-premise-instance.server.com /api/v4/groups?top_level_only=true] server-resp:[_null_] resp-size:[0]".

Article ID: 83347

Article Type: Troubleshooting

Last Modified:

GitLab backup jobs fail for on-premises hosted instances.

Symptoms

A GitLab backup job fails with the following error message in the Command Center: "[SSL peer certificate or SSH remote key was not OK] http-resp:[0] url:[https://on-premise-instance.server.com /api/v4/groups?top_level_only=true] server-resp:[_null_] resp-size:[0]".

Causes

GitLab backup jobs fail because the SSL certificate for on-premise-instance.server.com is invalid.

Resolution

  1. Verify SSL Certificate Validity:
     a. To verify that the SSL certificate for on-premise-instance.server.com is valid, correctly installed, and trusted by the system making the request, run the command:
        openssl s_client -showcerts -connect on-premise-instance.server.com:443
     b. Copy the certificate details, specifically the lines from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- (including both marker lines), and save them to a file, for example, /tmp/git.crt.

  2. Merge Certificates:
     a. Append all relevant system certificates to the newly saved certificate file. On Linux, run the following command:
        cat /etc/pki/tls/certs/ca-bundle.crt >> /tmp/git.crt

  3. Distribute the Certificate:
     a. Copy the updated certificate file (/tmp/git.crt) to all access nodes.

  4. Configure Git to Use the Certificate:
     a. On all access nodes, configure Git to use the specified CA certificate:
        git config --global http.sslCAInfo /tmp/git.crt

  5. Update Configuration on Access Nodes:
     a. Add the “sGitSSLCertificateFor_” additional setting to all access nodes under FileSystemAgent/.properties.

    • UNIX:
        echo "sGitSSLCertificateFor_on-premise-instance.server.com /tmp/git.crt" >> /etc/CommVaultRegistry/Galaxy/Instance001/FileSystemAgent/.properties
    • Windows:
        [HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Instance001\FileSystemAgent]
        "sGitSSLCertificateFor_on-premise-instance.server.com"="C:\\temp\\git.crt"

     Once the setting is in place, you should see a log line similar to:
        73053 11d5d 10/17 17:28:08 40412 GitConnectionUtils::GetCertificates(47) - Additional setting [FileSystemAgent/sGitSSLCertificateFor_on-premise-instance.server.com] present with value [/tmp/git.crt]

  6. Additional Checks:

    • System Time: Ensure the system clock is accurate, as SSL certificates are time sensitive.
    • Proxy Configuration: If a proxy is used, verify that it handles SSL traffic correctly and that its certificate is trusted.
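
A pre-flight check for the CA file built in steps 1 and 2, added here as an example; it is not part of the original article and not Commvault tooling. It pulls the server certificate out of the merged file, confirms it has not expired, confirms the file validates it with OpenSSL's verifier, and rejects a CA file that group or other users can write to. The function names are assumptions, and the openssl command must be installed.

```sh
#!/bin/sh
# Added example; function names are assumptions, not Commvault tooling.

# Print the first PEM certificate on stdin. Works on `openssl s_client
# -showcerts` output and on the merged CA file (server certificate first).
extract_first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on                            { print }
         /-----END CERTIFICATE-----/   { if (on) exit }'
}

# SHA-256 fingerprint, for comparison with the value obtained from the
# GitLab administrator over a separate channel before trusting the file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if the certificate has not expired according to the local clock.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Succeeds if CA file $1 validates certificate $2 with OpenSSL's verifier.
bundle_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if $1 is not writable by group or others: whoever can write the
# CA file decides which issuers Git trusts.
ca_file_owner_only() {
    case "$(ls -ld "$1")" in
        ?????w*|????????w*) return 1 ;;
    esac
}

# Run all checks against the merged CA file, e.g. preflight /tmp/git.crt
preflight() {
    leaf=$(mktemp) || return 1
    extract_first_cert < "$1" > "$leaf"
    rc=0
    cert_not_expired "$leaf"   || { echo "server certificate expired" >&2; rc=1; }
    bundle_trusts "$1" "$leaf" || { echo "CA file does not validate it" >&2; rc=1; }
    ca_file_owner_only "$1"    || { echo "CA file writable by others" >&2; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "SHA-256: $(cert_fingerprint "$leaf")"; fi
    rm -f "$leaf"
    return "$rc"
}

if [ "$#" -eq 1 ]; then preflight "$1"; fi
```

Run it on each access node as `sh preflight.sh /tmp/git.crt` (the script file name is an assumption) after step 3 and before starting the backup job.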