Merge branch 'docs-ssl-troubleshooting' into 'master'

Creates SSL troubleshooting doc

See merge request gitlab-org/gitlab!22743

doc/administration/index.md

@@ -222,6 +222,7 @@ who are aware of the risks.
 - [Troubleshooting PostgreSQL](troubleshooting/postgresql.md)
 - [Guide to test environments](troubleshooting/test_environments.md) (for Support Engineers)
 - [GitLab Rails console commands](troubleshooting/gitlab_rails_cheat_sheet.md) (for Support Engineers)
+- [Troubleshooting SSL](troubleshooting/ssl.md)
 - Useful links:
   - [GitLab Developer Docs](../development/README.md)
   - [Repairing and recovering broken Git repositories](https://git.seveas.net/repairing-and-recovering-broken-git-repositories.html)

doc/administration/troubleshooting/ssl.md

+---
+type: reference
+---
+
+# Troubleshooting SSL
+
+This page contains a list of common SSL-related errors and scenarios that you may face while working with GitLab.
+It should serve as an addition to the main SSL docs available here:
+
+- [Omniibus SSL Configuration](https://docs.gitlab.com/omnibus/settings/ssl.html)
+- [Self-signed certificates or custom Certification Authorities for GitLab Runner](https://docs.gitlab.com/runner/configuration/tls-self-signed.html)
+- [Manually configuring HTTPS](https://docs.gitlab.com/omnibus/settings/nginx.html#manually-configuring-https)
+
+## Using an internal CA certificate with GitLab
+
+After configuring a GitLab instance with an internal CA certificate, you might not be able to access it via various CLI tools. You may see the following symptoms:
+
+- `curl` fails:
+
+  ```shell
+  curl https://gitlab.domain.tld
+  curl: (60) SSL certificate problem: unable to get local issuer certificate
+  More details here: https://curl.haxx.se/docs/sslcerts.html
+  ```
+
+- Testing via the [rails console](https://docs.gitlab.com/omnibus/maintenance/#starting-a-rails-console-session) also fails:
+
+  ```ruby
+  uri = URI.parse("https://gitlab.domain.tld")
+  http = Net::HTTP.new(uri.host, uri.port)
+  http.use_ssl = true
+  http.verify_mode = 1
+  response = http.request(Net::HTTP::Get.new(uri.request_uri))
+  ...
+  Traceback (most recent call last):
+        1: from (irb):5
+  OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate))
+  ```
+
+- The error `SSL certificate problem: unable to get local issuer certificate` is shown when setting up a [mirror](../../user/project/repository/repository_mirroring.md#repository-mirroring) from this GitLab instance.
+- `openssl` works when specifying the path to the certificate:
+
+  ```shell
+  /opt/gitlab/embedded/bin/openssl s_client -CAfile /root/my-cert.crt -connect gitlab.domain.tld:443
+  ```
+
+If you have the problems listed above, add your certificate to `/etc/gitlab/trusted-certs` and run `sudo gitlab-ctl reconfigure`.
+
+## Mirroring a remote GitLab repository that uses a self-signed SSL certificate
+
+**Scenario:** When configuring a local GitLab instance to [mirror a repository](../../user/project/repository/repository_mirroring.md) from a remote GitLab instance that uses a self-signed certificate, you may see the `SSL certificate problem: self signed certificate` error in the UI.
+
+The cause of the issue can be confirmed by checking if:
+
+- `curl` fails:
+
+  ```shell
+  $ curl https://gitlab.domain.tld
+  curl: (60) SSL certificate problem: self signed certificate
+  More details here: https://curl.haxx.se/docs/sslcerts.html
+  ```
+
+- Testing via the Rails console also fails:
+
+  ```ruby
+  uri = URI.parse("https://gitlab.domain.tld")
+  http = Net::HTTP.new(uri.host, uri.port)
+  http.use_ssl = true
+  http.verify_mode = 1
+  response = http.request(Net::HTTP::Get.new(uri.request_uri))
+  ...
+  Traceback (most recent call last):
+        1: from (irb):5
+  OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate))
+  ```
+
+To fix this problem:
+
+- Add the self-signed certificate from the remote GitLab instance to the `/etc/gitlab/trusted-certs` directory on the local GitLab instance and run `sudo gitlab-ctl reconfigure` as per the instructions for [installing custom public certificates](https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates).
+- If your local GitLab instance was installed using the Helm Charts, you can [add your self-signed certificate to your GitLab instance](https://docs.gitlab.com/runner/install/kubernetes.html#providing-a-custom-certificate-for-accessing-gitlab).
+
+## Unable to perform Git operations due to an internal or self-signed certificate
+
+If your GitLab instance is using a self-signed certificate, or the certificate is signed by an internal certificate authority (CA), you might run into the following errors when attempting to perform Git operations:
+
+```bash
+$ git clone https://gitlab.domain.tld/group/project.git
+Cloning into 'project'...
+fatal: unable to access 'https://gitlab.domain.tld/group/project.git/': SSL certificate problem: self signed certificate
+```
+
+```bash
+$ git clone https://gitlab.domain.tld/group/project.git
+Cloning into 'project'...
+fatal: unable to access 'https://gitlab.domain.tld/group/project.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
+```
+
+To fix this problem:
+
+- If possible, use SSH remotes for all Git operations. This is considered more secure and convenient to use.
+- If you must use HTTPS remotes, you can try the following:
+  - Copy the self signed certificate or the internal root CA certificate to a local directory (for example, `~/.ssl`) and configure Git to trust your certificate:
+
+    ```shell
+    git config --global http.sslCAInfo ~/.ssl/gitlab.domain.tld.crt
+    ```
+
+  - Disable SSL verification in your Git client. Note that this intended as a temporary measure as it could be considered a **security risk**.
+
+    ```bash
+    git config --global http.sslVerify false
+    ```