Calling a webhook from GitLab returns an SSL error

Ale*_*ler 6 gitlab

When I create a webhook in GitLab 11.0.2 and test it, I get this error:

Hook execution failed: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error

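The webhook URI uses HTTPS with a public certificate (not self-signed).

SSL verification is disabled for this webhook.

Update

I upgraded openssl from 1.0.2g to 1.0.2o, but the error persists.

Then I tried running: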

openssl s_client -connect mywebhookhost:443

This results in:

depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify error:num=20:unable to get local issuer certificate

Update 2

/opt/gitlab/embedded/bin/ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'

returns

OpenSSL 1.0.2o 27 Mar 2018

Update 3

The GlobalSign CA certificates are installed:

awk -v cmd='openssl x509 -noout -subject' '
    /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep GlobalSign

The result is

subject=OU = GlobalSign ECC Root CA - R4, O = GlobalSign, CN = GlobalSign
subject=OU = GlobalSign ECC Root CA - R5, O = GlobalSign, CN = GlobalSign
subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
subject=OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
subject=OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign

Von*_*onC 1

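Judging from this thread, your openssl is too old:

Struggled with TLS for a few days, realized that my GitLab was running on old debian8, upgraded to debian9. So now:

python -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.1.0f 25 May 2017

So start by checking/upgrading openssl so that your webhook script works.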
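
What `verify error:num=20` in the question's `s_client` output means, as an added example (not code from the question or the answer): Ruby's OpenSSL bindings verify a constructed three-certificate chain against a bundle without the root, a bundle with it, and with the intermediate withheld by the server. The helper names and all certificates are hypothetical and generated inside the script.

```ruby
require 'openssl'

# Constructed sample input: a throwaway certificate (all names are hypothetical).
def make_cert(cn, ca:, issuer: nil, issuer_key: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(2**32) + 1
  cert.subject    = OpenSSL::X509::Name.parse("/O=Example/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  bc = ca ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension('basicConstraints', bc, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Split a PEM bundle (the format of /etc/ssl/certs/ca-certificates.crt).
def load_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Verify what a server sent (leaf first) against a trust bundle and report the
# fields s_client prints: error number, depth and the certificate it stopped at.
def diagnose(sent, bundle_pem)
  store = OpenSSL::X509::Store.new # empty: system defaults are not loaded
  load_bundle(bundle_pem).each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, sent.first, sent.drop(1))
  ok  = ctx.verify
  { ok: ok, num: ctx.error, text: ctx.error_string, depth: ok ? nil : ctx.error_depth,
    at: ok ? nil : ctx.current_cert.subject.to_s }
end

root,  root_key  = make_cert('Constructed Root CA', ca: true)
inter, inter_key = make_cert('Constructed Intermediate CA', ca: true, issuer: root, issuer_key: root_key)
leaf,  = make_cert('mywebhookhost', ca: false, issuer: inter, issuer_key: inter_key)

CASES = {
  root_not_in_bundle:    diagnose([leaf, inter], ''),          # num=20 at depth 1
  root_in_bundle:        diagnose([leaf, inter], root.to_pem), # ok
  intermediate_not_sent: diagnose([leaf], root.to_pem)         # num=20 at depth 0
}.freeze
CASES.each { |name, r| puts "#{name}: ok=#{r[:ok]} num=#{r[:num]} depth=#{r[:depth]} #{r[:at]} (#{r[:text]})" }
```

Error 20 is a certificate-verification result on the client side, while the `tlsv1 alert internal error` in the hook log is an alert received from the server during the handshake, so the two are diagnosed separately.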