Invoking Webhook from GitLab returns SSL error

Question

When creating a Webhook in GitLab 11.0.2 and testing it, I get this back this error:

Hook execution failed: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error

The Webhook URI is using HTTPS with a public certificate (not self signed).

SSL verification is disabled for this Webhook.

Update

I upgraded openssl1.0.2g to openssl1.0.2o but the error remains.

Then I tried to run:

openssl s_client -connect mywebhookhost:443

That resulted in:

depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify error:num=20:unable to get local issuer certificate

Update 2

/opt/gitlab/embedded/bin/ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'

returns

OpenSSL 1.0.2o 27 Mar 2018

Update 3

GlobalSign CA certs are installed

 awk -v cmd='openssl x509 -noout -subject' '
>     /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep GlobalSign

results in

subject=OU = GlobalSign ECC Root CA - R4, O = GlobalSign, CN = GlobalSign
subject=OU = GlobalSign ECC Root CA - R5, O = GlobalSign, CN = GlobalSign
subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
subject=OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
subject=OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign

Answer 1

From this thread, it looks like your openssl is too old

Have been fighting with TLS for a few days, realised my GitLab was running on an old debian8, upgraded to debian9. So now.

python -c "import ssl; print ssl.OPENSSL_VERSION" OpenSSL 1.1.0f 25 May 2017

So start checking/upgrading openssl, for your webhook script to run properly.

Answer 2

I have the same problem and to solve that i need to install root certificates on gitlab server.

See here how to.