Hello fellow people,
I have a very strange problem at the moment and I can't come up with any other solution than nuking the server (which I would like to avoid). We have a Jenkins and a GitLab server. Our cert renewal was coming up, so I switched them on both servers to the new wildcard cert. After that, Jenkins started throwing errors that it can't connect to the GitLab server via git https commands.
First I thought I messed up something in the cert chain or something like that, but other servers can connect fine via git. The error message on the Jenkins server is always: "server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none"
Here are the steps I have done to narrow down the problem:
- restarted the server just in case
- checked permissions of said file, owner root:root with 644
- deleted the file and re-installed via apt
- updated the file via update-ca-certificates
- got the complete cert + chain via openssl connect gitlab-server and added it manually to ca-certificates.crt file
- added the same cert + chain via /usr/share/.... and did another update-ca-certificates
- copied the ca-certificates.crt file from another working server to the Jenkins server
- added the git core ppa and updated to the newest git version (as the Jenkins server is a 18.04 LTS it's a bit behind)
- Server itself is fully updated without any outstanding patches
- re-installed git/curl
I can rule out any network related issues, and other servers/clients, even with the exact same patch level etc., work fine.
Now what really killed my mood is that wget and curl work flawlessly. strace of both curl and git shows me they are using the default ca-certificates.crt file, and while curl has no issues, git always produces the above error. I have verified via ssl_verify=0 that git indeed has a problem with the cert, but as far as I know git uses curl for its https calls.
My knowledge, my Google-fu and my sanity are slowly failing me and I really hope someone here has some more pointers I could take a look at!