Certificate errors after upgrade when using proxy

Description

• Certificate errors occur after upgrade to 17.10 or higher.
• Duo code completions fail with errors like:

  FetchError: request to https://cloud.gitlab.com/ai/v2/completions failed, reason: self signed certificate in certificate chain

• Any Workhorse related connections can be affected.
• Proxy may indicate a handshake timeout.

Environment

This affects environments with a proxy configured.

Impacted offerings:

• GitLab Self-Managed

Impacted versions:

• 17.10 and later

Solution

1. Add the following block into your gitlab.rb of servers running Workhorse

   gitlab_workhorse['env'] = {
     'GODEBUG' => "tlskyber=0"
   }

2. Reconfigure gitlab-ctl reconfigure

Cause

In Go 1.23, post-quantum key exchange mechanism is enabled by default. The size of this can cause some proxies to timeout during handshake.

Additional Information

• This may present differently depending on the proxy in use.
• X25519MLKEM768 key exchange is unlikely to be in use so it is safe to disable at this time.

Related Links

• Update Go version to 1.24.2 epic
• Post-quantum-secure cryptography overview
• Go crypto/tls documentation