Configuring SSL access for GitLab 10.x
https://docs.gitlab.com/omnibus/settings/ssl.html#automatic-renewal
https://george.betterde.com/20190518.html
Using HTTPS
Built-in Let's Encrypt
GitLab 10.7 ships with Let's Encrypt built in. You only need to set the following parameters in /etc/gitlab/config/gitlab.rb, and HTTPS is enabled automatically.
1. Check that the port is open

```bash
firewall-cmd --zone=public --permanent --add-port=443/tcp
firewall-cmd --zone=public --permanent --add-port=443/udp
firewall-cmd --reload
firewall-cmd --list-all   # port 443 is now listed as allowed
```
2. The port is also open in the Alibaba Cloud web firewall
3. Edit the gitlab.rb file

```bash
vi /etc/gitlab/gitlab.rb
```
Original configuration

```ruby
# letsencrypt['enable'] = nil
# letsencrypt['contact_emails'] = [] # This should be an array of email addresses to add as contacts
# letsencrypt['group'] = 'root'
# letsencrypt['key_size'] = 2048
# letsencrypt['owner'] = 'root'
# letsencrypt['wwwroot'] = '/var/opt/gitlab/nginx/www'
# See http://docs.gitlab.com/omnibus/settings/ssl.html#automatic-renewal for more on these sesttings
# letsencrypt['auto_renew'] = true
# letsencrypt['auto_renew_hour'] = 0
# letsencrypt['auto_renew_minute'] = nil # Should be a number or cron expression, if specified.
# letsencrypt['auto_renew_day_of_month'] = "*/4"
# letsencrypt['auto_renew_log_directory'] = '/var/log/gitlab/lets-encrypt'
```
Modified configuration

```ruby
letsencrypt['enable'] = true # to turn it off, just set letsencrypt['auto_renew'] = false
external_url "https://gitlab.bndstone.com" # no need to set this again if you already specified it when starting the container
letsencrypt['contact_emails'] = ['info@bndstone.com'] # your e-mail address; this setting is optional
# Automatic renewal settings
letsencrypt['auto_renew'] = true
letsencrypt['auto_renew_hour'] = "12"
letsencrypt['auto_renew_minute'] = "30"
letsencrypt['auto_renew_day_of_month'] = "*/7"
```
4. Apply the configuration

```bash
gitlab-ctl reconfigure
```
5. Now generate the certificate

```bash
gitlab-ctl renew-le-certs
```
6. If you generate the certificate first and only then apply the configuration, you get the following error

```
LetsEncrypt is not enabled in your gitlab.rb. Have you run "gitlab-ctl reconfigure" yet?
```
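7. Open https://gitlab.bndstone.com. The page reports that the certificate is invalid.
However, the official GitLab site is the same, with an invalid certificate. I wanted to use ZeroSSL's SSL, but that probably won't work.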
https://docs.gitlab.com/omnibus/settings/ssl.html
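
To narrow down why a browser reports the certificate from step 7 as invalid, the following added example (not part of the original post and not GitLab's own code) checks the presented certificate's validity window, hostname match and whether it is self-signed. The function names and the host `gitlab.example.test` are assumptions for this example; run without arguments it inspects a constructed self-signed certificate, so it works offline.

```ruby
require 'openssl'
require 'socket'

# Fetch the leaf certificate a server presents. Verification is disabled here
# only so that an invalid certificate can still be retrieved for inspection.
def fetch_cert(host, port = 443)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host # send SNI so the server selects the right certificate
  ssl.connect
  ssl.peer_cert
ensure
  ssl&.close
  tcp&.close
end

# Return the reasons a client would reject cert for host at time now.
def cert_problems(cert, host, now = Time.now)
  problems = []
  problems << :not_yet_valid if now < cert.not_before
  problems << :expired if now > cert.not_after
  problems << :hostname_mismatch unless OpenSSL::SSL.verify_certificate_identity(cert, host)
  self_issued = cert.issuer.to_s == cert.subject.to_s
  problems << :self_signed if self_issued && cert.verify(cert.public_key)
  problems
end

# Constructed sample input: a self-signed certificate for host.
def constructed_cert(host, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{host}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  san = OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', "DNS:#{host}")
  cert.add_extension(san)
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# With a hostname argument, inspect the live server; otherwise use the sample.
host = ARGV[0] || 'gitlab.example.test'
cert = ARGV[0] ? fetch_cert(host) : constructed_cert(host, Time.now - 3600, Time.now + 86_400)
puts "issuer: #{cert.issuer}  expires: #{cert.not_after}"
puts "problems: #{cert_problems(cert, host).inspect}"
```

An empty list means the leaf certificate itself passes these three checks; chain trust (an untrusted or missing intermediate) is not tested here.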