Using a self-signed certificate for GitLab HTTPS
Background
I had previously set up a GitLab + gitlab-runner environment as required, but what I did not know was that the certificate generated by GitLab's default HTTPS option is only valid for one month, and I could not find where this is configured. As a result, one month later the gitlab-runner on the server could no longer connect to GitLab, and the only fix was to reconfigure and regenerate it. Out of frustration I decided to solve it once and for all by making a self-signed certificate with a longer validity period.
Note: most of the content of this article is copied from sites such as Jianshu and Zhihu, but it has been consolidated, and combined with my earlier gitlab-runner article it is tested and works.
Generation steps
- Create the private key and generate the certificate request (the first `openssl rsa` line below only strips the passphrase from an already-existing key; it is not needed when the key is generated with `-nodes` as in the `openssl req` command that follows)
# openssl rsa -in /etc/gitlab/ssl/code.xxxx.loc.original -out /etc/gitlab/ssl/code.xxxx.loc.key
root@gitlab-server:~/config# openssl req -nodes -newkey rsa:2048 -keyout code.xxxx.loc.key -out code.xxxx.loc.csr
Generating a RSA private key
........+++++
...................................................................+++++
writing new private key to 'code.xxxx.loc.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:JIANGSU
Locality Name (eg, city) []:NANJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:code.xxxx.loc
Organizational Unit Name (eg, section) []:code.xxxx.loc
Common Name (e.g. server FQDN or YOUR name) []:code.xxxx.loc
Email Address []:xxxx@xxxx.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxxx
string is too short, it needs to be at least 4 bytes long
A challenge password []:123qwe
An optional company name []:xxxx
- Copy the generated files to /etc/gitlab/ssl/
# cp code.xxxx.loc.csr /etc/gitlab/ssl
# cp code.xxxx.loc.key /etc/gitlab/ssl
- Create the certificate (the `-days 36500` below gives it a validity of roughly 100 years)
# openssl x509 -req -days 36500 -in /etc/gitlab/ssl/code.xxxx.loc.csr -signkey /etc/gitlab/ssl/code.xxxx.loc.key -out /etc/gitlab/ssl/code.xxxx.loc.crt
- Remove the certificate request file and restrict the file permissions
# rm -v /etc/gitlab/ssl/code.xxxx.loc.csr
# chmod 600 /etc/gitlab/ssl/code.xxxx.loc.*
- Copy the certificate into GitLab's trusted-certs directory
# cp /etc/gitlab/ssl/code.xxxx.loc.crt /etc/gitlab/trusted-certs/
- Edit gitlab.rb (the certificate and key paths must point at the files created above; the original text carried the `gitlab.domain.com` file names from the reference article, which do not exist here, and the `letsencrypt` key was missing its first letter)
# vi /etc/gitlab/gitlab.rb
external_url 'https://code.xxxx.loc'
letsencrypt['enable'] = false
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/code.xxxx.loc.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/code.xxxx.loc.key"
- Reconfigure and restart GitLab
# gitlab-ctl reconfigure
# gitlab-ctl restart
- Replace the crt file used by gitlab-runner
cp /data/gitlab/config/ssl/code.xxxx.loc.crt /srv/gitlab-runner/config/
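As an added example (not from the post, from GitLab or from gitlab-runner), the following Go program, using only the standard library, builds a self-signed server certificate with the same host name (code.xxxx.loc) and 36500-day validity as the steps above, and then checks it the way a Go TLS client such as gitlab-runner does when the server certificate itself is handed to it as the trust anchor. The key type, serial number and key-usage bits are constructed here, not copied from the post. It demonstrates one caveat of the procedure above: `openssl req` followed by `openssl x509 -req -signkey` places the host name only in the subject CN and adds no subjectAltName, and Go clients since Go 1.15 (gitlab-runner is one) reject certificates that rely on the CN, so the CN-only certificate fails verification while the same certificate with a DNS SAN passes. It also reports the days remaining until expiry, the figure that caused the original one-month outage.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// gitlabHost mirrors the placeholder host name used throughout the post.
const gitlabHost = "code.xxxx.loc"

// selfSignedCert builds a self-signed server certificate for host, valid for
// validDays days (the post uses 36500). With withSAN=false the host name goes
// only into the subject CN, which is what the openssl req / x509 -req steps
// above produce; with withSAN=true it is also placed in subjectAltName.
func selfSignedCert(host string, validDays int, withSAN bool) (*x509.Certificate, error) {
	// Constructed key for the example; the post uses an RSA 2048 key instead.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Random 128-bit serial, as a CA would issue.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    now.Add(-time.Hour), // tolerate small clock skew
		NotAfter:     now.Add(time.Duration(validDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.DNSNames = []string{host}
	}
	// Template is also the parent: the certificate signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAsRunner checks cert the way a Go TLS client such as gitlab-runner
// does when cert itself is supplied as the trust anchor (the crt copied into
// the runner's config directory above): it must be in the trust pool, be
// within its validity period, and carry host in its subjectAltName.
func verifyAsRunner(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// daysRemaining is the check that would have caught the one-month default
// certificate before the runner started failing.
func daysRemaining(cert *x509.Certificate) int {
	return int(time.Until(cert.NotAfter).Hours() / 24)
}

// certPEM is the text form that goes into the .crt file read by GitLab's
// nginx and by the runner.
func certPEM(cert *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}))
}

func main() {
	for _, withSAN := range []bool{false, true} {
		cert, err := selfSignedCert(gitlabHost, 36500, withSAN)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SAN=%v: expires in %d days, runner verification result: %v\n",
			withSAN, daysRemaining(cert), verifyAsRunner(cert, gitlabHost))
	}
}
```

With OpenSSL 1.1.1 or later the SAN can be added directly when generating a self-signed certificate in one step, by passing `-addext "subjectAltName=DNS:code.xxxx.loc"` to `openssl req -x509 -nodes -newkey rsa:2048 -days 36500 ...`; the two-step `openssl x509 -req` route used above needs an `-extfile` to carry the extension. To inspect an existing certificate's validity window and names, `openssl x509 -in /etc/gitlab/ssl/code.xxxx.loc.crt -noout -dates -ext subjectAltName` shows both.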
Summary
When generating the files in the first step I was not paying attention and filled in some parameters arbitrarily; only when the runner failed to authenticate did I go back and take a closer look, so in the end I basically used the domain name in every step, which also makes the runner's authentication easier. This was my first attempt; if any experts spot anything wrong, please point it out, thanks.
References
[1]: https://www.jianshu.com/p/4111534b339f