Using a self-signed certificate for GitLab HTTPS


Background

I had previously set up a gitlab + gitlab-runner environment as required, but what I did not know was that the certificate generated by GitLab's default HTTPS option is only valid for one month, and I could not find where that is configured. So a month later the gitlab-runner on the server could no longer connect to GitLab, and the only fix was to reconfigure and regenerate. Out of frustration I decided to settle it once and for all and make a self-signed certificate with a longer validity period.

Note: most of the content of this article is copied from Jianshu, Zhihu and similar sites, but consolidated here; used together with my earlier gitlab-runner article, it has been tested and works.

Generation steps

  1. Create the private key and generate the certificate request. The session below runs openssl req with -nodes, so the key is written unencrypted; the command that follows rewrites an existing key without its passphrase and is only needed if the key was generated with one (nginx must be able to read the key without a prompt).
    # openssl rsa -in /etc/gitlab/ssl/code.xxxx.loc.original -out /etc/gitlab/ssl/code.xxxx.loc.key
    
root@gitlab-server:~/config# openssl req -nodes -newkey rsa:2048 -keyout code.xxxx.loc.key -out code.xxxx.loc.csr
Generating a RSA private key
........+++++
...................................................................+++++
writing new private key to 'code.xxxx.loc.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:JIANGSU
Locality Name (eg, city) []:NANJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:code.xxxx.loc
Organizational Unit Name (eg, section) []:code.xxxx.loc
Common Name (e.g. server FQDN or YOUR name) []:code.xxxx.loc
Email Address []:xxxx@xxxx.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxxx
string is too short, it needs to be at least 4 bytes long
A challenge password []:123qwe
An optional company name []:xxxx
  2. Copy the generated files to /etc/gitlab/ssl/
    # cp code.xxxx.loc.csr /etc/gitlab/ssl
    # cp code.xxxx.loc.key /etc/gitlab/ssl
    
  3. Create the certificate (signed with the same key, valid for 36500 days)
    # openssl x509 -req -days 36500 -in /etc/gitlab/ssl/code.xxxx.loc.csr -signkey /etc/gitlab/ssl/code.xxxx.loc.key -out /etc/gitlab/ssl/code.xxxx.loc.crt
    
  4. Remove the certificate request file and restrict file permissions
    # rm -v /etc/gitlab/ssl/code.xxxx.loc.csr
    # chmod 600 /etc/gitlab/ssl/code.xxxx.loc.*
    
  5. Copy the certificate into GitLab's trusted-certs directory
    # cp /etc/gitlab/ssl/code.xxxx.loc.crt /etc/gitlab/trusted-certs/
    
  6. Edit gitlab.rb (the nginx certificate paths must point at the files created in step 3)
    # vi /etc/gitlab/gitlab.rb
    external_url 'https://code.xxxx.loc'
    letsencrypt['enable'] = false
    nginx['redirect_http_to_https'] = true
    nginx['ssl_certificate'] = "/etc/gitlab/ssl/code.xxxx.loc.crt"
    nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/code.xxxx.loc.key"
    
  7. Reconfigure and restart GitLab
    # gitlab-ctl reconfigure
    # gitlab-ctl restart
    
  8. Replace the crt file used by gitlab-runner
    # cp /data/gitlab/config/ssl/code.xxxx.loc.crt /srv/gitlab-runner/config/
    
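The same certificate generation as the steps above, as an added shell example (not code from the original post or from the Jianshu article it draws on): it adds a subjectAltName, because Go-based clients such as gitlab-runner match the host name against the SAN and not the CN, and it runs the checks a TLS client applies before the file is copied anywhere. It assumes OpenSSL 1.1.1 or later (for -addext); the host name, validity and output directory are parameters, and the values in the demo are constructed.

```shell
#!/bin/sh
# Added example: self-signed GitLab certificate with a SAN, plus the checks
# a TLS client applies before trusting it. Assumes OpenSSL >= 1.1.1.
# HOST, DAYS and OUTDIR are parameters, not values taken from the post.

# make_selfsigned_cert HOST DAYS OUTDIR
# Key and certificate are produced in one step, so no CSR is left on disk.
# umask 077 inside the subshell creates both files with mode 600.
make_selfsigned_cert() {
    host="$1"; days="$2"; out="$3"
    mkdir -p "$out" && (
        umask 077
        openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
            -subj "/C=CN/ST=JIANGSU/L=NANJING/O=$host/CN=$host" \
            -addext "subjectAltName=DNS:$host" \
            -keyout "$out/$host.key" -out "$out/$host.crt" 2>/dev/null
    )
}

# cert_matches_host CRT HOST
# gitlab-runner is a Go program; Go ignores the CN and matches only the
# subjectAltName, so a certificate with the right CN but no SAN is rejected.
cert_matches_host() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_valid_for CRT SECONDS  (non-zero exit if it expires within SECONDS)
# This is the failure the post describes: the default cert ran out after a month.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# cert_verifies_as_anchor CRT
# Verify the certificate against itself as the only trust anchor, which is
# what the runner does once the file sits in its certs directory.
cert_verifies_as_anchor() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Stand-alone run (sh script.sh --demo): build a cert and report each check.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_selfsigned_cert code.xxxx.loc 3650 "$dir"
    cert_matches_host "$dir/code.xxxx.loc.crt" code.xxxx.loc && echo "SAN ok"
    cert_valid_for "$dir/code.xxxx.loc.crt" 2592000 && echo "valid for more than 30 days"
    cert_verifies_as_anchor "$dir/code.xxxx.loc.crt" && echo "verify ok"
fi
```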

Summary

When generating the request in the first step I was not paying attention and filled in some of the fields arbitrarily; it was only when runner authentication failed that I went back to look at them. So in the end basically every field uses the domain name, which also makes runner authentication easier. This is a first attempt; if anyone more experienced spots something wrong, please point it out, thanks.

Main reference
[1]: https://www.jianshu.com/p/4111534b339f
