gitlab生成证书支持HTTPS方式

yum -y install policycoreutils openssh-server openssh-clients postfix
wget https://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/yum/el7/gitlab-ce-11.4.3-ce.0.el7.x86_64.rpm
yum install policycoreutils-python
rpm -i gitlab-ce-11.4.3-ce.0.el7.x86_64.rpm

yum -y install policycoreutils openssh-server openssh-clients postfix

wget https://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/yum/el7/gitlab-ce-11.4.3-ce.0.el7.x86_64.rpm

yum install policycoreutils-python

rpm -i gitlab-ce-11.4.3-ce.0.el7.x86_64.rpm

证书生成：

1. 创建 Private Key，这里需要输入密码，记住下密码，在下面需要用到

openssl genrsa -des3 -out /etc/gitlab/ssl/gitlab.shooter.com.key 2048

1	openssl genrsa -des3 -out /etc/gitlab/ssl/gitlab.shooter.com.key 2048

2. 生成 Certificate Request

openssl req -new -key /etc/gitlab/ssl/gitlab.shooter.com.key -out /etc/gitlab/ssl/gitlab.shooter.com.csr
输入一些信息

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:shooter
Organizational Unit Name (eg, section) []:shooter
Common Name (eg, your name or your server's hostname) []:gitlab.shooter.com
Email Address []:tuobalongshen@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


翻译:
国家/地区名称（2个字母代码）[XX]：CN
州或省名称（全名）[]：上海
地区名称（例如城市）[默认城市]：上海
组织名称（例如公司）[默认公司有限公司]：shooter
组织单位名称（例如，科）[]：射手
通用名称（例如，您的名称或服务器的主机名）[]：这里要写你颁发证书的域名
电子邮件地址[]：tuobalongshen@126.com
请输入以下“额外”属性
与您的证书请求一起发送
质询密码[]： 可不设
可选的公司名称[]： 可不写

openssl req -new -key /etc/gitlab/ssl/gitlab.shooter.com.key -out /etc/gitlab/ssl/gitlab.shooter.com.csr

输入一些信息

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:shanghai

Locality Name (eg, city) [Default City]:shanghai

Organization Name (eg, company) [Default Company Ltd]:shooter

Organizational Unit Name (eg, section) []:shooter

Common Name (eg, your name or your server's hostname) []:gitlab.shooter.com

Email Address []:tuobalongshen@126.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

翻译:

国家/地区名称（2个字母代码）[XX]：CN

州或省名称（全名）[]：上海

地区名称（例如城市）[默认城市]：上海

组织名称（例如公司）[默认公司有限公司]：shooter

组织单位名称（例如，科）[]：射手

通用名称（例如，您的名称或服务器的主机名）[]：这里要写你颁发证书的域名

电子邮件地址[]：tuobalongshen@126.com

请输入以下“额外”属性

与您的证书请求一起发送

质询密码[]：可不设

可选的公司名称[]：可不写

上面2条命令可以进行合并

openssl req -nodes -newkey rsa:2048 -keyout gitlab.shooter.com.key -out gitlab.shooter.com.csr

1	openssl req -nodes -newkey rsa:2048 -keyout gitlab.shooter.com.key -out gitlab.shooter.com.csr

3. 移除Private Key 中的密码短语

cp -v /etc/gitlab/ssl/gitlab.shooter.com.{key,original}
openssl rsa -in /etc/gitlab/ssl/gitlab.shooter.com.original -out /etc/gitlab/ssl/gitlab.shooter.com.key
rm -v /etc/gitlab/ssl/gitlab.shooter.com.original

cp -v /etc/gitlab/ssl/gitlab.shooter.com.{key,original}

openssl rsa -in /etc/gitlab/ssl/gitlab.shooter.com.original -out /etc/gitlab/ssl/gitlab.shooter.com.key

rm -v /etc/gitlab/ssl/gitlab.shooter.com.original

4. 创建证书

openssl x509 -req -days 1460 -in /etc/gitlab/ssl/gitlab.shooter.com.csr -signkey /etc/gitlab/ssl/gitlab.shooter.com.key -out /etc/gitlab/ssl/gitlab.shooter.com.crt

1	openssl x509 -req -days 1460 -in /etc/gitlab/ssl/gitlab.shooter.com.csr -signkey /etc/gitlab/ssl/gitlab.shooter.com.key -out /etc/gitlab/ssl/gitlab.shooter.com.crt

5. 移除证书请求文件

rm -v /etc/gitlab/ssl/gitlab.shooter.com.csr

1	rm -v /etc/gitlab/ssl/gitlab.shooter.com.csr

6. 设置文件权限

chmod 600 /etc/gitlab/ssl/gitlab.shooter.com.*

1	chmod 600 /etc/gitlab/ssl/gitlab.shooter.com.*

gitlab 配置更改

vim /etc/gitlab/gitlab.rb

1	vim /etc/gitlab/gitlab.rb


external_url 'https://gitlab.shooter.com'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate']= "/etc/gitlab/ssl/gitlab.shooter.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.shooter.com.key"

external_url 'https://gitlab.shooter.com'

nginx['redirect_http_to_https'] = true

nginx['ssl_certificate']= "/etc/gitlab/ssl/gitlab.shooter.com.crt"

nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.shooter.com.key"

重新加载配置文件并且重启

gitlab-ctl reconfigure
gitlab-ctl restart

1 2	gitlab-ctl reconfigure gitlab-ctl restart

外部NGINX配置修改


upstream  git{
    server  172.17.4.179:443 weight=1;
}
 
server {
    listen 443;
    server_name git.zhubanxian.com;
    ssl on;
    ssl_certificate /etc/nginx/vhosts/git/2220513_gitlab.shooter.com.pem;
    ssl_certificate_key /etc/nginx/vhosts/git/2220513_gitlab.shooter.com.key;
 
 
    location ~ ^/(.*){
        #注意这里使用https
        proxy_pass https://git;
        proxy_set_header REMOTE_ADDR $remote_addr;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
 
}
 
server {
    listen 80;
    server_name gitlab.shooter.com;
 
    location ^~ /.well-known/acme-challenge/ {
        alias /data/sites/challenges/;
        try_files $uri = 404;
    }
 
    location / {
        rewrite ^/(.*)$ https://$host/$1 permanent;
    }
}

upstream git{

server 172.17.4.179:443 weight=1;

}

server {

listen 443;

server_name git.zhubanxian.com;

ssl on;

ssl_certificate /etc/nginx/vhosts/git/2220513_gitlab.shooter.com.pem;

ssl_certificate_key /etc/nginx/vhosts/git/2220513_gitlab.shooter.com.key;

location ~ ^/(.*){

#注意这里使用https

proxy_pass https://git;

proxy_set_header REMOTE_ADDR $remote_addr;

proxy_set_header Host $http_host;

proxy_http_version 1.1;

proxy_set_header Connection "";

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

}

server {

listen 80;

server_name gitlab.shooter.com;

location ^~ /.well-known/acme-challenge/ {

alias /data/sites/challenges/;

try_files $uri = 404;

}

location / {

rewrite ^/(.*)$ https://$host/$1 permanent;

}

本文固定链接: https://www.yoyoask.com/?p=4495
转载请注明: shooter 2018年01月13日于 SHOOTER 发表

最后编辑：2021-01-13

作者：shooter

这个作者貌似有点懒，什么都没有留下。

站内专栏

您可能还会对这些文章感兴趣！