Configuring intranet HTTPS for a Docker-deployed GitLab
I. Generate a self-signed certificate
Create the configuration file openssl.conf:
[req]
distinguished_name = req_distinguished_name
req_extensions = v5_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN # country
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = BEIJING
localityName = Locality Name (eg, city)
localityName_default = BEIJING
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = MYORG
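commonName = Common Name (domain name or IP)
commonName_default = TEST # change this to your domain name or IP
commonName_max = 64
emailAddress = Email Address
emailAddress_default = test@163.com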
[v5_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
subjectAltName = @alt_names
[alt_names]
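# Add the domain names and IPs here. The LAN IP of the HTTPS server is enough; several IPs can be listed, and you can delete the extras if you need only one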
IP.1 = 192.168.0.11
IP.2 = 127.0.0.1
Generate the certificate:
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key -config openssl.conf
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt -extensions v5_req -extfile openssl.conf
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "server"
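# I found a shell script online that generates the certificate files, but I only came across it while writing this post, so I have not tried it.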
#!/bin/sh
# create self-signed server certificate:
printf "Enter your hostname or IP : "
read -r DOMAIN   # read -p is not available in every sh
echo "Create server key..."
# 2048-bit key; -des3 encrypts it with a passphrase that is removed again below
openssl genrsa -des3 -out "$DOMAIN.key" 2048
echo "Create server certificate signing request..."
SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"
openssl req -new -subj "$SUBJECT" -key "$DOMAIN.key" -out "$DOMAIN.csr"
echo "Remove password..."
mv "$DOMAIN.key" "$DOMAIN.origin.key"
openssl rsa -in "$DOMAIN.origin.key" -out "$DOMAIN.key"
echo "Sign SSL certificate..."
# Self-sign for 10 years; unlike the openssl.conf method above, no subjectAltName is added
openssl x509 -req -days 3650 -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -out "$DOMAIN.crt"
echo "TODO:"
echo "Copy $DOMAIN.crt to /home/data/Gitlab/config/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /home/data/Gitlab/config/ssl/$DOMAIN.key"
echo "Add nginx configuration in /home/data/Gitlab/config/gitlab.rb"
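# Run the script with sh
# Step 1: enter the domain name or IP address
# Step 2: enter a passphrase of at least four characters
# You are then asked to confirm the passphrase
For how to use the server.p12 file, see https://blog.csdn.net/z2926781/article/details/119675720; that file is not used in the rest of this post.
II. Modify the configuration files
# Create an ssl directory and put server.crt and server.key in it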
cd /etc/gitlab
mkdir ssl
mv /opt/server.crt /etc/gitlab/ssl/
mv /opt/server.key /etc/gitlab/ssl/
Edit the gitlab.rb file:
vim /etc/gitlab/gitlab.rb
external_url 'https://192.168.0.11:5443'
nginx['ssl_certificate'] = "/etc/gitlab/ssl/server.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/server.key"
# The following lines configure the HTTP-to-HTTPS redirect; omit them if you do not need it
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
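nginx['listen_port'] = 443 # Docker deployment: the port inside the container
Run gitlab-ctl reconfigure for the changes to take effect.
III. Problems encountered
1. The browser shows the site as not secure
Copy the server.crt file out, double-click it and click Next through every step.
2. git clone reports "setting certificate verify locations:"
There are two fixes:
Option 1: specify the certificate to verify against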
git config --system http.sslcainfo "E:\server.crt"
Option 2: disable certificate verification
git config --system http.sslverify false
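Just when I thought it was finally solved, the same error came up again when Jenkins pulled code from GitLab. If Jenkins is deployed on bare metal, the methods above fix it. But because Jenkins runs in Docker, Git's configuration file for Jenkins has to be changed: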
vim /etc/gitconfig
[http]
sslVerify = false
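The gitconfig file is not always in the same place; on a bare-metal deployment it seems to be ~/.gitconfig, so you need to look for it. That is the end of the problems. Congratulations, it finally works!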
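The two fixes above either replace the CA file for every remote or switch verification off for all of them. As an added example (not from the original post), the script below pins server.crt to the GitLab URL only, using Git's http.<url>.* settings; the function names and the certificate path inside the Jenkins container are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. GITLAB_URL is the external_url
# used on this page; function names and file paths are assumptions.
GITLAB_URL="https://192.168.0.11:5443/"

# scope_gitlab_ca <gitconfig> <ca-file>
# Trust <ca-file> for GITLAB_URL only and re-enable verification elsewhere.
scope_gitlab_ca() {
    cfg=$1
    ca=$2
    # Remove a blanket "sslVerify = false" (exit status 5 means it was not set).
    git config --file "$cfg" --unset-all http.sslVerify 2>/dev/null || true
    # Written as: [http "https://192.168.0.11:5443/"] sslCAInfo = <ca-file>
    git config --file "$cfg" "http.${GITLAB_URL}.sslCAInfo" "$ca"
}

# effective_ca <gitconfig> <remote-url>
# Print the CA file Git would use for <remote-url>; print nothing when the
# remote falls back to the default CA bundle.
effective_ca() {
    git config --file "$1" --get-urlmatch http.sslCAInfo "$2" || true
}

# Usage inside the Jenkins container (run as root, certificate already mounted):
#   sh scope-ca.sh /etc/gitconfig /etc/ssl/gitlab/server.crt
if [ "$#" -eq 2 ]; then
    scope_gitlab_ca "$1" "$2"
    echo "GitLab remote : $(effective_ca "$1" "${GITLAB_URL}group/app.git")"
    echo "Other remote  : $(effective_ca "$1" "https://example.com/x.git")"
fi
```

With this in place, clones from the GitLab host are verified against server.crt while every other remote keeps normal certificate verification.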