子域验证中的 Gitlab ssl 失败

Question

我想在我的 nginx 服务器上安装 gitlab。 我关注this instruction 进行安装。

gitlab-ctl reconfigure给我：

There was an error running gitlab-ctl reconfigure:

letsencrypt_certificate[gitlab.domain.dev] (letsencrypt::http_authorization line 5) had an error: RuntimeError: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error: RuntimeError: ruby_block[create certificate for gitlab.domain.dev] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb line 108) had an error: RuntimeError: [gitlab.domain.dev] Validation failed, unable to request certificate

我用：

• Debian 8
• Nginx
• 我的防火墙允许 443 和 80（我有一个 http 站点和一个 https 站点）
• 我可以访问 sudo（或 root）
• apt install ca-certificates curl openssh-server postfix

我试试：

• 在我的 dns 中创建子域gitlab.domain.dev
• 创建 SSL 证书。使用 certbot 的域
• 到这一步子域就ok了
• 安装 gitlab whit EXTERNAL_URL="https://gitlab.domain.dev" apt-get install gitlab-ee
• 在这一步gitlab.domain.dev什么都不返回
• 我测试编辑配置文件 (nano /etc/gitlab/gitlab.rb) 如下：

nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.domain.dev/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.domain.dev/privkey.pem"

• 并运行gitlab-ctl reconfigure
• 并捕获错误
• 我也试试this

我不明白为什么我说告诉 gitlab 使用我已经创建的 ssl 证书以及如何让我的子域给 gitlab。

我的 nginx 子域配置文件：

# the nginx server instance
server {

    server_name gitlab.domain.dev;
    root /var/www/gitlab.domain.dev;
    index index.html index.htm index.nginx-debian.html;

    access_log /var/log/nginx/gitlab.domain.dev.log;
    location / {
            try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/gitlab.domain.dev/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/gitlab.domain.dev/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = gitlab.domain.dev) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;

    server_name gitlab.domain.dev;
    return 404; # managed by Certbot


}

更新 1

我试试：

• 将.pem 文件转换为.key 和.crt whit：

openssl x509 -outform der -in your-cert.pem -out your-cert.crt
openssl pkey -in privkey.pem -out foo.key

• 将gitlab配置文件nano /etc/gitlab/gitlab.rb的值改为：

nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.domain.dev.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.domain.dev.key"

• 重新配置：

There was an error running gitlab-ctl reconfigure:

letsencrypt_certificate[gitlab.domain.dev] (letsencrypt::http_authorization line 5) had an error: RuntimeError: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error: RuntimeError: ruby_block[create certificate for gitlab.domain.dev] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb line 108) had an error: RuntimeError: [gitlab.domain.dev] Validation failed, unable to request certificate

Answer 1

letsencrypt['enable'] = false 的设置曾经有一个默认值设置为 false，但 GitLab 的更高版本将设置更改为 true 作为默认值。此更改可能会破坏您的服务器脚本，从而导致 ssl 错误，例如有问题的错误。

就我而言，我将自签名证书存储在特定文件夹中，默认设置为 true 会干扰获取自分配证书。一旦我将设置更改为false

，问题就解决了

Info from official GitLab Docs： “警告：GitLab 12.1 或更高版本将尝试更新任何 Let's Encrypt 证书。如果您打算使用自己的 Let's Encrypt 证书，则必须在 /etc/gitlab/gitlab.rb 中设置letsencrypt ['enable'] = false以禁用集成。否则证书可能会因续订而被覆盖。”