子域验证中的 Gitlab ssl 失败
Posted
技术标签:
【中文标题】子域验证中的 Gitlab ssl 失败【英文标题】:Gitlab ssl in subdomain validation failed 【发布时间】:2019-12-09 05:32:30 【问题描述】:我想在我的 nginx 服务器上安装 gitlab。 我关注this instruction 进行安装。
gitlab-ctl reconfigure给我:
There was an error running gitlab-ctl reconfigure:
letsencrypt_certificate[gitlab.domain.dev] (letsencrypt::http_authorization line 5) had an error: RuntimeError: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error: RuntimeError: ruby_block[create certificate for gitlab.domain.dev] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb line 108) had an error: RuntimeError: [gitlab.domain.dev] Validation failed, unable to request certificate
我用:
Debian 8 Nginx 我的防火墙允许 443 和 80(我有一个 http 站点和一个 https 站点) 我可以访问 sudo(或 root)apt install ca-certificates curl openssh-server postfix
我试试:
在我的 dns 中创建子域gitlab.domain.dev
创建 SSL 证书。使用 certbot 的域
到这一步子域就ok了
安装 gitlab whit EXTERNAL_URL="https://gitlab.domain.dev" apt-get install gitlab-ee
在这一步gitlab.domain.dev什么都不返回
我测试编辑配置文件 (nano /etc/gitlab/gitlab.rb) 如下:
nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.domain.dev/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.domain.dev/privkey.pem"
gitlab-ctl reconfigure
并捕获错误
我也试试this
我不明白为什么我说告诉 gitlab 使用我已经创建的 ssl 证书以及如何让我的子域给 gitlab。
我的 nginx 子域配置文件:
# the nginx server instance
server
server_name gitlab.domain.dev;
root /var/www/gitlab.domain.dev;
index index.html index.htm index.nginx-debian.html;
access_log /var/log/nginx/gitlab.domain.dev.log;
location /
try_files $uri $uri/ =404;
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/gitlab.domain.dev/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/gitlab.domain.dev/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
server
if ($host = gitlab.domain.dev)
return 301 https://$host$request_uri;
# managed by Certbot
listen 80;
listen [::]:80;
server_name gitlab.domain.dev;
return 404; # managed by Certbot
更新 1
我试试:
将.pem 文件转换为.key 和.crt whit:
openssl x509 -outform der -in your-cert.pem -out your-cert.crt
openssl pkey -in privkey.pem -out foo.key
nano /etc/gitlab/gitlab.rb的值改为:
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.domain.dev.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.domain.dev.key"
There was an error running gitlab-ctl reconfigure:
letsencrypt_certificate[gitlab.domain.dev] (letsencrypt::http_authorization line 5) had an error: RuntimeError: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error: RuntimeError: ruby_block[create certificate for gitlab.domain.dev] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb line 108) had an error: RuntimeError: [gitlab.domain.dev] Validation failed, unable to request certificate
【问题讨论】:
您的 Gitlab 服务器似乎配置了letsencrypt 配置。你的 gitlab.rb 中有这样的行 Letsencrypt['enable'] = true 吗? 【参考方案1】:letsencrypt['enable'] = false 的设置曾经有一个默认值设置为 false,但 GitLab 的更高版本将设置更改为 true 作为默认值。此更改可能会破坏您的服务器脚本,从而导致 ssl 错误,例如有问题的错误。
就我而言,我将自签名证书存储在特定文件夹中,默认设置为 true 会干扰获取自分配证书。一旦我将设置更改为false
Info from official GitLab Docs: “警告:GitLab 12.1 或更高版本将尝试更新任何 Let's Encrypt 证书。如果您打算使用自己的 Let's Encrypt 证书,则必须在 /etc/gitlab/gitlab.rb 中设置letsencrypt ['enable'] = false以禁用集成。否则证书可能会因续订而被覆盖。”
【讨论】:
以上是关于子域验证中的 Gitlab ssl 失败的主要内容,如果未能解决你的问题,请参考以下文章