How do I use Let's Encrypt with GitLab?


Problem description

I started to look into SSL certificates when I stumbled upon Let's Encrypt, and I wanted to use it with gitlab. However, being that it is running on a Raspberry Pi 2 and it's running quite perfectly now (so I don't want to mess anything up), how would I go about installing a Let's Encrypt SSL certificate properly? PS: My installation is omnibus

Recommended answer

There are 2 ways depending on your infrastructure setup (Raspi, big Cloud server or something in between):

  1. If you have an externally accessible Server (means your Gitlab host is callable from the Let´s Encrypt servers, which is needed for Let´s Encrypt´s automatic mechanism of verifying that you "own" a certain domain like gitlab.yoursite.com and the corresponding and DNS resolved server/host) the only thing needed (from Gitlab version 10.7 on) is to add an s to the http in your Gitlab URL configuration in /etc/gitlab/gitlab.rb (as marcolz already mentioned):

external_url 'https://gitlab.yoursite.com'

From the docs at https://docs.gitlab.com/omnibus/settings/ssl.html#let-39-s-encrypt-integration:

Omnibus-gitlab can automatically fetch and renew certificates from Let's Encrypt for you.

  2. If your Gitlab host is not externally accessible by the Let´s Encrypt servers, the whole process is much harder! You´ll then leave the nice automatic way of letting Gitlab Omnibus do the heavy lifting for you. You definitely need to fetch the Let´s Encrypt certificates on your own now! There are some ways to fetch Let´s Encrypt certificates without the need for an externally accessible server.

The one I choose and would recommend is to use the alternative Let´s Encrypt client dehydrated together with the dns-lexicon to fully automate the process of obtaining the certificates together with the Let´s Encrypt dns-challenge, which was introduced somewhere in 2016. This is the only way, where you don´t need an externally accessible server - but you again need to "own" a certain domain like gitlab.yoursite.com AND you need API access to the DNS provider, which hosts your domain (here´s a list of supported DNS providers in that case).

As the whole process is quite complex I created a fully comprehensible Ansible playbook prepare-gitlab.yml where every step of the Gitlab installation with Omnibus is handled for you (full GitHub sources are available here: https://github.com/jonashackt/gitlab-ci-stack).

If you only want to create the Let´s Encrypt certificates, have a look into obtain-letsencrypt-certs-dehydrated-lexicon.yml - even if you don´t want to use Ansible, you can also manually reproduce every step on the console or use another automation tool like Chef or Saltstack (although I can´t recommend that personally). Another way would be to have a look onto this great blogpost from the lexicon guys: https://blog.thesparktree.com/generating-intranet-and-private-network-ssl, from those described steps I basically developed the playbook from.

Either way you choose, don´t forget to copy the manually (or automatically) fetched Let´s Encrypt certificates from

/srv/dehydrated/certs/{{ gitlab_domain }}/fullchain.pem

to

/etc/gitlab/ssl/{{ gitlab_domain }}.crt

and

/srv/dehydrated/certs/{{ gitlab_domain }}/privkey.pem

to

/etc/gitlab/ssl/{{ gitlab_domain }}.key

Gitlab will pick them up from there automatically for you, as the docs state in the way to manually configure HTTPS
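
The copy step described at the end of the answer, as an added example (not part of the original answer or its playbook). The function name `install_gitlab_cert` is hypothetical, and the restrictive key mode and the staged rename are assumptions about good practice, not something the answer specifies:

```bash
#!/usr/bin/env bash
# Added example: install a dehydrated-issued certificate where Omnibus GitLab
# looks for it. Paths mirror the answer; the function name is hypothetical.

install_gitlab_cert() {
    local src_dir="$1" dest_dir="$2" domain="$3"
    local chain="$src_dir/fullchain.pem" key="$src_dir/privkey.pem"

    # Refuse to touch the live files unless both inputs look like PEM.
    [ -s "$chain" ] && [ -s "$key" ] || { echo "missing $chain or $key" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" || { echo "$chain: no certificate" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || { echo "$key: no private key" >&2; return 1; }

    mkdir -p "$dest_dir" || return 1

    # Stage under temporary names with the final permissions, then rename, so
    # NGINX never reads a half-written file and the key is never world-readable.
    install -m 0644 "$chain" "$dest_dir/.$domain.crt.new" || return 1
    install -m 0600 "$key" "$dest_dir/.$domain.key.new" || { rm -f "$dest_dir/.$domain.crt.new"; return 1; }
    mv -f "$dest_dir/.$domain.key.new" "$dest_dir/$domain.key" &&
    mv -f "$dest_dir/.$domain.crt.new" "$dest_dir/$domain.crt"
}

# Usage on the GitLab host (as root), then reload NGINX so it reads the new files:
#   install_gitlab_cert /srv/dehydrated/certs/gitlab.yoursite.com /etc/gitlab/ssl gitlab.yoursite.com
#   gitlab-ctl hup nginx
if [ "$#" -eq 3 ]; then
    install_gitlab_cert "$@"
fi
```

Because a renewal changes only the file contents and not gitlab.rb, `gitlab-ctl reconfigure` alone does not make NGINX reload the certificate; `gitlab-ctl hup nginx` does.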
