How do I use Let's Encrypt with GitLab?

Question

I started to look into SSL certificates when I stumbled upon Let's Encrypt, and I wanted to use it with GitLab; however, since it is running on a Raspberry Pi 2 and it's running quite perfectly now (so I don't want to mess anything up), how would I go about installing a Let's Encrypt SSL certificate properly? PS: My installation is Omnibus.

Accepted answer

There are two ways, depending on your infrastructure setup (Raspberry Pi, big cloud server, or something in between):

  1. If you have an externally accessible server (meaning your GitLab host is reachable from the Let's Encrypt servers, which is needed for Let's Encrypt's automatic mechanism of verifying that you "own" a certain domain like gitlab.yoursite.com and the corresponding DNS-resolved server/host), the only thing needed (from GitLab version 10.7 on) is to add an s to the http in your GitLab URL configuration in /etc/gitlab/gitlab.rb (as marcolz already mentioned):

external_url 'https://gitlab.yoursite.com'

From the docs at https://docs.gitlab.com/omnibus/settings/ssl.html#let-39-s-encrypt-integration:

Omnibus-gitlab can automatically fetch and renew certificates from Let's Encrypt for you.

  2. If your GitLab host is not externally accessible by the Let's Encrypt servers, the whole process is much harder! You'll then leave the nice automatic way of letting GitLab Omnibus do the heavy lifting for you. You definitely need to fetch the Let's Encrypt certificates on your own now! There are some ways to fetch Let's Encrypt certificates without the need for an externally accessible server.

The one I chose and would recommend is to use the alternative Let's Encrypt client dehydrated together with dns-lexicon to fully automate the process of obtaining the certificates via the Let's Encrypt dns-challenge, which was introduced somewhere in 2016. This is the only way where you don't need an externally accessible server, but you again need to "own" a certain domain like gitlab.yoursite.com AND you need API access to the DNS provider which hosts your domain (here's a list of supported DNS providers in that case).

As the whole process is quite complex, I created a fully comprehensible Ansible playbook prepare-gitlab.yml where every step of the GitLab installation with Omnibus is handled for you (full GitHub sources are available here: https://github.com/jonashackt/gitlab-ci-stack).

If you only want to create the Let's Encrypt certificates, have a look at obtain-letsencrypt-certs-dehydrated-lexicon.yml. Even if you don't want to use Ansible, you can also manually reproduce every step on the console or use another automation tool like Chef or SaltStack (although I can't recommend that personally). Another way would be to have a look at this great blog post from the lexicon guys: https://blog.thesparktree.com/generating-intranet-and-private-network-ssl; from those described steps I basically developed the playbook.

Either way you choose, don't forget to copy the manually (or automatically) fetched Let's Encrypt certificates from

/srv/dehydrated/certs/{{ gitlab_domain }}/fullchain.pem to /etc/gitlab/ssl/{{ gitlab_domain }}.crt

/srv/dehydrated/certs/{{ gitlab_domain }}/privkey.pem to /etc/gitlab/ssl/{{ gitlab_domain }}.key

GitLab will pick them up from there automatically for you, as the docs state in the way to manually configure HTTPS.
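The copy step at the end of the answer is easy to forget after every renewal, and a key that does not belong to the certificate only shows up as a failed `gitlab-ctl reconfigure`. The script below is an added example, not code from the original answer or from the gitlab-ci-stack playbook: a dehydrated hook script that, on the `deploy_cert` action dehydrated invokes after a successful issue or renewal (arguments: domain, key file, cert file, full-chain file, chain file, timestamp), checks that the private key matches the certificate, installs both under the names GitLab Omnibus expects in /etc/gitlab/ssl/, and reconfigures GitLab. The `GITLAB_SSL_DIR`, `GITLAB_RECONFIGURE_CMD` and `GITLAB_SSL_SKIP_CHECK` variables are assumptions introduced here so the script can be exercised outside a real GitLab host; the dehydrated hook calling convention is dehydrated's own.

```shell
#!/usr/bin/env bash
# dehydrated hook for GitLab Omnibus (added example, not from the original answer).
# dehydrated runs it as:  hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Point dehydrated at it with HOOK="/path/to/this-script.sh" in its config.

# Overridable for testing (these three variables are assumptions of this example;
# /etc/gitlab/ssl and gitlab-ctl reconfigure are the GitLab Omnibus defaults).
GITLAB_SSL_DIR="${GITLAB_SSL_DIR:-/etc/gitlab/ssl}"
GITLAB_RECONFIGURE_CMD="${GITLAB_RECONFIGURE_CMD:-gitlab-ctl reconfigure}"

# Return 0 when the public key embedded in the certificate equals the public
# part of the private key. Returns 0 without checking when openssl is missing
# or GITLAB_SSL_SKIP_CHECK=1 is set (test environments without openssl).
check_key_matches_cert() {
  local keyfile="$1" certfile="$2" cert_pub key_pub
  if [ "${GITLAB_SSL_SKIP_CHECK:-0}" = "1" ] || ! command -v openssl >/dev/null 2>&1; then
    return 0
  fi
  cert_pub=$(openssl x509 -noout -pubkey -in "$certfile") || return 1
  key_pub=$(openssl pkey -in "$keyfile" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Install FULLCHAINFILE as <domain>.crt and KEYFILE as <domain>.key, then
# reconfigure GitLab so nginx loads the new pair. $3 (leaf cert), $5 (chain)
# and $6 (timestamp) are passed by dehydrated but not needed here.
deploy_cert() {
  local domain="$1" keyfile="$2" fullchainfile="$4"
  if [ ! -r "$keyfile" ] || [ ! -r "$fullchainfile" ]; then
    echo "deploy_cert: missing key or fullchain for $domain" >&2
    return 1
  fi
  if ! check_key_matches_cert "$keyfile" "$fullchainfile"; then
    echo "deploy_cert: private key does not match certificate for $domain, not installing" >&2
    return 1
  fi
  install -d -m 0755 "$GITLAB_SSL_DIR"
  # fullchain (leaf + intermediates) is what GitLab's nginx needs as the .crt;
  # the private key must not be world-readable.
  install -m 0644 "$fullchainfile" "$GITLAB_SSL_DIR/$domain.crt"
  install -m 0600 "$keyfile" "$GITLAB_SSL_DIR/$domain.key"
  $GITLAB_RECONFIGURE_CMD
}

# dehydrated passes the hook action as $1; every other action is a no-op here.
case "${1:-}" in
  deploy_cert) shift; deploy_cert "$@" ;;
  *) : ;;
esac
```

If dns-lexicon's own dehydrated hook already occupies `HOOK=` in your setup (it handles the `deploy_challenge` and `clean_challenge` actions for the DNS challenge), call this script's `deploy_cert` from that hook's `deploy_cert` function rather than replacing it.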
