How do I use Let's Encrypt with GitLab?
Question
I started looking into SSL certificates when I stumbled upon Let's Encrypt, and I wanted to use it with GitLab. However, it is running on a Raspberry Pi 2 and it runs quite perfectly now (so I don't want to mess anything up). How would I go about installing a Let's Encrypt SSL certificate properly? PS: my installation is Omnibus.
Answer
There are two ways, depending on your infrastructure setup (Raspberry Pi, big cloud server, or something in between):
If you have an externally accessible server (meaning your GitLab host is reachable from the Let's Encrypt servers, which is needed for Let's Encrypt's automatic mechanism of verifying that you "own" a certain domain like gitlab.yoursite.com, plus the corresponding DNS-resolved server/host), the only thing needed (from GitLab version 10.7 on) is to add an s to the http in your GitLab URL configuration in /etc/gitlab/gitlab.rb (as marcolz already mentioned):
external_url 'https://gitlab.yoursite.com'
From the docs at https://docs.gitlab.com/omnibus/settings/ssl.html#let-39-s-encrypt-integration:
Omnibus-gitlab can automatically fetch and renew certificates from Let's Encrypt for you.
If your GitLab host is not externally accessible by the Let's Encrypt servers, the whole process is much harder! You'll then leave the nice automatic way of letting GitLab Omnibus do the heavy lifting for you. You definitely need to fetch the Let's Encrypt certificates on your own now. There are some ways to fetch Let's Encrypt certificates without the need for an externally accessible server.
The one I chose and would recommend is to use the alternative Let's Encrypt client dehydrated together with dns-lexicon to fully automate the process of obtaining the certificates with the Let's Encrypt dns-challenge, which was introduced somewhere in 2016. This is the only way where you don't need an externally accessible server, but you again need to "own" a certain domain like gitlab.yoursite.com AND you need API access to the DNS provider which hosts your domain (here's a list of supported DNS providers in that case).
As the whole process is quite complex, I created a fully comprehensible Ansible playbook prepare-gitlab.yml where every step of the GitLab installation with Omnibus is handled for you (full GitHub sources are available here: https://github.com/jonashackt/gitlab-ci-stack).
If you only want to create the Let's Encrypt certificates, have a look into obtain-letsencrypt-certs-dehydrated-lexicon.yml. Even if you don't want to use Ansible, you can manually reproduce every step on the console or use another automation tool like Chef or Saltstack (although I can't recommend that personally). Another way would be to have a look at this great blog post from the lexicon guys: https://blog.thesparktree.com/generating-intranet-and-private-network-ssl; I basically developed the playbook from the steps described there.
Either way you choose, don't forget to copy the manually (or automatically) fetched Let's Encrypt certificates from
/srv/dehydrated/certs/{{ gitlab_domain }}/fullchain.pem
to
/etc/gitlab/ssl/{{ gitlab_domain }}.crt
and
/srv/dehydrated/certs/{{ gitlab_domain }}/privkey.pem
to
/etc/gitlab/ssl/{{ gitlab_domain }}.key
GitLab will pick them up from there automatically for you, as the docs state in the way to manually configure HTTPS.
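The copy step at the end of the answer is where a manual setup usually goes wrong: a chain installed next to the wrong key, or a certificate that dehydrated failed to renew, only shows up when nginx refuses to start or browsers start complaining. The script below is an added example written for this page; it is not from the answer, the playbook, or the GitLab project. It checks with openssl that fullchain.pem and privkey.pem belong together and that the certificate is not about to expire, then installs them under the names GitLab expects. The domain, the source directory, the 30-day threshold and the optional third argument (target directory, defaulting to /etc/gitlab/ssl) are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not part of the original answer or of GitLab): verify and
# install Let's Encrypt certificates fetched by dehydrated into the directory
# Omnibus GitLab reads by default (/etc/gitlab/ssl/<domain>.crt and .key).
# Requires openssl; run as root on the GitLab host.
set -eu

# Returns 0 if the public key inside the certificate equals the public key
# derived from the private key; works for RSA and ECDSA keys alike.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if the certificate is still valid for at least $2 seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# install_gitlab_cert DOMAIN SRC_DIR [DST_DIR]
# SRC_DIR is the dehydrated output directory for DOMAIN (assumed layout:
# fullchain.pem + privkey.pem, as in the answer). Refuses to install a
# mismatched pair or a certificate with less than 30 days left.
install_gitlab_cert() {
    domain="$1"; src="$2"; dst="${3:-/etc/gitlab/ssl}"
    cert="$src/fullchain.pem"; key="$src/privkey.pem"
    cert_matches_key "$cert" "$key" \
        || { echo "certificate and key for $domain do not match" >&2; return 1; }
    cert_valid_for "$cert" $((30 * 24 * 3600)) \
        || { echo "certificate for $domain expires within 30 days" >&2; return 1; }
    mkdir -p "$dst"
    chmod 700 "$dst"
    # The chain is public; the key must be readable by root only.
    install -m 0644 "$cert" "$dst/$domain.crt"
    install -m 0600 "$key" "$dst/$domain.key"
    echo "installed $dst/$domain.crt and $dst/$domain.key"
}

# Script usage: install-gitlab-cert.sh gitlab.yoursite.com /srv/dehydrated/certs/gitlab.yoursite.com
# Afterwards run: gitlab-ctl reconfigure   (or gitlab-ctl hup nginx to reload nginx only)
if [ "$#" -ge 2 ]; then
    install_gitlab_cert "$@"
fi
```

Two caveats for the manual path that the answer leaves implicit: since you are supplying the files yourself, set `letsencrypt['enable'] = false` in /etc/gitlab/gitlab.rb so Omnibus does not also attempt its own HTTP-01 challenge against a host that is not reachable from the internet; and hook this script into dehydrated's renewal (a cron job or its deploy hook) followed by a reload of nginx, otherwise the certificate under /etc/gitlab/ssl silently goes stale about 90 days after the first copy.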