本文介绍了如何使用gitlab加密?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

当我偶然发现让我们加密时,我开始寻找ssl证书,我想将它与gitlab一起使用,但是事实是在raspberry pi 2上运行,并且现在运行得非常完美(因此我不想弄乱任何东西),他会去正确安装一个let加密ssl证书吗?PS:我的安装是综合

I started to look in to ssl certificates when I stumbled upon let's encrypt, and I wanted to use it with gitlab, however being that it is running on a raspberry pi 2 and its running quite perfectly now (so I dont want to mess anything up), he would I go about installing a lets encrypt ssl certificate properly?PS: My installation is omnibus

推荐答案

有两种方法,具体取决于您的基础架构设置(Raspi,大型云服务器或介于两者之间):

There are 2 ways depending on your infrastructure setup (Raspi, big Cloud server or something in between):

  1. 如果您有一个可外部访问的服务器(表示您可以从Let´s Encrypt服务器中调用您的Gitlab主机,这对于Let´s Encrypt的自动验证机制来说是必需的您拥有"一个特定的域,例如gitlab.yoursite.com和相应的DNS解析的服务器/主机)唯一需要的(从Gitlab版本10.7开始)是添加一个 s 转到/etc/gitlab/gitlab.rb中Gitlab URL配置中的 http (如已经提到的 marcolz ) :

  1. If you have an externally accessible Server (means your Gitlab host is callable from the Let´s Encrypt servers, which is needed for Let´s Encrypt´s automatic mechanism of verifying that you "own" a certain domain like gitlab.yoursite.com and the corresponding and DNS resolved server/host) the only thing needed (from Gitlab version 10.7 on) is to add an s to the http in your Gitlab URL configuration in /etc/gitlab/gitlab.rb (as marcolz already mentioned):

external_url 'https://gitlab.yoursite.com'

来自 https://中的文档docs.gitlab.com/omnibus/settings/ssl.html#let-39-s-encrypt-integration :

  1. 如果Let's Encrypt服务器无法从外部访问您的Gitlab主机,那么整个过程将变得更加困难!然后,您将留下让Gitlab Omnibus为您完成繁重工作的好方法. 您肯定需要立即自己获取Let's Encrypt证书!有一些方法无需外部访问服务器即可获取Let´s Encrypt证书.

  1. If your Gitlab host is not externally accessible by the Let´s Encrypt servers, the whole process is much harder! You´ll then leave the nice automatic way of letting Gitlab Omnibus do the heavy lifting for you. You definitely need to fetch the Let´s Encrypt certificates on your own now! There are some ways to fetch Let´s Encrypt certificates without the need for an externally accessible server.

我选择并建议的方法是使用替代的Let's Encrypt客户端脱水 dns-lexicon 来完全自动化获取证书以及Let's Encrypt dns-challenge的过程,它是在2016年某个地方引入的.这是唯一的方法,您不需要外部可访问的服务器-但您又需要拥有"某个域,例如gitlab.yoursite.com AND ,您需要对DNS提供商的API访问权,该DNS提供商托管您的域(此处受支持的列表DNS提供商).

The one I choose and would recommend is to use the alternative Let´s Encrypt client dehydrated together with the dns-lexicon to fully automate the process of obtaining the certificates together with the Let´s Encrypt dns-challenge, which was introduced somewhere in 2016. This is the only way, where you don´t need an externally accessible server - but you again need to "own" a certain domain like gitlab.yoursite.com AND you need API access to the DNS provider, which hosts your domain (here´s a list of supported DNS providers in that case).

由于整个过程非常复杂,因此我创建了一个完全可理解的 Ansible 剧本 prepare-gitlab.yml ,其中处理了使用Omnibus安装Gitlab的每一步为您服务(完整的GitHub资源可在此处找到: https://github.com/jonashackt/gitlab-ci -stack ).

As the whole process is quite complex I created a fully comprehensible Ansible playbook prepare-gitlab.yml where every step of the Gitlab installation with Omnibus is handled for you (full GitHub sources are available here: https://github.com/jonashackt/gitlab-ci-stack).

如果您只想创建Let's Encrypt证书,请查看获取-letsencrypt-certs-dehydrated-lexicon.yml -即使您不想使用Ansible,也可以在控制台上手动重现每个步骤或使用Chef或Saltstack之类的其他自动化工具(尽管我个人不建议这样做).另一种方法是看一下词典专家的这篇很棒的博客文章: https://blog.thesparktree.com/generating-intranet-and-private-network-ssl ,这些描述的步骤基本上是我从中开发剧本的.

If you only want to create the Let´s Encrypt certificates, have a look into obtain-letsencrypt-certs-dehydrated-lexicon.yml - even if you don´t want to use Ansible, you can also manually reproduce every step on the console or use another automation tool like Chef or Saltstack (although I can´t recommend that personally). Another way would be to have a look onto this great blogpost from the lexicon guys: https://blog.thesparktree.com/generating-intranet-and-private-network-ssl, from those described steps I basically developed the playbook from.

无论选择哪种方式,请不要忘记手动(或自动)复制从

Either way you choose, don´t forget to copy the manually (or automatically) fetched Let´s Encrypt certificates from

/srv/dehydrated/certs/{{ gitlab_domain }}/fullchain.pem

/etc/gitlab/ssl/{{ gitlab_domain }}.crt

/srv/dehydrated/certs/{{ gitlab_domain }}/privkey.pem

/etc/gitlab/ssl/{{ gitlab_domain }}.key

Gitlab会为您自动从那里获取它们,因为文档在手动配置HTTPS的方式

Gitlab will pick them up from there automatically for you, as the docs state in the way to manually configure HTTPS

这篇关于如何使用gitlab加密?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-06 04:29