By default, omnibus-gitlab does not enable HTTPS. If we want to enable HTTPS for the domain test.gitlab.net, we need to obtain a valid certificate for GitLab. If GitLab is used only inside our organization, we can simply build our own CA and use it to issue a certificate for this GitLab instance.
2.3.1. Building our own CA
root@test1:~# mkdir -pv /etc/ssl/demoCA/{private,newcerts}
mkdir: 已创建目录 "/etc/ssl/demoCA"
mkdir: 已创建目录 "/etc/ssl/demoCA/private"
mkdir: 已创建目录 "/etc/ssl/demoCA/newcerts"
root@test1:~# cd /etc/ssl
root@test1:/etc/ssl# (umask 077;openssl genrsa -out ./demoCA/private/cakey.pem 2048) # generate the CA private key
Generating RSA private key, 2048 bit long modulus
................................................................+++
......................+++
e is 65537 (0x10001)
root@test1:/etc/ssl# openssl req -new -x509 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -days 3650 # generate the self-signed CA certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ChongQing
Locality Name (eg, city) []:YuBei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SJKJ
Organizational Unit Name (eg, section) []:Operation Services
Common Name (e.g. server FQDN or YOUR name) []:test.gitlab.net # this is the CA's name; it does not have to match GitLab's domain
Email Address []:admin@admin.com
root@test1:/etc/ssl# touch ./demoCA/index.txt
root@test1:/etc/ssl# echo 01 > ./demoCA/serial
2.3.2. Requesting a certificate for GitLab and having the CA issue it
root@test1:~# ls /etc/gitlab/
gitlab.rb gitlab.rb.bak gitlab-secrets.json
# GitLab looks for the key file and certificate file in "/etc/gitlab/ssl", and both files must be named after the domain used to reach GitLab, which here is "test.gitlab.net"
root@test1:~# mkdir -p /etc/gitlab/ssl # this directory path must not be changed
root@test1:~# cd /etc/gitlab/ssl
root@test1:/etc/gitlab/ssl# (umask 077;openssl genrsa -out test.gitlab.net.key 1024)
Generating RSA private key, 1024 bit long modulus
.....................++++++
.................................++++++
e is 65537 (0x10001)
root@test1:/etc/gitlab/ssl# ls
test.gitlab.net.key
root@test1:/etc/gitlab/ssl# openssl req -new -key test.gitlab.net.key -out test.gitlab.net.csr # generate the certificate signing request (no -x509: that flag would produce a self-signed certificate instead of a CSR)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ChongQing
Locality Name (eg, city) []:YuBei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SJKJ
Organizational Unit Name (eg, section) []:Operation Services
Common Name (e.g. server FQDN or YOUR name) []:test.gitlab.net
Email Address []:test@admin.com
A challenge password []: # press Enter
An optional company name []: # press Enter
root@test1:/etc/gitlab/ssl# ls
test.gitlab.net.csr test.gitlab.net.key
root@test1:/etc/gitlab/ssl# openssl ca -in test.gitlab.net.csr -out test.gitlab.net.crt -days 3650 # have the CA sign the certificate
Using configuration from /usr/lib/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
140185766790800:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./demoCA/private/cakey.pem','r')
140185766790800:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load CA private key
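As an added example (not code from the post or from GitLab), here is the same CA build and certificate issuance done non-interactively in a temporary directory, with a self-contained config whose `dir` is absolute so that `openssl ca` no longer depends on the working directory (the error above is the default relative `./demoCA` path from openssl.cnf being resolved from /etc/gitlab/ssl instead of /etc/ssl). It generates the CSR without `-x509`, uses 2048-bit keys throughout (1024-bit RSA is below current recommendations), adds a subjectAltName for the host, and then checks that the issued certificate chains to the CA, names the host, and matches the private key. The function name `issue_and_verify`, the `ca.cnf` layout and the `Internal CA` subject are assumptions of this example.

```shell
# Added example (not the post's own code): redo the post's CA + server-cert issuance
# non-interactively in a temp dir, then verify it. Names below are hypothetical.
set -eu
# issue_and_verify FQDN -> prints the work dir; exits non-zero if any step or check fails
issue_and_verify() {
  fqdn=$1; work=$(mktemp -d); ca="$work/demoCA"
  mkdir -p "$ca/private" "$ca/newcerts"
  touch "$ca/index.txt"; echo 01 > "$ca/serial"
  # Absolute 'dir' so 'openssl ca' works from any CWD (the post's final error is
  # the default relative ./demoCA path evaluated from /etc/gitlab/ssl)
  cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
  (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" -days 3650 -subj "/CN=Internal CA" -config "$work/ca.cnf"
  (umask 077; openssl genrsa -out "$work/$fqdn.key" 2048 2>/dev/null)
  # No -x509 here: with it, 'req' emits a self-signed cert instead of a CSR
  openssl req -new -key "$work/$fqdn.key" -out "$work/$fqdn.csr" -subj "/CN=$fqdn" -config "$work/ca.cnf"
  openssl ca -batch -config "$work/ca.cnf" -extensions server_ext -days 3650 -in "$work/$fqdn.csr" -out "$work/$fqdn.crt" >/dev/null 2>&1
  openssl verify -CAfile "$ca/cacert.pem" "$work/$fqdn.crt" >/dev/null   # chains to our CA
  openssl x509 -in "$work/$fqdn.crt" -noout -checkhost "$fqdn" | grep -q "does match"   # SAN names the host
  [ "$(openssl x509 -in "$work/$fqdn.crt" -noout -modulus)" = "$(openssl rsa -in "$work/$fqdn.key" -noout -modulus)" ]   # key matches cert
  echo "$work"
}
```

Run `issue_and_verify test.gitlab.net`; on a real server the resulting `.key` and `.crt` are what go into /etc/gitlab/ssl under the names the post describes.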