So I’m trying to set up GitLab with HTTPS on my server. Sounds simple right?
Well…
I’m kind of using a self signed certificate. And not necessarily just a self signed certificate either. I have a root certificate installed on my system (running Ubuntu 15.04, both in the /etc/ssl/certs folder and in the ca-certificates.crt file in /etc/ssl/certs. I have an intermediate certificate and a server certificate that I’m using for HTTPS on my server. However, I can’t seem to get OAUTH to work from GitLab CI. After I press authorize from my GitLab account on my server, I get a 500 error that says “We’re sorry, something went wrong.” In the logs, I get this error:
I can’t seem to figure out what is causing this issue. I’m running a certificate chain for the webserver, I get an A on the Qualys SSLLabs Test, the SSL Doctor Ruby application that I’ve been seeing in my search for a solution finds no problems with my certificate chain. At this point, I’m completely clueless as to what may be causing this error. Can anybody help me sort this out?
root@server:~/certs# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..........+++
...........................................+++
e is 65537 (0x10001)
root@server:~/certs#
generate a Certificate Signing Request
root@server:~/certs# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: CU
State or Province Name (full name) [Some-State]:Cuba
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Home Lan
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.edu.cu
Email Address []:
Please enter the following `extra` attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
create a Self-Signed Certificate
root@server:~/certs# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CU/ST=Cuba/O=Home Lan/CN=*.edu.cu
Getting Private key
Enter pass phrase for server.key:
root@server:~/certs#
these files you must copy it to the directory /etc/gitlab/ssl/ with the name of your host; for example, if my gitlab is hosted in gitlab.edu.cu would be like this: /etc/gitlab/ssl/gitlab.edu.cu.key and /etc/gitlab/ssl/gitlab.edu.cu.crt
Thank you for your detailed explanation. So i would like to know if this description has to be extended to create self-signed-certificate for a container installation. I guess, the openssl calls need to be done insise the container, am i right ?
I am using podman kube:
apiVersion: v1
kind: Pod
metadata:
labels:
app: gitlab
name: gitlab
spec:
containers:
- name: gitlab
image: gitlab/gitlab-ce:latest
# run container as root so that the directories created will have the same uid as running user in host
securityContext:
runAsUser: 0
runAsGroup: 0
ports:
- containerPort: 80
hostPort: 8080
- containerPort: 443
hostPort: 8443
- containerPort: 22
hostPort: 2222
volumeMounts:
- mountPath: /etc/gitlab:Z
name: gitlab_config
- mountPath: /var/log/gitlab:Z
name: gitlab_logs
- mountPath: /var/opt/gitlab:Z
name: gitlab_data
volumes:
- name: gitlab_config
hostPath:
path: gitlab/gitlab/config
type: Directory
- name: gitlab_logs
hostPath:
path: gitlab/gitlab/logs
type: Directory
- name: gitlab_data
hostPath:
path: gitlab/gitlab/data
type: Directory
and i guess that i have to run the openssl call inside the container, am i right?