This is a memo on enabling SSL for the GitLab instance I set up in my local environment here. For reasons of my own, I am issuing a UC server certificate (one that carries subject alternative names) for it.
First, edit openssl.cnf so that a UC server certificate can be issued. The sections to change or add are [ req ], [ v3_req ] and [alt_names]; the alternative names go under alt_names.
$ cd /etc/pki/tls
$ sudo cp openssl.cnf openssl.cnf.orig
$ sudo vi openssl.cnf

[ req ]
req_extensions = v3_req # The extensions to add to a certificate request

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = www1.example.com
DNS.2 = www2.example.com
Generate the server's private key (gitlab.key) and the certificate signing request (gitlab.csr).
$ openssl genrsa 2048 > gitlab.key
Generating RSA private key, 2048 bit long modulus
..........+++
............................................................................................................................................+++
e is 65537 (0x10001)
$ openssl req -new -key gitlab.key > gitlab.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:****
Locality Name (eg, city) [Default City]:****
Organization Name (eg, company) [Default Company Ltd]:****
Organizational Unit Name (eg, section) []:labohyt
Common Name (eg, your name or your server's hostname) []:gitlab.local
Email Address []:****

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Send the CSR to a suitable CA, obtain the certificate (gitlab.crt), and place it together with the private key in a suitable location.
$ sudo mkdir /etc/gitlab/ssl
$ sudo mv gitlab.key /etc/gitlab/ssl/gitlab.key
$ sudo mv gitlab.crt /etc/gitlab/ssl/gitlab.crt
$ cd /etc/gitlab/ssl/
$ sudo chmod 400 gitlab*
$ sudo chown root.root gitlab*
Edit GitLab's configuration file. There are three settings to change.
$ sudo vi /etc/gitlab/gitlab.rb

external_url 'https://gitlab.*****.local'
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key"
Run reconfigure to apply the configuration, restart the GitLab services, and you are done.
$ sudo gitlab-ctl reconfigure
$ sudo gitlab-ctl restart
Note that if the git client reports the error
SSL certificate problem: unable to get local issuer certificate
then either set
git config --global http.sslVerify false
or add the certificate of the CA that signed the server certificate to OpenSSL's list of trusted CAs.
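As an added example (not part of this memo, and not GitLab's or OpenSSL's own tooling), the script below runs the same key, CSR and certificate steps non-interactively in a temporary directory and then performs the checks worth doing before the files go into /etc/gitlab/ssl: that the CSR really carries the subjectAltName entries, that the certificate matches the key, that it verifies for the intended hostname against the CA, and that without the CA file OpenSSL reports exactly the "unable to get local issuer certificate" error quoted above. The CA is a throwaway test CA standing in for the real CA of the memo; the hostnames and file names are constructed for the example, and the git http.sslCAInfo setting is shown as the alternative to http.sslVerify false that keeps verification on. One point the script makes explicit: once a SAN is present, clients match the hostname against the SAN list only, so the name used in external_url must appear in alt_names and not just in the CN.

```shell
#!/bin/sh
# Added example, not from the original memo. All names, paths and the test CA
# are constructed; the real CA of the memo is replaced by a throwaway one.
set -eu

# The req/v3_req/alt_names sections the memo edits into openssl.cnf, written as
# a standalone config so nothing under /etc/pki/tls is touched. gitlab.local is
# both the CN and DNS.1: with a SAN present, clients ignore the CN for matching.
write_san_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
C  = JP
CN = gitlab.local

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = gitlab.local
DNS.2 = www1.example.com
EOF
}

# Server key and CSR, the memo's two commands made non-interactive.
make_key_and_csr() {
    openssl genrsa -out "$1/gitlab.key" 2048 2>/dev/null
    openssl req -new -key "$1/gitlab.key" -config "$1/openssl.cnf" -out "$1/gitlab.csr"
}

# Does the CSR carry the DNS name? If req_extensions is not wired into [ req ],
# the SAN is silently dropped and the CA signs a single-name certificate.
csr_has_dns_name() {
    openssl req -in "$1/gitlab.csr" -noout -text | grep -q "DNS:$2"
}

# Throwaway CA (constructed) standing in for the CA the memo sends the CSR to.
make_test_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Memo Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Sign the CSR. The SAN comes from v3_req in the config file, because
# "x509 -req" does not copy CSR extensions unless told to.
sign_csr() {
    openssl x509 -req -in "$1/gitlab.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/openssl.cnf" -extensions v3_req \
        -out "$1/gitlab.crt" 2>/dev/null
}

# The certificate must belong to the key nginx will load next to it.
cert_matches_key() {
    [ "$(openssl x509 -in "$1/gitlab.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/gitlab.key" -pubout)" ]
}

# Chain plus hostname check. $1 = dir, $2 = hostname, $3 = CA file ("" = none).
# With no CA file OpenSSL fails with "unable to get local issuer certificate",
# the error git shows on a client that does not trust the signing CA.
cert_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -verify_hostname "$2" "$1/gitlab.crt" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath -verify_hostname "$2" "$1/gitlab.crt" >/dev/null 2>&1
    fi
}

# Client-side fix that keeps verification on: point git at the CA certificate
# instead of setting http.sslVerify false. Printed, not applied.
git_trust_command() {
    printf 'git config --global http.sslCAInfo %s\n' "$1"
}

work=$(mktemp -d)
write_san_config "$work"
make_key_and_csr "$work"
csr_has_dns_name "$work" www1.example.com && echo "CSR carries the SAN"
make_test_ca "$work"
sign_csr "$work"
cert_matches_key "$work" && echo "certificate matches key"
cert_verifies "$work" gitlab.local "$work/ca.crt" && echo "verifies for gitlab.local"
cert_verifies "$work" www2.example.com "$work/ca.crt" || echo "www2.example.com is not in the SAN: rejected"
cert_verifies "$work" gitlab.local "" || echo "no CA file: unable to get local issuer certificate"
git_trust_command "$work/ca.crt"
```

Run it with sh; it needs only the openssl command. Each check is a function that returns success or failure, so the same functions can be pointed at real files under /etc/gitlab/ssl before running gitlab-ctl reconfigure.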