Author Topic: [git] add Let's Encrypt SSL Cert to gitlab on CentOS7, with auto-renew  (Read 4989 times)


netman
Ref:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

Purpose: to add Let's Encrypt SSL Cert to gitlab, with auto-renew.

Steps:

sudo su -
gitlab-ctl stop
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt/
./letsencrypt-auto certonly --standalone
cp /etc/letsencrypt/archive/gitlab.example.com/fullchain1.pem /etc/pki/ca-trust/source/anchors/
cp /etc/letsencrypt/archive/gitlab.example.com/chain1.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust
mkdir -p /etc/gitlab/ssl
cp /etc/letsencrypt/archive/gitlab.example.com/chain1.pem /etc/gitlab/ssl/ca.crt
cp /etc/letsencrypt/archive/gitlab.example.com/fullchain1.pem /etc/gitlab/ssl/gitlab.example.com.crt
cp /etc/letsencrypt/archive/gitlab.example.com/privkey1.pem /etc/gitlab/ssl/gitlab.example.com.key
chmod 600 /etc/gitlab/ssl/gitlab.example.com.key
vim /etc/gitlab/gitlab.rb
Code:
external_url 'https://gitlab.example.com'
...
nginx['redirect_http_to_https'] = true
nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # Most root CA's are included by default
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.example.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.example.com.key"
...
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known {\n allow all;\n}\n"
...
gitlab-ctl start
gitlab-ctl reconfigure # to make sure everything is OK
gitlab-ctl restart
cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/le-renew-webroot.ini
vim /usr/local/etc/le-renew-webroot.ini
Code:
rsa-key-size = 4096
email = root@example.com
domains = gitlab.example.com
webroot-path = /opt/gitlab/embedded/service/gitlab-rails/public
cd /opt/letsencrypt/
./letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini # to make sure it works fine!
curl -L -o /usr/local/sbin/le-renew-webroot https://gist.githubusercontent.com/thisismitch/e1b603165523df66d5cc/raw/fbffbf358e96110d5566f13677d9bd5f4f65794c/le-renew-webroot
vim /usr/local/sbin/le-renew-webroot
Code:
#!/bin/bash

date

web_service='nginx'
config_file="/usr/local/etc/le-renew-webroot.ini"
...
chmod +x /usr/local/sbin/le-renew-webroot
le-renew-webroot # to make sure the result is as expected
vim /etc/cron.d/le-renew-webroot
Code:
30 2 * * 1 root /usr/local/sbin/le-renew-webroot >> /var/log/le-renewal.log
« Last edited: 2016-02-06 00:37 by netman »
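The post copies the certificate files from /etc/letsencrypt/archive/<domain>/*1.pem into /etc/gitlab/ssl once, and the renewal script it downloads only re-runs the webroot challenge and reloads a system nginx. Each renewal writes new archive files (fullchain2.pem, fullchain3.pem, ...), so the copies in /etc/gitlab/ssl would keep serving the old, eventually expired, chain. The script below is an added example and is not part of the original post, the DigitalOcean gist, or GitLab's own tooling. It reads from /etc/letsencrypt/live/<domain>/, where the Let's Encrypt client keeps symlinks to the newest archive files, installs them under the same names the post uses in gitlab.rb, keeps the private key at mode 0600, and reloads only the nginx bundled with GitLab Omnibus. The function names, the `run` argument convention and the choice of `gitlab-ctl hup nginx` for the reload are this example's own assumptions; the ini file, webroot path and `letsencrypt-auto` invocation are the ones from the post.

```shell
#!/bin/bash
# Added example (not from the original post): renew the Let's Encrypt cert for a
# GitLab Omnibus install via the webroot challenge, then copy the renewed files
# into /etc/gitlab/ssl and reload the bundled nginx. Function names and the
# "run" argument are assumptions of this example; paths follow the post.
set -u

DOMAIN="gitlab.example.com"
LE_LIVE="/etc/letsencrypt/live/$DOMAIN"      # symlinks to the newest archive/*N.pem
GITLAB_SSL="/etc/gitlab/ssl"
CONFIG="/usr/local/etc/le-renew-webroot.ini"  # ini from the post (domain, webroot-path, ...)

# Copy a certificate chain and key from a live dir into the GitLab ssl dir,
# using the file names referenced by gitlab.rb in the post.
# Arguments: <source dir> <destination dir> <domain>
# Refuses to touch the destination when any source file is missing or empty,
# so a half-written or failed renewal can never replace a working chain.
install_cert() {
  src="$1"; dst="$2"; dom="$3"
  for f in fullchain.pem chain.pem privkey.pem; do
    [ -s "$src/$f" ] || { echo "missing or empty $src/$f" >&2; return 1; }
  done
  mkdir -p "$dst"
  cp "$src/chain.pem"     "$dst/ca.crt"
  cp "$src/fullchain.pem" "$dst/$dom.crt"
  cp "$src/privkey.pem"   "$dst/$dom.key"
  chmod 600 "$dst/$dom.key"            # private key: owner-only
  chmod 644 "$dst/ca.crt" "$dst/$dom.crt"
  return 0
}

# Octal mode of a file (GNU stat first, BSD stat as fallback); used to check
# that the installed key really is 0600.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Full renewal run. The webroot challenge is answered through the /.well-known
# location the post adds to gitlab.rb. Install and reload happen only if the
# client exits successfully, so a failed renewal leaves the old files in place.
renew_and_install() {
  ( cd /opt/letsencrypt && \
    ./letsencrypt-auto certonly -a webroot --renew-by-default --config "$CONFIG" ) || return 1
  install_cert "$LE_LIVE" "$GITLAB_SSL" "$DOMAIN" || return 1
  gitlab-ctl hup nginx                  # reload the Omnibus nginx, no full restart
}

# Invoked from cron as: /usr/local/sbin/le-renew-gitlab run >> /var/log/le-renewal.log
case "${1:-}" in
  run) date; renew_and_install ;;
esac
```

With this in place the cron entry from the post can call the script with the `run` argument instead of `le-renew-webroot`; because the chain and key are only replaced after a successful renewal and the key is re-locked to 0600 on every copy, a renewal failure shows up in the log rather than as a broken GitLab.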