Configuring internal-network HTTPS when deploying GitLab with Docker
I. Generate a self-signed certificate
Create the configuration file openssl.conf
```ini
[req]
distinguished_name = req_distinguished_name
req_extensions = v5_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN # country
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = BEIJING
localityName = Locality Name (eg, city)
localityName_default = BEIJING
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = MYORG
commonName = TEST # change this to your domain name or IP
commonName_max = 64
emailAddress = test@163.com

[v5_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
subjectAltName = @alt_names

[alt_names]
# Add domain names and IPs here; the LAN IP of the HTTPS server is enough.
# Several IPs can be listed; if you only need one, delete the others.
IP.1 = 192.168.0.11
IP.2 = 127.0.0.1
```
Generate the certificate
```shell
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key -config openssl.conf
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt -extensions v5_req -extfile openssl.conf
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "server"
```
I found a shell script online that generates the certificate files, but I only came across it while writing this article, so I have not tried it.

```shell
#!/bin/bash
# create self-signed server certificate:
# (shebang changed from /bin/sh to bash: `read -p` is a bash feature, not POSIX sh)
read -p "Enter your hostname or IP : " DOMAIN
echo "Create server key..."
# NOTE: 1024-bit RSA is weak by today's standards; the commands above use 2048
openssl genrsa -des3 -out $DOMAIN.key 1024
echo "Create server certificate signing request..."
SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"
openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr
echo "Remove password..."
mv $DOMAIN.key $DOMAIN.origin.key
openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key
echo "Sign SSL certificate..."
openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt
echo "TODO:"
echo "Copy $DOMAIN.crt to /home/data/Gitlab/config/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /home/data/Gitlab/config/ssl/$DOMAIN.key"
echo "Add nginx configuration in /home/data/Gitlab/config/gitlab.rb"
```

Run the script with bash. Step 1 asks for the domain name or IP address; step 2 asks for a password of at least four characters, which you are then asked to confirm.
For how to use the server.p12 file, see https://blog.csdn.net/z2926781/article/details/119675720; it is not used in what follows.
II. Modify the configuration files
```shell
# Create the ssl directory and move server.crt and server.key into it
cd /etc/gitlab
mkdir ssl
mv /opt/server.crt /etc/gitlab/ssl/
mv /opt/server.key /etc/gitlab/ssl/
```
Edit the gitlab.rb file

```shell
vim /etc/gitlab/gitlab.rb
```
```ruby
external_url 'https://192.168.0.11:5443'
nginx['ssl_certificate'] = "/etc/gitlab/ssl/server.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/server.key"
# The following redirects HTTP to HTTPS; leave it out if you do not need it
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
nginx['listen_port'] = 443 # Docker deployment: this is the port inside the container
```
Run `gitlab-ctl reconfigure` for the changes to take effect.
III. Problems encountered
1. The browser reports the site as not secure
Copy the server.crt file out, double-click it, and click Next all the way through to install it.
2. git clone reports "setting certificate verify locations:"
There are two ways to fix it:
Option 1: tell git which certificate to verify against
```shell
git config --system http.sslcainfo "E:\server.crt"
```
Option 2: disable certificate verification
```shell
git config --system http.sslverify false
```
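The checks a browser or git performs on the certificate from section I, as an added Go example that is not part of the original post: it builds a self-signed certificate with the same shape as openssl.conf (CA:FALSE, IP SANs 192.168.0.11 and 127.0.0.1) and runs X.509 verification against an empty trust store (the "not secure" / "certificate verify locations" situation), against a store holding that certificate (what installing server.crt or option 1 achieves), and for an IP that is missing from the SAN. The function names and the ECDSA key are assumptions of this example, not the page's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSignedIPCert builds a self-signed leaf certificate shaped like the
// page's openssl.conf: CA:FALSE and a subjectAltName holding the LAN IPs.
func selfSignedIPCert(ips []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumption: ECDSA instead of RSA
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "TEST", OrganizationalUnit: []string{"MYORG"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(3650 * 24 * time.Hour), // -days 3650
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // emits basicConstraints = CA:FALSE
	}
	for _, ip := range ips { // IP.1, IP.2, ... from the [alt_names] section
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs runs the check a browser or git performs when connecting to host:
// chain building against a trust store, then matching host against the SAN.
// trusted=false is the store before server.crt was installed, trusted=true after.
func verifyAs(cert *x509.Certificate, host string, trusted bool) error {
	pool := x509.NewCertPool() // empty: nothing installed yet
	if trusted {
		pool.AddCert(cert)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

Only the trusted store with a matching IP SAN verifies; the untrusted store fails with an unknown-authority error and a different IP fails the hostname check, which is why installing the certificate (not disabling verification) is the right fix.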
Just when I thought it was finally solved, the same error appeared again when Jenkins pulled code from GitLab. If Jenkins is deployed on bare metal, it can be fixed with the method above. But because Jenkins runs in Docker, the git configuration file that Jenkins uses has to be edited:
```shell
vim /etc/gitconfig
```

```ini
[http]
    sslVerify = false
```
The location of the gitconfig file is not fixed; on a bare-metal deployment it seems to live in ~/.gitconfig, so you need to look for it. That is the end of the problem. Congratulations, it finally works!