In the previous tutorial I replaced the certificate. I didn't expect two months to pass so quickly, and now it has to be replaced again.
Previous article: https://blog.csdn.net/qq_33317586/article/details/84854582
This time I'll simply issue and keep the certificate on the GitLab host itself.
I referred to this article: https://async.sh/2016/12/10/use-acme-sh-add-https-support-to-gitlab/
but ran into some problems, so here is the hands-on walkthrough:
Generating the certificate the way that tutorial describes fails. After reading the config file and searching around, the webroot directory really is /opt/gitlab/embedded/service/gitlab-rails/public
but it still fails, with "no response" and the like:
Later I found this document, which says GitLab's bundled nginx redirects requests for .well-known elsewhere:
https://wiki.archlinux.org/index.php/Gitlab_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)
Checking GitLab's nginx config file confirms this:
So the webroot used for issuing the certificate has to match that location:
root@xxxxx-gitlab1:~/.acme.sh# ./acme.sh --issue -d gitlab.x.xxxxx.com -w /var/www/letsencrypt
[Sat Feb 9 10:36:46 CST 2019] Creating domain key
[Sat Feb 9 10:36:46 CST 2019] The domain key is here: /root/.acme.sh/gitlab.x.xxxxx.com/gitlab.x.xxxxx.com.key
[Sat Feb 9 10:36:46 CST 2019] Single domain='gitlab.x.xxxxx.com'
[Sat Feb 9 10:36:46 CST 2019] Getting domain auth token for each domain
[Sat Feb 9 10:36:46 CST 2019] Getting webroot for domain='gitlab.x.xxxxx.com'
[Sat Feb 9 10:36:46 CST 2019] Getting new-authz for domain='gitlab.x.xxxxx.com'
[Sat Feb 9 10:36:50 CST 2019] The new-authz request is ok.
[Sat Feb 9 10:36:51 CST 2019] Verifying:gitlab.x.xxxxx.com
[Sat Feb 9 10:36:57 CST 2019] Success
[Sat Feb 9 10:36:57 CST 2019] Verify finished, start to sign.
[Sat Feb 9 10:37:00 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
[Sat Feb 9 10:37:00 CST 2019] Your cert is in /root/.acme.sh/gitlab.x.xxxxx.com/gitlab.x.xxxxx.com.cer
[Sat Feb 9 10:37:00 CST 2019] Your cert key is in /root/.acme.sh/gitlab.x.xxxxx.com/gitlab.x.xxxxx.com.key
[Sat Feb 9 10:37:02 CST 2019] The intermediate CA cert is in /root/.acme.sh/gitlab.x.xxxxx.com/ca.cer
[Sat Feb 9 10:37:02 CST 2019] And the full chain certs is there: /root/.acme.sh/gitlab.x.xxxxx.com/fullchain.cer
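A preflight check I would run before acme.sh --issue (example script added here, not from the original post or from acme.sh): it plants a throwaway token under the webroot and fetches it over plain HTTP, which is exactly what Let's Encrypt's HTTP-01 validation does, so a webroot that GitLab's nginx does not actually serve from shows up immediately instead of as an unexplained "no response". The host gitlab.example.com is a placeholder and the FETCH_CMD override is an assumption for substituting another HTTP client.

```shell
#!/bin/sh
# Preflight for acme.sh HTTP-01 issuance behind GitLab's bundled nginx.
# GitLab's nginx serves /.well-known/ from /var/www/letsencrypt rather than the
# Rails public directory, so the token must land there or validation gets no response.
# Placeholders (not from the post): gitlab.example.com; FETCH_CMD may be overridden
# with another HTTP client.
set -eu

DOMAIN="${DOMAIN:-gitlab.example.com}"       # placeholder host
WEBROOT="${WEBROOT:-/var/www/letsencrypt}"   # where GitLab's nginx maps /.well-known/
FETCH_CMD="${FETCH_CMD:-curl -fsS --max-time 10}"

# File that acme.sh -w "$webroot" would write for a given challenge token.
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# URL the ACME server fetches for that token: HTTP-01 is always plain http on port 80.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Plant a random token in the webroot, fetch it through the public URL, compare.
# Returns 0 when the round trip yields the token, 1 otherwise (wrong webroot,
# missing nginx location block, port 80 blocked, ...).
probe_webroot() {
    domain="$1"; webroot="$2"
    token="preflight-$(date +%s)-$$"
    path=$(challenge_path "$webroot" "$token")
    url=$(challenge_url "$domain" "$token")
    mkdir -p "$(dirname "$path")"
    printf '%s' "$token" > "$path"
    got=$($FETCH_CMD "$url" 2>/dev/null || true)
    rm -f "$path"
    if [ "$got" = "$token" ]; then
        echo "OK: $url is served from $webroot; safe to run acme.sh --issue -w $webroot"
        return 0
    fi
    echo "FAIL: $url did not return the token written to $path" >&2
    echo "      check the location /.well-known block in GitLab's nginx config" >&2
    return 1
}

# Run the probe only when invoked explicitly: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    probe_webroot "$DOMAIN" "$WEBROOT"
fi
```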
Then install the certificate:
The certificate paths are configured in /etc/gitlab/gitlab.rb
Note that the command to restart nginx here must be gitlab-ctl restart nginx
The next renewal is simple:
#acme.sh --renew -d gitlab.x.xxxxx.com --force
#acme.sh --install-cert \
-d gitlab.x.xxxxx.com \
--key-file /etc/letsencrypt/live/gitlab.x.xxxxx.com/privkey.pem \
--fullchain-file /etc/letsencrypt/live/gitlab.x.xxxxx.com/fullchain.pem \
--reloadcmd "gitlab-ctl restart nginx"