I wanted to enable SSL for the GitLab CI we use at work, but it seems a self-signed certificate can't be used with the GitLab CI Registry.
So let's just do it with Let's Encrypt!
Prerequisites
- GitLab CI is already installed
- The OS is CentOS-based
- The domain is xxxxxx.xxxxxx.jp
Installing the Let's Encrypt setup tool (certbot-auto)
sudo yum install epel-release
cd /usr/local/bin
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x certbot-auto
If you use a self-signed certificate instead of obtaining one from Let's Encrypt, you will run into problems when registering gitlab-ci-multi-runner and when doing docker login / docker push against the GitLab CI Registry.
Creating the server certificate for GitLab CI itself
cd /usr/local/bin
./certbot-auto certonly -a standalone -d xxxxxx.xxxxxx.jp
Creating the server certificate for the GitLab CI Registry (Docker images)
cd /usr/local/bin
./certbot-auto certonly -a standalone -d registry.xxxxxx.xxxxxx.jp
Changing the GitLab CI configuration
/etc/gitlab/gitlab.rb
## GitLab URL
## ! URL on which GitLab will be reachable.
## ! For more details on configuring external_url see:
## ! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
external_url 'https://xxxxxx.xxxxxx.jp'
~
gitlab_rails['time_zone'] = 'Asia/Tokyo'
~
## ! if ssl_verify_client on, verification depth in the client certificates chain
# nginx['ssl_verify_depth'] = "1"
nginx['ssl_certificate'] = "/etc/letsencrypt/live/xxxxxx.xxxxxx.jp/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/xxxxxx.xxxxxx.jp/privkey.pem"
~
################################################################################
## Container Registry settings
## ! Docs: https://docs.gitlab.com/ce/administration/container_registry.html
################################################################################
registry_external_url "https://registry.xxxxxx.xxxxxx.jp"
~
################################################################################
## Registry NGINX
################################################################################
registry_nginx['enable'] = true
registry_nginx['redirect_http_to_https'] = true
registry_nginx['redirect_http_to_https_port'] = 80
registry_nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
registry_nginx['ssl_prefer_server_ciphers'] = "on"
registry_nginx['ssl_certificate'] = "/etc/letsencrypt/live/registry.xxxxxx.xxxxxx.jp/fullchain.pem"
registry_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/registry.xxxxxx.xxxxxx.jp/privkey.pem"
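A consistency check for the two TLS blocks above, added here as an example and not part of the original post: it pulls the quoted settings out of gitlab.rb text and confirms that each URL is https, that the certificate and key of each nginx block sit under the certbot live directory for that URL's hostname (the registry block copied from the main block is a common slip), and that nginx is given fullchain.pem rather than cert.pem, which lacks the intermediate certificate. SAMPLE_GITLAB_RB is a constructed excerpt of the settings shown above.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt mirroring the post's gitlab.rb; unquoted or '#'-commented lines are ignored.
SAMPLE_GITLAB_RB = """
external_url 'https://xxxxxx.xxxxxx.jp'
nginx['ssl_certificate'] = "/etc/letsencrypt/live/xxxxxx.xxxxxx.jp/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/xxxxxx.xxxxxx.jp/privkey.pem"
registry_external_url "https://registry.xxxxxx.xxxxxx.jp"
registry_nginx['enable'] = true
registry_nginx['ssl_certificate'] = "/etc/letsencrypt/live/registry.xxxxxx.xxxxxx.jp/fullchain.pem"
registry_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/registry.xxxxxx.xxxxxx.jp/privkey.pem"
"""

# Matches `external_url '...'` and `nginx['ssl_certificate'] = "..."` style lines.
SETTING_RE = re.compile(r"""^\s*(\w+(?:\['\w+'\])?)\s*=?\s*['"]([^'"]+)['"]""", re.M)
# (URL setting, nginx block prefix) per service; certbot writes each host's files under LIVE_DIR/<host>/.
SERVICES = [("external_url", "nginx"), ("registry_external_url", "registry_nginx")]
LIVE_DIR = "/etc/letsencrypt/live/"


def parse_settings(text):
    """Return a dict of the quoted string settings found in gitlab.rb text."""
    return dict(SETTING_RE.findall(text))


def check_tls_config(text):
    """Return a list of problems; an empty list means both TLS blocks are consistent."""
    settings = parse_settings(text)
    problems = []
    for url_key, prefix in SERVICES:
        url = settings.get(url_key)
        host = urlparse(url).hostname if url else None
        if not url or not url.startswith("https://") or not host:
            problems.append(f"{url_key} must be an https:// URL, got {url!r}")
            continue
        expected_dir = f"{LIVE_DIR}{host}/"
        for suffix, filename in (("ssl_certificate", "fullchain.pem"), ("ssl_certificate_key", "privkey.pem")):
            key = f"{prefix}['{suffix}']"
            path = settings.get(key)
            if path is None:
                problems.append(f"{key} is not set")
            elif not path.startswith(expected_dir):
                # The classic slip: the registry block still pointing at the main host's certificate.
                problems.append(f"{key} is not under {expected_dir}: {path}")
            elif not path.endswith(filename):
                # cert.pem lacks the intermediate; nginx must serve fullchain.pem so clients can verify.
                problems.append(f"{key} should end with {filename}: {path}")
    return problems
```

Run it against the real file with `check_tls_config(open("/etc/gitlab/gitlab.rb").read())` before reconfiguring; it only inspects paths, so it cannot tell whether certbot actually issued the files.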
After editing, reconfigure and restart
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart
SSL setup complete
Accessing GitLab CI
From a browser
https://xxxxxx.xxxxxx.jp
Pushing a Docker image to the GitLab CI Registry
From the client
docker login registry.xxxxxx.xxxxxx.jp
docker push registry.xxxxxx.xxxxxx.jp/{Groups}/{Projects}:{Tags}