rancher / community-catalog

Catalog entries contributed by the community

gitlab-3 does not work properly with SSL

mspanc opened this issue · comments

CC @AlexisDucastel

I am trying to use gitlab 9.5.1-ce.0 (gitlab-3) on rancher 1.6.10 / docker 17.09 ce / ubuntu 16.04.

I have added a wildcard certificate such as *.mydomain.com and I am trying to deploy gitlab at git.mydomain.com.

It is stuck on "Initializing" when I set gitlab_omnipus_prefix to https://.

When I set this variable to http:// it works fine, but then when I pass it through an HTTPS rule in my load balancer it keeps showing http:// as repository URLs and keeps loading insecure content (such as gravatars).

The logs from the container are the following:

==> /var/log/gitlab/nginx/error.log <==
2017/11/05 20:55:34 [emerg] 17547#0: BIO_new_file("/etc/gitlab/ssl/git.mydomain.com.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/gitlab/ssl/git.mydomain.com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)

==> /var/log/gitlab/nginx/current <==
2017-11-05_20:55:34.40955 nginx: [emerg] BIO_new_file("/etc/gitlab/ssl/git.mydomain.com.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/gitlab/ssl/git.mydomain.com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)

==> /var/log/gitlab/gitlab-monitor/current <==
2017-11-05_20:55:33.80028 127.0.0.1 - - [05/Nov/2017:20:55:33 UTC] "GET /sidekiq HTTP/1.1" 200 3799
2017-11-05_20:55:33.80030 - -> /sidekiq

==> /var/log/gitlab/nginx/error.log <==
2017/11/05 20:55:35 [emerg] 17549#0: BIO_new_file("/etc/gitlab/ssl/git.mydomain.com.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/gitlab/ssl/git.mydomain.com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)

==> /var/log/gitlab/nginx/current <==
2017-11-05_20:55:35.50062 nginx: [emerg] BIO_new_file("/etc/gitlab/ssl/git.mydomain.com.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/gitlab/ssl/git.mydomain.com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)

==> /var/log/gitlab/nginx/error.log <==
2017/11/05 20:55:36 [emerg] 17555#0: BIO_new_file("/etc/gitlab/ssl/git.mydomain.com.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/gitlab/ssl/git.mydomain.com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)

==> /var/log/gitlab/nginx/current <==
2017-11-05_20:55:36.55980 nginx: [emerg] BIO_new_file("/etc/gitlab/ssl/git.mydomain.com.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/gitlab/ssl/git.mydomain.com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)

==> /var/log/gitlab/gitlab-monitor/current <==
2017-11-05_20:55:35.88231 127.0.0.1 - - [05/Nov/2017:20:55:35 UTC] "GET /database HTTP/1.1" 200 44389
2017-11-05_20:55:35.88233 - -> /database

Indeed the mentioned file that is supposed to contain the certificate does not exist:

# docker exec -it 6b83327d55c8 bash
root@gitlab-gitlab-server-1:/# find /etc/gitlab/
/etc/gitlab/
/etc/gitlab/ssh_host_rsa_key
/etc/gitlab/ssh_host_ed25519_key
/etc/gitlab/gitlab-secrets.json
/etc/gitlab/ssh_host_ecdsa_key.pub
/etc/gitlab/trusted-certs
/etc/gitlab/ssh_host_rsa_key.pub
/etc/gitlab/ssh_host_ecdsa_key
/etc/gitlab/gitlab.rb
/etc/gitlab/ssh_host_ed25519_key.pub

According to the gitlab documentation the SSL key & cert should be manually copied, but that undermines the whole process of setting this up in such an automated environment as rancher.

There's a way to use https:// but leave terminating SSL to the load balancer as described here: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl
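
The missing-certificate failure in the logs and the proxied-SSL setup linked above, as an added example that is not part of the original thread or the catalog's code: a preflight check over gitlab.rb text that reports which certificate file the bundled nginx will try to open. The function names and sample configs are constructed for illustration; the `nginx['listen_port']`, `nginx['listen_https']` and `nginx['ssl_certificate']` settings come from the Omnibus nginx documentation, and the default path pattern is the one shown in the error log.

```ruby
require 'uri'

# Constructed gitlab.rb samples (hostname taken from the logs in this thread).
BROKEN = <<~RB
  external_url 'https://git.mydomain.com'
RB

PROXIED = <<~RB
  external_url 'https://git.mydomain.com'
  nginx['listen_port'] = 80       # load balancer forwards plain HTTP here
  nginx['listen_https'] = false   # TLS is terminated at the load balancer
RB

# Path of the certificate the bundled nginx will try to open, or nil when
# nginx does not serve TLS itself (http:// URL or proxied SSL).
def required_cert_path(gitlab_rb)
  active = gitlab_rb.lines.reject { |l| l.strip.start_with?('#') }.join
  url = active[/^\s*external_url\s+['"]([^'"]+)['"]/, 1]
  return nil if url.nil? || URI.parse(url).scheme != 'https'
  return nil if active =~ /^\s*nginx\['listen_https'\]\s*=\s*false\b/

  explicit = active[/^\s*nginx\['ssl_certificate'\]\s*=\s*['"]([^'"]+)['"]/, 1]
  explicit || "/etc/gitlab/ssl/#{URI.parse(url).host}.crt"
end

# Returns [status, path]; `exists` is injectable so the check can be tested
# without touching the filesystem.
def preflight(gitlab_rb, exists: File.method(:exist?))
  path = required_cert_path(gitlab_rb)
  return [:tls_not_local, nil] if path.nil?

  exists.call(path) ? [:ok, path] : [:missing_cert, path]
end

if __FILE__ == $PROGRAM_NAME
  { 'broken' => BROKEN, 'proxied' => PROXIED }.each do |name, conf|
    status, path = preflight(conf)
    puts "#{name}: #{status} #{path}"
  end
end
```

With the proxied variant, repository URLs are still generated as https:// while the container itself listens on plain HTTP, so the hop between the load balancer and the container should stay on a trusted network.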

Hi @mspanc,

As you said, you need to copy certificates in order to make it work. Another option would be that you add your certificate to rancher and you could use it in a rancher load balancer.
E.g. take a look at the artifactory entry, https://github.com/rancher/community-catalog/tree/master/templates/artifactory-oss/0