{"id":1102,"date":"2023-02-13T17:56:34","date_gmt":"2023-02-13T16:56:34","guid":{"rendered":"http:\/\/192.168.1.213:8088\/?p=1102"},"modified":"2023-10-13T05:40:12","modified_gmt":"2023-10-13T04:40:12","slug":"gitlab-server-with-a-self-signed-certificate-and-embedded-docker-registry","status":"publish","type":"post","link":"http:\/\/192.168.1.213:8088\/gitlab-server-with-a-self-signed-certificate-and-embedded-docker-registry\/","title":{"rendered":"GitLab server with a self-signed certificate and embedded docker registry \ud83d\udd10"},"content":{"rendered":"\t\t
Introduction<\/h5>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

I needed to set up a GitLab server in a lab some weeks ago. At first, I didn’t feel the need to use a certificate to secure the connectivity, but when I started to use the embedded Docker registry, I wasn’t able to get it working. A Docker registry uses SSL certificates by default.<\/p>

I thought it couldn’t be that complicated to create a self-signed certificate, but then the fun started … I couldn’t really find good documentation, and I somehow needed to use a trial-and-error approach to solve it.<\/p>

If you are thinking of using a GitLab server with your own self-signed certificates, then this is the right article for you and it will save you a lot of time.\u00a0<\/p>

My server is based on Ubuntu 22.04 with GitLab CE 15.8.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

Generate the certificates<\/h5>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

You need to generate:<\/p>

  • CA (Certificate Authority)<\/li>
  • Server certificate<\/li><\/ul>


    You will need to have the tool “certtool”, which is one way to generate the certificates.\u00a0<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t


    Create a new directory in the GitLab folder where the certificates get stored and create a file for the default values in the certificate. We need to have a SAN (Subject Alternative Name). In my case, I will use the IP address.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

    \n\t\t\t\t\n\t\t\t\t\tsudo mkdir \/etc\/gitlab\/ssl\/\ncd \/etc\/gitlab\/ssl\n\n# Write the certtool template holding the default values for the server certificate\nsudo tee server-certificate.template > \/dev\/null <<'EOF'\nip_address = \"10.122.49.112\"\nexpiration_days = 360\nEOF<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4a3deed elementor-widget elementor-widget-code-highlight\" data-id=\"4a3deed\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$ sudo apt-get install gnutls-bin\n$ sudo certtool --generate-privkey --outfile ca.key\nGenerating a 3072 bit RSA private key...<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ad87033 elementor-widget elementor-widget-text-editor\" data-id=\"ad87033\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Please see the highlighted lines in the following output:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1d75786 elementor-widget elementor-widget-code-highlight\" data-id=\"1d75786\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"20,24,29,31,39,96\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$ sudo certtool --generate-self-signed --load-privkey ca.key --outfile ca.crt \nGenerating a self signed certificate...\nPlease enter the details of the 
certificate's distinguished name. Just press enter to ignore a field.\nCountry name (2 chars): DE\nState or province name: NRW\nLocality name: \nOrganization name: \nOrganizational unit name: \nCommon name: \nUID: \nEnter the subject's domain component (DC): \nThis field should not be used in new certificates.\nE-mail: \nEnter the certificate's serial number in decimal (123) or hex (0xabcd)\n(default is 0x2234344dda861e09c405946fd218a39dda7cf0cd)\nvalue: \n\n\nActivation\/Expiration time.\nThe certificate will expire in (days): 3650\n\n\nExtensions.\nDoes the certificate belong to an authority? (y\/N): y\nPath length constraint (decimal, -1 for no constraint): \nIs this a TLS web client certificate? (y\/N): \nWill the certificate be used for IPsec IKE operations? (y\/N): \nIs this a TLS web server certificate? (y\/N): \nEnter a dnsName of the subject of the certificate: some-domain.tld\nEnter a URI of the subject of the certificate: \nEnter the IP address of the subject of the certificate: xxx.xxx.xxx.xxx\nEnter the e-mail of the subject of the certificate: \nWill the certificate be used for signing (required for TLS)? (Y\/n): \nWill the certificate be used for data encryption? (y\/N): \nWill the certificate be used to sign OCSP requests? (y\/N): \nWill the certificate be used to sign code? (y\/N): \nWill the certificate be used for time stamping? (y\/N): \nWill the certificate be used for email protection? (y\/N): \nWill the certificate be used to sign other certificates? (Y\/n): y\nWill the certificate be used to sign CRLs? 
(y\/N): \nEnter the URI of the CRL distribution point: \nX.509 Certificate Information:\n\tVersion: 3\n\tSerial Number (hex): 2234344dda861e09c405946fd218a39dda7cf0cd\n\tValidity:\n\t\tNot Before: Sun Feb 12 16:38:09 UTC 2023\n\t\tNot After: Wed Feb 09 16:38:12 UTC 2033\n\tSubject: ST=NRW,C=DE\n\tSubject Public Key Algorithm: RSA\n\tAlgorithm Security Level: High (3072 bits)\n\t\tModulus (bits 3072):\n\t\t\t00:dc:a5:8b:c1:ec:55:15:d1:90:e9:50:b8:b6:9b:b1\n\t\t\t7d:c1:f0:a1:a4:a5:73:f8:26:a3:99:fd:0c:92:89:3e\n\t\t\td0:0c:da:9d:a1:23:e5:fa:48:89:f0:0b:45:02:bb:9c\n\t\t\t5e:d9:58:8c:93:e1:05:47:40:d2:15:3f:b6:1c:b8:89\n\t\t\t1f:16:09:33:12:16:63:5a:a3:10:b1:f5:72:9a:1f:26\n\t\t\t62:b5:96:64:13:1f:59:b0:a4:76:ae:ff:82:df:32:c1\n\t\t\te4:f3:82:eb:66:ab:96:d2:4e:1c:5c:03:f5:ec:10:89\n\t\t\t64:0d:a1:b7:26:3c:34:db:73:e8:91:60:9c:87:b5:61\n\t\t\t15:b3:c8:c0:c4:d0:cf:bb:12:c5:67:90:fa:e2:a2:a1\n\t\t\t0a:fd:35:94:88:f9:25:d9:09:fd:30:6a:b6:33:67:04\n\t\t\ta5:f4:5d:98:a2:a9:3f:bb:c7:b6:ef:da:40:19:42:98\n\t\t\t4c:af:e4:fb:e7:a8:b2:07:59:65:f7:83:35:ea:0f:31\n\t\t\t1b:1a:5f:02:eb:93:6b:ba:5f:8a:85:1e:67:ee:ea:71\n\t\t\t7c:ec:c3:4f:2d:3e:4c:d9:97:54:f0:60:f8:24:c9:c7\n\t\t\t6a:f0:80:5e:ab:97:6a:a2:76:06:cd:28:13:42:da:c7\n\t\t\t35:87:35:27:ce:42:ba:47:da:c8:80:8f:43:7c:63:78\n\t\t\t0e:6b:fc:38:82:d3:3c:23:0a:3a:12:d8:65:19:15:c7\n\t\t\t1f:f0:4b:8d:1e:d2:5a:19:26:cb:ab:80:d2:80:13:35\n\t\t\t1b:bb:ff:f9:39:06:96:41:58:be:c8:eb:bc:68:04:95\n\t\t\t73:75:06:9e:1b:a7:4c:65:9c:c9:a3:49:cc:ed:13:a9\n\t\t\t5e:ef:5e:f2:0b:21:01:5d:19:42:11:f7:63:eb:ba:b9\n\t\t\t90:d8:04:f5:60:35:dc:73:47:89:26:c2:af:4f:7e:f0\n\t\t\tb6:a4:56:7e:45:46:a8:87:e1:c5:72:2d:e9:ca:bf:6b\n\t\t\t61:ff:d0:48:b7:27:e5:20:e3:62:b0:17:7d:a6:0a:c4\n\t\t\t4d\n\t\tExponent (bits 24):\n\t\t\t01:00:01\n\tExtensions:\n\t\tBasic Constraints (critical):\n\t\t\tCertificate Authority (CA): TRUE\n\t\tSubject Alternative Name (not critical):\n\t\t\tIPAddress: 10.122.49.112\n\t\tKey Usage (critical):\n\t\t\tDigital 
signature.\n\t\t\tCertificate signing.\n\t\tSubject Key Identifier (not critical):\n\t\t\t70985171457644ab6ec558d2fe0e40ba48ac729b\nOther Information:\n\tPublic Key ID:\n\t\tsha1:70985171457644ab6ec558d2fe0e40ba48ac729b\n\t\tsha256:21b2bea7ba18f8a5855d463bba0ee1dc459117f96bf5a54527000be9e50f9d12\n\tPublic Key PIN:\n\t\tpin-sha256:IbK+p7oY+KWFXUY7ug7h3EWRF\/lr9aVFJwAL6eUPnRI=\n\nIs the above information ok? (y\/N): y\n\n\nSigning certificate...<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1466220 elementor-widget elementor-widget-text-editor\" data-id=\"1466220\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Great, you created your own CA now! Let&#8217;s continue with the server certificate.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-89da627 elementor-widget elementor-widget-code-highlight\" data-id=\"89da627\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$ sudo certtool --generate-privkey --outfile 10.122.49.112.key<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-725d345 elementor-widget elementor-widget-code-highlight\" data-id=\"725d345\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code 
readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$ sudo certtool --generate-request --load-privkey 10.122.49.112.key --outfile request.pem<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-68fa144 elementor-widget elementor-widget-code-highlight\" data-id=\"68fa144\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"13,16,24-25\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$ certtool --generate-request --load-privkey 10.122.49.112.key --outfile request.pem\nGenerating a PKCS #10 certificate request...\nCountry name (2 chars): DE\nState or province name: NRW\nLocality name: \nOrganization name: \nOrganizational unit name: \nCommon name: \nUID: \nEnter the subject's domain component (DC): \nEnter a dnsName of the subject of the certificate: \nEnter a URI of the subject of the certificate: \nEnter the IP address of the subject of the certificate: 10.122.49.112\nEnter the e-mail of the subject of the certificate: \nEnter a challenge password: \nDoes the certificate belong to an authority? (y\/N): N\nWill the certificate be used for signing (DHE ciphersuites)? (Y\/n): \nWill the certificate be used for encryption (RSA ciphersuites)? (Y\/n): \nWill the certificate be used to sign code? (y\/N): \nWill the certificate be used for time stamping? (y\/N): \nWill the certificate be used for email protection? (y\/N): \nWill the certificate be used for IPsec IKE operations? (y\/N): \nWill the certificate be used to sign OCSP requests? (y\/N): \nIs this a TLS web client certificate? (y\/N): y\nIs this a TLS web server certificate? 
(y\/N): y<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6a896d7 elementor-widget elementor-widget-code-highlight\" data-id=\"6a896d7\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-javascript line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-javascript\">\n\t\t\t\t\t<xmp>$ sudo certtool --generate-certificate --load-request request.pem --outfile 10.122.49.112.crt --load-ca-certificate ca.crt --load-ca-privkey ca.key  --template server-certificate.template\nGenerating a signed certificate...\nX.509 Certificate Information:\n\tVersion: 3\n\tSerial Number (hex): 5c9a31fa79b3996121150525897904bfd547e078\n\tValidity:\n\t\tNot Before: Mon Feb 13 12:49:54 UTC 2023\n\t\tNot After: Thu Feb 08 12:49:54 UTC 2024\n\tSubject: ST=NRW,C=DE\n\tSubject Public Key Algorithm: RSA\n\tAlgorithm Security Level: High (3072 bits)\n\t\tModulus (bits 
3072):\n\t\t\t00:9f:db:9b:33:f9:65:6c:2a:15:c3:f4:cd:15:07:c5\n\t\t\t71:47:9c:24:36:74:7d:84:40:72:53:e5:2f:64:7c:96\n\t\t\te0:1f:a2:e8:d8:f2:aa:5f:00:6b:e6:65:2d:9b:94:28\n\t\t\td1:1b:9c:cb:8b:d1:39:f3:00:52:b1:14:21:5d:15:aa\n\t\t\t71:37:20:38:90:d0:95:c5:80:67:9c:2a:db:81:f7:dc\n\t\t\t65:b4:97:8f:6d:b5:02:26:7d:a1:55:c2:da:82:7a:e0\n\t\t\ted:cb:1c:e6:98:86:2e:21:0d:fa:05:72:09:8d:09:37\n\t\t\t29:16:e1:74:53:a2:b3:38:3b:72:43:78:1d:8d:44:79\n\t\t\te8:2f:c1:fa:d6:c9:d7:ee:c6:12:34:87:a5:d3:cf:3e\n\t\t\teb:7a:a4:64:f6:3a:61:33:31:e5:42:d7:9a:93:bc:db\n\t\t\t4b:ca:85:a8:d3:f0:ad:70:f3:6a:46:45:97:53:ee:43\n\t\t\t14:d6:a8:e0:44:cf:f5:3d:fe:0e:97:fa:3f:39:5c:7f\n\t\t\t10:1b:ca:6c:89:d1:4a:e1:49:00:35:63:dd:10:65:68\n\t\t\tab:c2:af:a2:bd:de:a1:d8:23:cb:1c:99:35:6e:cf:2b\n\t\t\ta4:01:f1:22:39:ee:f8:25:8f:5c:41:87:49:03:5a:54\n\t\t\t18:09:ab:ab:bb:d8:af:2f:e1:e1:f8:75:a2:7f:69:1e\n\t\t\t3f:2b:b7:35:a5:97:a1:ab:ab:7f:7e:99:ed:9f:cc:57\n\t\t\taf:fd:ac:cb:d6:48:38:ed:ad:94:50:35:2a:ec:dc:5b\n\t\t\t7f:4c:3b:c1:fb:eb:8a:a9:50:57:0b:7b:51:3d:70:f8\n\t\t\t98:aa:56:30:55:3d:f0:8b:78:aa:b4:70:ca:ff:5c:96\n\t\t\tce:b0:af:a8:1e:5f:b1:7e:cc:9b:87:a3:0a:fb:fe:b8\n\t\t\td4:2b:fc:60:4a:04:aa:44:e8:17:3a:12:71:39:93:42\n\t\t\te9:24:2d:19:79:eb:49:54:53:ce:0e:a2:ac:bb:12:34\n\t\t\t26:71:d3:41:47:cc:03:62:ec:10:83:ba:d8:8a:b0:46\n\t\t\t3d\n\t\tExponent (bits 24):\n\t\t\t01:00:01\n\tExtensions:\n\t\tBasic Constraints (critical):\n\t\t\tCertificate Authority (CA): FALSE\n\t\tSubject Alternative Name (not critical):\n\t\t\tIPAddress: 10.122.49.112\n\t\tSubject Key Identifier (not critical):\n\t\t\te8ee53b50fbbd3f0886f826b46ac8e1569154471\n\t\tAuthority Key Identifier (not critical):\n\t\t\t70985171457644ab6ec558d2fe0e40ba48ac729b\nOther Information:\n\tPublic Key ID:\n\t\tsha1:e8ee53b50fbbd3f0886f826b46ac8e1569154471\n\t\tsha256:e9254cf51721ce8f201eeba7f6d941a5afd6f9a73f781fb2b8b964326af94a79\n\tPublic Key PIN:\n\t\tpin-sha256:6SVM9Rchzo8gHuun9tlBpa\/W+ac\/eB+yuLlkMmr5Snk=\n\nSigning 
certificate...<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d10096b elementor-widget elementor-widget-heading\" data-id=\"d10096b\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h5 class=\"elementor-heading-title elementor-size-default\">Change the GitLab server config<\/h5>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-08441b4 elementor-widget elementor-widget-text-editor\" data-id=\"08441b4\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Now you need to change the GitLab server config in order to use the new certificates. The GitLab server config is located in <strong>\/etc\/gitlab\/gitlab.rb<\/strong>. After applying the changes, the GitLab server needs to be reconfigured and restarted.<\/p><p>Open the <strong>\/etc\/gitlab\/gitlab.rb<\/strong> file and change the following lines:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d3c4026 elementor-widget elementor-widget-code-highlight\" data-id=\"d3c4026\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"3-5\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$ sudo vi \/etc\/gitlab\/gitlab.rb\n\n external_url 'https:\/\/10.122.49.112'\n nginx['ssl_certificate'] = \"\/etc\/gitlab\/ssl\/#{node['fqdn']}.crt\"\n nginx['ssl_certificate_key'] = \"\/etc\/gitlab\/ssl\/#{node['fqdn']}.key\"<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element 
elementor-element-bdd0810 elementor-widget elementor-widget-text-editor\" data-id=\"bdd0810\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Now it makes more sense why the server certificate&#8217;s .key and .crt files are named after the IP address. In my lab, I do not have a DNS server; that&#8217;s why I access the server via the IP directly. The GitLab server is using the variable defined in the external URL <b>(#{node['fqdn']}.crt)<\/b>.<\/p><p>You can also define the filename manually, but then you need to remove the variable definition &#8220;<b>#{node['fqdn']}.crt<\/b>&#8221;.<\/p><p>After the changes, save the config and reconfigure the server.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-230c753 elementor-widget elementor-widget-code-highlight\" data-id=\"230c753\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"13\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$ sudo gitlab-ctl reconfigure\n\n....\n....\n\n[2023-02-13T13:26:56+00:00] INFO: Cinc Client Run complete in 22.174210125 seconds\n\nRunning handlers:\n[2023-02-13T13:26:57+00:00] INFO: Running report handlers\nRunning handlers complete\n[2023-02-13T13:26:57+00:00] INFO: Report handlers complete\nInfra Phase complete, 4\/851 resources updated in 25 seconds\ngitlab Reconfigured!\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e182f8d elementor-widget elementor-widget-text-editor\" data-id=\"e182f8d\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Validate the server status with the following command:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ebc3fc2 elementor-widget elementor-widget-code-highlight\" data-id=\"ebc3fc2\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$ sudo gitlab-ctl status | grep nginx\nrun: nginx: (pid 1380) 659379s; run: log: (pid 1369) 659379s<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-19c6446 elementor-widget elementor-widget-text-editor\" data-id=\"19c6446\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>See the documentation for more available gitlab-ctl commands:<br \/><a href=\"https:\/\/docs.gitlab.com\/omnibus\/maintenance\/\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.gitlab.com\/omnibus\/maintenance\/<\/a><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-26f1406 elementor-widget elementor-widget-heading\" data-id=\"26f1406\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h5 class=\"elementor-heading-title elementor-size-default\">Activate the Docker Registry<\/h5>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-df882c1 elementor-widget elementor-widget-text-editor\" data-id=\"df882c1\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>As your certificates are in place, you can proceed and activate the Docker registry by changing <strong>\/etc\/gitlab\/gitlab.rb<\/strong> again and then reconfiguring the GitLab server.<\/p><p>Of course, change the config according to your DNS name or IP.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8546bde elementor-widget elementor-widget-code-highlight\" data-id=\"8546bde\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$ sudo vi \/etc\/gitlab\/gitlab.rb\n\n registry_external_url 'https:\/\/10.122.49.112:5050'\n registry_nginx['enable'] = true\n registry_nginx['listen_port'] = 5050<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7d06b77 elementor-widget elementor-widget-text-editor\" data-id=\"7d06b77\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Reconfigure the server and check the GitLab server status:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6b8a397 elementor-widget elementor-widget-code-highlight\" data-id=\"6b8a397\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"10-11\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$ sudo gitlab-ctl 
reconfigure\n\n....\n....\n\nRunning handlers:\n[2023-02-13T13:45:14+00:00] INFO: Running report handlers\nRunning handlers complete\n[2023-02-13T13:45:14+00:00] INFO: Report handlers complete\nInfra Phase complete, 1\/851 resources updated in 26 seconds\ngitlab Reconfigured!\n\n$ sudo gitlab-ctl status | grep 'nginx\\|registry'\n\nrun: nginx: (pid 1380) 660259s; run: log: (pid 1369) 660259s\nrun: registry: (pid 1399) 660259s; run: log: (pid 1384) 660259s<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8e53686 elementor-widget elementor-widget-text-editor\" data-id=\"8e53686\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Go to your GitLab UI and validate if the registry is available:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9c8a1d9 elementor-widget elementor-widget-image\" data-id=\"9c8a1d9\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"800\" height=\"382\" src=\"http:\/\/192.168.1.213:8088\/wp-content\/uploads\/2023\/02\/gitlab-ssl-docker_001-1024x489.png\" class=\"attachment-large size-large wp-image-1134\" alt=\"\" srcset=\"http:\/\/192.168.1.213:8088\/wp-content\/uploads\/2023\/02\/gitlab-ssl-docker_001-1024x489.png 1024w, http:\/\/192.168.1.213:8088\/wp-content\/uploads\/2023\/02\/gitlab-ssl-docker_001-300x143.png 300w, http:\/\/192.168.1.213:8088\/wp-content\/uploads\/2023\/02\/gitlab-ssl-docker_001-768x367.png 768w, http:\/\/192.168.1.213:8088\/wp-content\/uploads\/2023\/02\/gitlab-ssl-docker_001-1536x733.png 1536w, http:\/\/192.168.1.213:8088\/wp-content\/uploads\/2023\/02\/gitlab-ssl-docker_001-2048x978.png 2048w\" sizes=\"(max-width: 800px) 100vw, 800px\" 
\/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cb712b2 elementor-widget elementor-widget-heading\" data-id=\"cb712b2\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h5 class=\"elementor-heading-title elementor-size-default\">Let Docker accept your self-signed certificate<\/h5>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b10eb39 elementor-widget elementor-widget-text-editor\" data-id=\"b10eb39\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>By default, Docker will not accept your self-signed certificate. To make Docker aware that your certificate is valid, create a folder named after your trusted Docker registry under \/etc\/docker\/certs.d\/ and copy your CA into that folder.<\/p><p>If you do not copy the CA into the folder,
you will receive the following error:<br \/><strong>Registry fails with x509 certificate signed by unknown authority<\/strong><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-24603fb elementor-widget elementor-widget-code-highlight\" data-id=\"24603fb\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>sudo mkdir -p \/etc\/docker\/certs.d\/10.122.49.112:5050\nsudo cp \/etc\/gitlab\/ssl\/ca.crt \/etc\/docker\/certs.d\/10.122.49.112:5050\/<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0c72e95 elementor-widget elementor-widget-heading\" data-id=\"0c72e95\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h5 class=\"elementor-heading-title elementor-size-default\">Let GitLab runners accept your self-signed certificate<\/h5>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9c245fa elementor-widget elementor-widget-text-editor\" data-id=\"9c245fa\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>The same error will occur when you want to register your GitLab runner:<\/p><p class=\"p1\"><strong><span class=\"s1\">Post &#8220;https:\/\/10.122.49.112\/api\/v4\/runners&#8221;: x509: certificate signed by unknown authority<\/span><\/strong><\/p><p>Please use the following command in order to register your GitLab runner successfully:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element 
elementor-element-7534bf5 elementor-widget elementor-widget-code-highlight\" data-id=\"7534bf5\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>sudo gitlab-runner register --tls-ca-file=\"\/etc\/gitlab\/ssl\/ca.crt\" <\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-845dd36 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"845dd36\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d519c94\" data-id=\"d519c94\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Table of Contents Introduction I needed to set up a GitLab server in a lab some weeks ago. At first, I didn&#8217;t feel the need of using a certificate to secure the connectivity but when I started to use the embedded Docker registry, I wasn&#8217;t able to get it working. 
A Docker registry is using [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1148,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[11,1],"tags":[],"class_list":["post-1102","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-automation","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/192.168.1.213:8088\/wp-json\/wp\/v2\/posts\/1102"}],"collection":[{"href":"http:\/\/192.168.1.213:8088\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/192.168.1.213:8088\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/192.168.1.213:8088\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/192.168.1.213:8088\/wp-json\/wp\/v2\/comments?post=1102"}],"version-history":[{"count":65,"href":"http:\/\/192.168.1.213:8088\/wp-json\/wp\/v2\/posts\/1102\/revisions"}],"predecessor-version":[{"id":1682,"href":"http:\/\/192.168.1.213:8088\/wp-json\/wp\/v2\/posts\/1102\/revisions\/1682"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/192.168.1.213:8088\/wp-json\/wp\/v2\/media\/1148"}],"wp:attachment":[{"href":"http:\/\/192.168.1.213:8088\/wp-json\/wp\/v2\/media?parent=1102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/192.168.1.213:8088\/wp-json\/wp\/v2\/categories?post=1102"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/192.168.1.213:8088\/wp-json\/wp\/v2\/tags?post=1102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}