GitLab SSL handshake error when doing a Git pull / clone with TortoiseGit and Ansible

Hoping someone can help with a few problems I'm running into on a fresh install of GitLab on RHEL 7. I configured GitLab to use SSL, and I can browse to our server in a web browser using https://servername.domainname, but doing any type of Git clone or pull over https results in an SSL error.

When doing a Git clone with TortoiseGit (latest version) on Windows I get the error "error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure", and when using Ansible Tower I get "Peer's Certificate Issuer is not recognized."

I've tried editing GitLab's gitlab.rb file to allow various SSL ciphers and versions, but nothing seems to work (plus, I'd rather not allow weak ciphers or vulnerable SSL versions).

The SSL certificate used for GitLab is a GoDaddy certificate, not self-signed.

The Nginx configuration section of my gitlab.rb is (sorry, I know it's long):

    ################
    # GitLab Nginx #
    ################
    ## see: https://gitlab.com/gitlab-org/omnibus-gitlab/tree/master/doc/settings/nginx.md
    nginx['enable'] = true
    # nginx['client_max_body_size'] = '250m'
    nginx['redirect_http_to_https'] = true
    ci_nginx['redirect_http_to_https'] = true
    nginx['redirect_http_to_https_port'] = 80
    # nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.cer" # Most root CA's are included by default
    nginx['ssl_certificate'] = "/etc/gitlab/ssl/sslcert.cer"
    nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/sslcert.key"
    nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
    nginx['ssl_prefer_server_ciphers'] = "on"
    nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
    nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
    nginx['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
    # nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem
    # nginx['listen_addresses'] = ['*']
    # nginx['listen_port'] = nil # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
    # nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
    # nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
    # nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
    # nginx['proxy_read_timeout'] = 300
    # nginx['proxy_connect_timeout'] = 300
    # nginx['proxy_set_headers'] = {
    #   "Host" => "$http_host",
    #   "X-Real-IP" => "$remote_addr",
    #   "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
    #   "X-Forwarded-Proto" => "https",
    #   "X-Forwarded-Ssl" => "on"
    # }
    # nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
    # nginx['proxy_cache'] = 'gitlab'
    # nginx['http2_enabled'] = true
    ## Advanced settings
    # nginx['dir'] = "/var/opt/gitlab/nginx"
    nginx['log_directory'] = "/var/log/gitlab/nginx"
    # nginx['worker_processes'] = 4
    # nginx['worker_connections'] = 10240
    # nginx['log_format'] = '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
    # nginx['sendfile'] = 'on'
    # nginx['tcp_nopush'] = 'on'
    # nginx['tcp_nodelay'] = 'on'
    # nginx['gzip'] = "on"
    # nginx['gzip_http_version'] = "1.0"
    # nginx['gzip_comp_level'] = "2"
    # nginx['gzip_proxied'] = "any"
    # nginx['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
    # nginx['keepalive_timeout'] = 65
    # nginx['cache_max_size'] = '5000m'

Outside of these settings my gitlab.rb file is pretty much the default (with LDAP configured).

Running curl from the Ansible server (RHEL 7, latest curl release):

    curl -v https://gitlabserver.domain.com
    * About to connect() to gitlabserver.domain.com port 443 (#0)
    *   Trying ip address...
    * Connected to gitlabserver.domain.com (ipaddress) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
    * Cannot communicate securely with peer: no common encryption algorithm(s).
    * Closing connection 0
    curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

Are there any other tests I can run to help diagnose the https problem with the Git clone process?

Better late than never: I ran into the same problem and solved it by concatenating the intermediate certificate from my CA and my .crt into one combined .crt, which nginx then uses.

More info here: https://www.digicert.com/ssl-certificate-installation-nginx.htm
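The combined-chain fix described in the answer, demonstrated on a throwaway PKI so it runs offline: the leaf alone fails verification the way the clients above reported, and supplying the intermediate (which is what the combined .crt handed to nginx does) makes the chain build. This is an added example, not code from the question, the answer or GitLab; it assumes the openssl CLI is on PATH, and every hostname, subject and file name in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the question or answer: build a throwaway root -> intermediate -> leaf
# PKI with the openssl CLI, show that the leaf alone fails verification ("issuer not recognized"),
# and that supplying the intermediate, as the combined .crt handed to nginx does, fixes it.
# All hostnames, file names and subjects below are constructed placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension files: CA certs must carry basicConstraints CA:TRUE or openssl rejects them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gitlab.example.invalid\n' > leaf.ext

# Key + CSR helper (RSA 2048, no passphrase, throwaway).
mkcsr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null; }

mkcsr root "/CN=Constructed Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 3 -extfile ca.ext -out root.pem 2>/dev/null
mkcsr int "/CN=Constructed Intermediate CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 1 -days 3 -extfile ca.ext -out int.pem 2>/dev/null
mkcsr leaf "/CN=gitlab.example.invalid"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 2 -days 3 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Verify a leaf the way a client that trusts only the root (root.pem) does.
# $1 = leaf cert; $2 = optional file of untrusted extra certs (the intermediate).
# Returns 0 when a chain to the root can be built, non-zero otherwise.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
  fi
}

# The answer's fix: leaf first, then intermediate, in one file for nginx['ssl_certificate'].
build_chain() { cat "$1" "$2" > "$3"; grep -c 'BEGIN CERTIFICATE' "$3"; }

if verify_leaf leaf.pem; then
  echo "unexpected: leaf verified without the intermediate"
else
  echo "leaf alone: unable to get local issuer certificate (what the clients reported)"
fi
verify_leaf leaf.pem int.pem && echo "leaf + intermediate: chain verifies"
echo "combined.crt holds $(build_chain leaf.pem int.pem combined.crt) certificates"
```

Against the real server, `openssl s_client -connect host:443 -servername host -showcerts` shows how many certificates nginx actually sends; if only the leaf appears, the same missing-intermediate condition applies.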