2021-02-07 19:45:00
My homelab runs its own PKI and most servers and services are provided with correct and trusted certificates. It's a matter of discipline and of testing as close to production as possible.
Getting Gitlab on board is a fairly okay process, but takes a bit to figure out.
- Your Gitlab runners will trust most certs generated with default settings by ADCS.
- The Docker client (e.g. "docker login gitlab:5050") is pickier: it requires that the cert carries a SAN (subject alternative name).
- It may be possible to tack on a SAN while submitting your CSR, using "certreq -submit -attrib "CertificateTemplate:WebServer SAN:dns=gitlab.domain.com" gitlab.csr" (source). But that didn't work in my setup and it's not recommended.
So my quick and dirty way of getting things set up:
- On ADCS generate a new, exportable key pair with the right settings.
- Run this keypair through a locally created .inf request file that includes an extension for the subject alternative name (see example).
- Issue the requested cert and import it.
- Export the full keypair plus cert as a PKCS12 / .pfx file.
- Transfer the .pfx to the Gitlab server and store it in "/etc/gitlab/ssl/", owned by root and readable only by root.
- Use "openssl" to extract the private key and certificate from the .pfx file, then use it again to decrypt the private key (i.e. strip its passphrase).
- Replace the pre-existing gitlabhostname.crt and gitlabhostname.key files with the newly extracted files.
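As an added example (my own script, not part of the original post), here is the "openssl" part of the procedure in bash: it pulls the key and leaf certificate out of the .pfx, strips the passphrase from the key, refuses a certificate that lacks a DNS SAN for the host (the Docker client requirement mentioned earlier), checks that key and cert belong together, and locks the key down to root only. It assumes the hostname "gitlabhostname" and the file names Gitlab expects under "/etc/gitlab/ssl/".

```bash
#!/usr/bin/env bash
# Added example, not the post's own code. Assumes hostname "gitlabhostname"
# and the /etc/gitlab/ssl/<host>.key + <host>.crt naming used by Gitlab.
set -euo pipefail

# Extract key and leaf cert from a PKCS12 bundle into a directory.
# $1 = .pfx path, $2 = .pfx password, $3 = output directory, $4 = hostname
pfx_to_pem() {
  local pfx="$1" pass="$2" dir="$3" host="$4"
  # Step 1: the key comes out PEM-encrypted (temporary pass phrase "tmp-pass") ...
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts \
      -out "$dir/$host.key.enc" -passout pass:tmp-pass
  # ... step 2: decrypt it, because Gitlab's bundled nginx needs a key
  # without a passphrase. Then remove the encrypted intermediate file.
  openssl pkey -in "$dir/$host.key.enc" -passin pass:tmp-pass -out "$dir/$host.key"
  rm -f "$dir/$host.key.enc"
  # Only the server (leaf) certificate; CA certs belong in trusted-certs instead.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts -out "$dir/$host.crt"
}

# Return 0 only if the certificate has a DNS SAN equal to the hostname.
# A cert with just a CN passes the runners but is rejected by "docker login".
cert_has_dns_san() {
  local crt="$1" host="$2"
  openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | grep -iE "DNS:[[:space:]]*${host}\$" >/dev/null
}

# Return 0 if the private key belongs to the certificate (same public key).
key_matches_cert() {
  local crt="$1" key="$2"
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Make the key readable by its owner only and print the resulting mode.
lock_down() {
  chmod 600 "$1"
  stat -c '%a' "$1"
}
```

Run it as root on the Gitlab host with the output directory set to "/etc/gitlab/ssl", then "gitlab-ctl reconfigure" as usual.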
Now, you also want Gitlab and your runners to trust your internal PKI! So you will need to ask your PKI admin (myself in this case) for the CA certificate chain. You will also need the individual certificates for the root and intermediate CA servers.
- In your Gitlab host, copy the individual PKI certificates into "/etc/gitlab/trusted-certs".
- On your Gitlab runner hosts, copy the CA chain into "/etc/gitlab-runner" and reconfigure "/etc/gitlab-runner/config.toml" so each runner has a line for "tls-ca-file".
- If you haven't done so already, make sure the rest of your Linux host also trusts your PKI by importing the certs.
- According to the Docker manuals, Docker uses both its own config file and the Linux/Windows central trust store, so completing the previous step (importing the certs into the host's trust store) is enough. But Docker will only pick up new certs after you restart the engine!
Don't forget to restart Gitlab itself, the runners and Docker after making these config changes!
You can then perform the following tests, to make sure everything's up and running with the right certs.
- sudo gitlab-ctl status
- openssl s_client -connect gitlabhostname:443
- openssl s_client -connect gitlabhostname:5050
- sudo systemctl status gitlab-runner
- docker login gitlabhostname:5050
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.