sameersbn / docker-gitlab

Dockerized GitLab

Gitlab and Registry with SSL not working #1697

Closed lchigami closed 6 years ago

lchigami commented 6 years ago

Hi, I'm trying to set up GitLab and the Container Registry with SSL on the same server using Compose, but GitLab keeps failing with a `certificate verify failed` error when it talks to the Registry.

Here is my `docker-compose.yml` (secrets replaced with `OMITTED`):

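version: '2'

services:
  redis:
    restart: always
    image: sameersbn/redis:latest
    command:
    - --loglevel warning
    volumes:
    - /var/docker/gitlab/redis:/var/lib/redis:Z
    networks:
    - gitlab_network

  postgresql:
    restart: always
    image: sameersbn/postgresql:10
    volumes:
    - /var/docker/gitlab/postgresql:/var/lib/postgresql:Z
    networks:
    - gitlab_network
    environment:
    - DB_USER=gitlab
    - DB_PASS=OMITTED
    - DB_NAME=OMITTED
    - DB_EXTENSION=OMITTED

  registry:
    image: registry:2.6.2
    restart: always
    expose:
    - "5000"
    # Published on the host so `docker login gitlab.abc.def.com:5000` reaches
    # the registry directly; it is TLS-only and token-authenticated (below), so
    # nothing unauthenticated is served on this port.
    ports:
    - "5000:5000"
    volumes:
    - /var/docker/gitlab/gitlab/shared/registry:/registry
    # NOTE(review): this host path sits inside /var/docker/gitlab/gitlab, which the
    # gitlab service mounts with ":Z" (a private SELinux label). On an SELinux-
    # enforcing host the registry container may then be denied access to /certs.
    # If that applies, mount the certs with ":z" (shared label) in both services.
    - /var/docker/gitlab/gitlab/certs:/certs
    networks:
    - gitlab_network
    environment:
    - REGISTRY_LOG_LEVEL=info
    - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry
    # Clients are redirected here to obtain a bearer token; it must be the
    # public, HTTPS GitLab URL so the token is never requested over plaintext.
    - REGISTRY_AUTH_TOKEN_REALM=https://gitlab.abc.def.com/jwt/auth
    - REGISTRY_AUTH_TOKEN_SERVICE=container_registry
    # Must match GITLAB_REGISTRY_ISSUER below, otherwise every token is rejected.
    - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer
    # Certificate whose private key GitLab uses to sign registry tokens
    # (GITLAB_REGISTRY_KEY_PATH). Here the same key pair also serves TLS on
    # :5000; consider a dedicated signing key pair so a TLS key compromise does
    # not also let an attacker mint registry tokens.
    - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry.crt
    - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt
    - REGISTRY_HTTP_TLS_KEY=/certs/registry.key
    - REGISTRY_STORAGE_DELETE_ENABLED=true

  gitlab:
    restart: always
    image: sameersbn/gitlab:11.1.4
    depends_on:
    - redis
    - postgresql
    ports:
    - "80:80"
    #- "10022:22"
    - "443:443"
    volumes:
    - /var/docker/gitlab/gitlab:/home/git/data:Z
    - /var/docker/gitlab/gitlab/certs:/certs
    networks:
    - gitlab_network
    environment:
    - DEBUG=false

    - DB_ADAPTER=OMITTED
    - DB_HOST=OMITTED
    - DB_PORT=OMITTED
    - DB_USER=OMITTED
    - DB_PASS=OMITTED
    - DB_NAME=OMITTED

    - REDIS_HOST=redis
    - REDIS_PORT=6379

    - TZ=America/Sao_Paulo
    - GITLAB_TIMEZONE=Brasilia

    # A CA-signed certificate for gitlab.abc.def.com is expected (self-signed
    # disabled), so the Ruby side verifies the registry certificate against the
    # system trust store — verification must stay on; fix the URL, not the check.
    - GITLAB_HTTPS=true
    - SSL_SELF_SIGNED=false

    # 259200 s is only 3 days; once the HTTPS setup is stable a much longer
    # max-age (preload guidance is one year or more) gives real protection.
    - NGINX_HSTS_MAXAGE=259200

    - GITLAB_REGISTRY_ENABLED=true
    - GITLAB_REGISTRY_HOST=gitlab.abc.def.com
    - GITLAB_REGISTRY_PORT=5000
    # CAUSE OF THE ERROR IN THIS ISSUE: the certificate is issued for
    # gitlab.abc.def.com, but this URL names the service "registry", so the
    # hostname check fails ("certificate verify failed"). The resolution below
    # changes it to https://gitlab.abc.def.com:5000. That name must then resolve
    # from inside this container to the host publishing :5000 (add `extra_hosts`
    # if internal DNS does not provide it). Do not "fix" this by disabling TLS
    # verification or switching to plain http.
    - GITLAB_REGISTRY_API_URL=https://registry:5000
    # Private key used to sign registry bearer tokens; must pair with the
    # certificate the registry loads as REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE.
    - GITLAB_REGISTRY_KEY_PATH=/certs/registry.key
    #- GITLAB_REGISTRY_CERT_PATH=/certs/registry.crt
    - GITLAB_REGISTRY_ISSUER=gitlab-issuer
    - SSL_REGISTRY_KEY_PATH=/certs/registry.key
    - SSL_REGISTRY_CERT_PATH=/certs/registry.crt

    - GITLAB_HOST=gitlab.abc.def.com
    - GITLAB_PORT=443
    - GITLAB_SSH_PORT=
    - GITLAB_RELATIVE_URL_ROOT=
    # These three secrets encrypt stored credentials (CI variables, 2FA seeds);
    # keep them out of any public paste and back them up with the data volume.
    - GITLAB_SECRETS_DB_KEY_BASE=OMITTED
    - GITLAB_SECRETS_SECRET_KEY_BASE=OMITTED
    - GITLAB_SECRETS_OTP_KEY_BASE=OMITTED

    - GITLAB_ROOT_PASSWORD=
    - GITLAB_ROOT_EMAIL=

    - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true
    - GITLAB_NOTIFY_PUSHER=false

    - GITLAB_EMAIL=OMITTED
    - GITLAB_EMAIL_REPLY_TO=OMITTED
    - GITLAB_INCOMING_EMAIL_ADDRESS=OMITTED

    - GITLAB_BACKUP_SCHEDULE=daily
    - GITLAB_BACKUP_TIME=01:00

    - SMTP_ENABLED=true
    - SMTP_DOMAIN=OMITTED
    - SMTP_HOST=OMITTED
    - SMTP_PORT=OMITTED
    - SMTP_USER=OMITTED
    - SMTP_PASS=OMITTED
    - SMTP_STARTTLS=true
    - SMTP_AUTHENTICATION=login

    - IMAP_ENABLED=true
    - IMAP_HOST=OMITTED
    - IMAP_PORT=OMITTED
    - IMAP_USER=OMITTED
    - IMAP_PASS=OMITTED
    - IMAP_SSL=true
    - IMAP_STARTTLS=false

    - OAUTH_ENABLED=false
    - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=
    - OAUTH_ALLOW_SSO=
    - OAUTH_BLOCK_AUTO_CREATED_USERS=true
    - OAUTH_AUTO_LINK_LDAP_USER=false
    - OAUTH_AUTO_LINK_SAML_USER=false
    - OAUTH_EXTERNAL_PROVIDERS=

    - OAUTH_CAS3_LABEL=cas3
    - OAUTH_CAS3_SERVER=
    - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false
    - OAUTH_CAS3_LOGIN_URL=/cas/login
    - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate
    - OAUTH_CAS3_LOGOUT_URL=/cas/logout

    - OAUTH_GOOGLE_API_KEY=
    - OAUTH_GOOGLE_APP_SECRET=
    - OAUTH_GOOGLE_RESTRICT_DOMAIN=

    - OAUTH_FACEBOOK_API_KEY=
    - OAUTH_FACEBOOK_APP_SECRET=

    - OAUTH_TWITTER_API_KEY=
    - OAUTH_TWITTER_APP_SECRET=

    - OAUTH_GITHUB_API_KEY=
    - OAUTH_GITHUB_APP_SECRET=
    - OAUTH_GITHUB_URL=
    - OAUTH_GITHUB_VERIFY_SSL=

    - OAUTH_GITLAB_API_KEY=
    - OAUTH_GITLAB_APP_SECRET=

    - OAUTH_BITBUCKET_API_KEY=
    - OAUTH_BITBUCKET_APP_SECRET=

    - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=
    - OAUTH_SAML_IDP_CERT_FINGERPRINT=
    - OAUTH_SAML_IDP_SSO_TARGET_URL=
    - OAUTH_SAML_ISSUER=
    # In list-form `environment:` the double quotes are passed literally as part
    # of the value (harmless while OAuth is disabled).
    - OAUTH_SAML_LABEL="Our SAML Provider"
    - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    - OAUTH_SAML_GROUPS_ATTRIBUTE=
    - OAUTH_SAML_EXTERNAL_GROUPS=
    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=
    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=
    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=
    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=

    - OAUTH_CROWD_SERVER_URL=
    - OAUTH_CROWD_APP_NAME=
    - OAUTH_CROWD_APP_PASSWORD=

    - OAUTH_AUTH0_CLIENT_ID=
    - OAUTH_AUTH0_CLIENT_SECRET=
    - OAUTH_AUTH0_DOMAIN=

    - OAUTH_AZURE_API_KEY=
    - OAUTH_AZURE_API_SECRET=
    - OAUTH_AZURE_TENANT_ID=

    - LDAP_ENABLED=true
    - LDAP_LABEL=OMITTED
    - LDAP_HOST=OMITTED
    - LDAP_PORT=OMITTED
    - LDAP_UID=sAMAccountName
    # "plain" sends the bind DN/password and every user's login password to AD
    # unencrypted, and LDAP_VERIFY_SSL=false would skip certificate checks even
    # if TLS were on. Prefer LDAP_METHOD=ssl (LDAPS, port 636) or tls (STARTTLS)
    # with LDAP_VERIFY_SSL=true once the AD certificate chain is trusted by the
    # container.
    - LDAP_METHOD=plain
    - LDAP_VERIFY_SSL=false
    - LDAP_BIND_DN=OMITTED
    # The original post contained the real bind password here (redacted). A
    # credential pasted into a public issue must be treated as compromised and
    # rotated in AD; the bind account should be read-only with minimal rights.
    - LDAP_PASS=OMITTED
    - LDAP_ACTIVE_DIRECTORY=true
    - LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=true
    - LDAP_BASE=OMITTED
    - LDAP_USER_FILTER=OMITTED

networks:
  gitlab_network:
    driver: bridge
    ipam:
      driver: default
      config:
      - subnet: 172.16.238.0/24
        gateway: 172.16.238.1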

I'm using the same domain (gitlab.abc.def.com) for both GitLab and the Registry, relying on this remark from the docs: "Note: You could also run everything on the same domain and use different ports instead. The required configuration changes below should be straightforward." (from https://github.com/sameersbn/docker-gitlab/blob/master/docs/container_registry.md)

Error from `production.log` (GitLab's Faraday client rejecting the Registry's TLS certificate):

Faraday::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed):
  lib/container_registry/client.rb:19:in `repository_tags'
  app/models/container_repository.rb:36:in `manifest'
  app/models/container_repository.rb:41:in `tags'
  app/models/container_repository.rb:53:in `has_tags?'
  app/controllers/projects/registry/repositories_controller.rb:48:in `block (2 levels) in ensure_root_container_repository!'
  app/controllers/projects/registry/repositories_controller.rb:47:in `tap'
  app/controllers/projects/registry/repositories_controller.rb:47:in `block in ensure_root_container_repository!'
  app/controllers/projects/registry/repositories_controller.rb:44:in `tap'
  app/controllers/projects/registry/repositories_controller.rb:44:in `ensure_root_container_repository!'
  lib/gitlab/i18n.rb:51:in `with_locale'
  lib/gitlab/i18n.rb:57:in `with_user_locale'
  app/controllers/application_controller.rb:362:in `set_locale'
  lib/gitlab/middleware/multipart.rb:97:in `call'
  lib/gitlab/request_profiler/middleware.rb:14:in `call'
  lib/gitlab/middleware/go.rb:17:in `call'
  lib/gitlab/etag_caching/middleware.rb:11:in `call'
  lib/gitlab/middleware/read_only/controller.rb:38:in `call'
  lib/gitlab/middleware/read_only.rb:16:in `call'
  lib/gitlab/request_context.rb:18:in `call'
  lib/gitlab/metrics/requests_rack_middleware.rb:27:in `call'
  lib/gitlab/middleware/release_env.rb:10:in `call'
lchigami commented 6 years ago

Resolved!

The problem was the host name GitLab used for the Registry's internal API. The certificate is issued for `gitlab.abc.def.com`, but `GITLAB_REGISTRY_API_URL=https://registry:5000` made GitLab connect to a host named `registry`, so the certificate's name check failed. Changing it to `GITLAB_REGISTRY_API_URL=https://gitlab.abc.def.com:5000` fixes this while keeping certificate verification enabled (the GitLab container must be able to resolve that name to the host publishing port 5000 — e.g. via `extra_hosts` if your internal DNS does not provide it). Disabling verification or falling back to plain HTTP is not the right workaround.

kancharla-sandeep commented 5 years ago

Resolved!

The problem was how the Gitlab was accessing the Registry internal API URL. Changed - GITLAB_REGISTRY_API_URL=https://registry:5000 to - GITLAB_REGISTRY_API_URL=https://gitlab.abc.def.com:5000

Where did you modify your nginx config, or was changing `GITLAB_REGISTRY_API_URL` alone sufficient?