GitLab certificate expiry

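The previous tutorial covered replacing the certificate. I didn't expect two months to pass so quickly, and now it has to be replaced again.

Previous article: https://blog.csdn.net/qq_33317586/article/details/84854582

This time I decided to simply keep the certificate on the machine itself.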


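I referred to this article: https://async.sh/2016/12/10/use-acme-sh-add-https-support-to-gitlab/

But there were some problems. Here is what actually happened:

Generating the certificate as that tutorial describes fails. I checked the configuration file and looked things up, and the webroot directory really is /opt/gitlab/embedded/service/gitlab-rails/public

But it really did fail, with a no-response error or something like that:

Later I read this document, which says that GitLab's nginx redirects .well-known: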

https://wiki.archlinux.org/index.php/Gitlab_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)

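I looked at GitLab's nginx configuration file, and that is indeed the case:

So the webroot directory used when issuing the certificate should be: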

root@xxxxx-gitlab1:~/.acme.sh# ./acme.sh  --issue -d gitlab.x.xxxxx.com -w /var/www/letsencrypt
[Sat Feb  9 10:36:46 CST 2019] Creating domain key
[Sat Feb  9 10:36:46 CST 2019] The domain key is here: /root/.acme.sh/gitlab.x.xxxxx.com/gitlab.x.xxxxx.com.key
[Sat Feb  9 10:36:46 CST 2019] Single domain='gitlab.x.xxxxx.com'
[Sat Feb  9 10:36:46 CST 2019] Getting domain auth token for each domain
[Sat Feb  9 10:36:46 CST 2019] Getting webroot for domain='gitlab.x.xxxxx.com'
[Sat Feb  9 10:36:46 CST 2019] Getting new-authz for domain='gitlab.x.xxxxx.com'
[Sat Feb  9 10:36:50 CST 2019] The new-authz request is ok.
[Sat Feb  9 10:36:51 CST 2019] Verifying:gitlab.x.xxxxx.com
[Sat Feb  9 10:36:57 CST 2019] Success
[Sat Feb  9 10:36:57 CST 2019] Verify finished, start to sign.
[Sat Feb  9 10:37:00 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
[Sat Feb  9 10:37:00 CST 2019] Your cert is in  /root/.acme.sh/gitlab.x.xxxxx.com/gitlab.x.xxxxx.com.cer 
[Sat Feb  9 10:37:00 CST 2019] Your cert key is in  /root/.acme.sh/gitlab.x.xxxxx.com/gitlab.x.xxxxx.com.key 
[Sat Feb  9 10:37:02 CST 2019] The intermediate CA cert is in  /root/.acme.sh/gitlab.x.xxxxx.com/ca.cer 
[Sat Feb  9 10:37:02 CST 2019] And the full chain certs is there:  /root/.acme.sh/gitlab.x.xxxxx.com/fullchain.cer 

Then install the certificate:

The certificate location is set in /etc/gitlab/gitlab.rb

Note that the command to restart nginx is gitlab-ctl restart nginx


The next renewal is then simple:

#acme.sh --renew -d gitlab.x.xxxxx.com --force
#acme.sh --install-cert \
-d gitlab.x.xxxxx.com \
--key-file /etc/letsencrypt/live/gitlab.x.xxxxx.com/privkey.pem \
--fullchain-file /etc/letsencrypt/live/gitlab.x.xxxxx.com/fullchain.pem \
--reloadcmd "gitlab-ctl restart nginx"
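
A check that can be run after the --install-cert step above (an added example, not part of the original post): it confirms that the nginx['ssl_certificate'] and nginx['ssl_certificate_key'] settings in gitlab.rb point at the files acme.sh writes, and that the private key is readable only by its owner. The function names are hypothetical; the two setting names are the Omnibus GitLab nginx options.

```shell
#!/bin/sh
# Added example: verify that GitLab's nginx loads the files acme.sh installs.
# Function names are hypothetical; the gitlab.rb setting names are Omnibus options.

# Print the last uncommented value of nginx['<setting>'] found in a gitlab.rb file.
gitlab_rb_value() {  # $1 = path to gitlab.rb, $2 = setting name
    sed -n "s/^[[:space:]]*nginx\['$2'\][[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$1" | tail -n 1
}

# Return 0 only if gitlab.rb points at the given files, both exist and are
# non-empty, and the private key has no group/other permission bits.
check_gitlab_tls() {  # $1 = gitlab.rb, $2 = --fullchain-file path, $3 = --key-file path
    rb=$1; want_cert=$2; want_key=$3; rc=0
    cert=$(gitlab_rb_value "$rb" ssl_certificate)
    key=$(gitlab_rb_value "$rb" ssl_certificate_key)
    [ "$cert" = "$want_cert" ] || { echo "ssl_certificate is '$cert', not '$want_cert'" >&2; rc=1; }
    [ "$key" = "$want_key" ] || { echo "ssl_certificate_key is '$key', not '$want_key'" >&2; rc=1; }
    for f in "$want_cert" "$want_key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; rc=1; }
    done
    if [ -f "$want_key" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        perm=$(ls -lLd "$want_key" | cut -c5-10)
        [ "$perm" = "------" ] || { echo "key is accessible beyond its owner: $want_key" >&2; rc=1; }
    fi
    return "$rc"
}

# Run the check when called with the three paths, e.g.
#   sh check.sh /etc/gitlab/gitlab.rb <fullchain path> <key path>
if [ "$#" -eq 3 ]; then
    check_gitlab_tls "$@"
fi
```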

Reposted from blog.csdn.net/qq_33317586/article/details/86796366