Background
GitLab EE 13.10 on an AWS EC2 CentOS instance. I wanted to have a site with a CA-signed certificate and to use SSH for my git commands.
Problem I ran into
- My install used a self-signed certificate instead of a Let’s Encrypt certificate.
- git clone over SSH failed with
Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
Steps I followed
- Followed the GitLab Omnibus installation instructions for CentOS 7
- In AWS Route 53, created a Type A Simple Routing record that resolves gitlab.mydomain.com to the IP address of my AWS EC2 instance
- Specified an https address for my install in the form
https://gitlab.mydomain.com
- Followed the instructions to generate an SSH key pair using my own filename for the key
id_rsa_test
Solution (TL;DR)
1. Let’s Encrypt Certificate
- In AWS Route 53, create A records for both the subdomain (gitlab.mydomain.com) and the domain (mydomain.com) that resolve to the server IP address
- Enable the server to accept incoming HTTP requests by adding the following to the gitlab.rb file and running gitlab-ctl reconfigure
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
- Check that the EC2 security group allows inbound TCP 80 as well as 443; the Let’s Encrypt HTTP-01 challenge is answered on port 80
2. SSH
- Use the default key filename
- or create a
~/.ssh/config
file to specify the IdentityFile (key) to be used
What I learned
1. Let’s Encrypt Certificate
- If GitLab’s Omnibus installer can’t obtain a cert from Let’s Encrypt, it generates a self-signed certificate and places it in
/etc/gitlab/ssl
-
When I enabled Let’s Encrypt in the
/etc/gitlab/gitlab.rb
file with
letsencrypt['enable'] = true
and ran
gitlab-ctl reconfigure
, it would fail with a
Validation failed, unable to request certificate
error. There were two causes:
- Let’s Encrypt needs to be able to reach not just the subdomain (gitlab.mydomain.com) but also the domain (mydomain.com).
I had an A record resolving
gitlab.mydomain.com
to the AWS EC2 instance IP address but none for mydomain.com
- Let’s Encrypt needs to be able to reach the domain via HTTP and HTTPS. I was not redirecting HTTP to HTTPS, so nothing answered on port 80. Omnibus requests the certificate with the HTTP-01 challenge, which the CA validates over port 80, so that port has to be served by nginx and allowed through the instance’s security group.
2. SSH
- By running
ssh -Tv git@gitlab.mydomain.com
, I could see that ssh was trying each key from
~/.ssh
against the server. It was only looking for the default key file names such as id_rsa, id_rsa-cert, id_ed25519, etc., so my id_rsa_test key was never offered.
- As a test, I renamed my key file to the default id_rsa and reran
ssh -Tv git@gitlab.mydomain.com
. Result:
Authentication succeeded (publickey).
- In order to use a different name for the key, I followed the instructions to set up a ~/.ssh/config file, and I can now ssh using a ‘non-standard’ key filename.
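The following script is an added example, not code from the original post or from GitLab. It covers both fixes above (the Let’s Encrypt prerequisites and the ~/.ssh/config stanza for a non-default key): it writes a per-host stanza with IdentityFile and IdentitiesOnly, tightens permissions on ~/.ssh, and runs pre-flight checks that the name resolves to the server, that port 80 answers, and which issuer signed the certificate currently being served (a self-signed Omnibus cert shows the host itself as issuer; a Let’s Encrypt one shows O = Let's Encrypt). The host name gitlab.mydomain.com and key name id_rsa_test are taken from the post; the function names and paths are placeholders for this example, and getent, curl and openssl are assumed to be installed. The network checks should be run from outside the instance.

```shell
#!/bin/sh
# Added example, not code from the original post. Host name and key name come
# from the post; function names and paths are placeholders for this example.
set -eu

# Print the ~/.ssh/config stanza that pins a non-default key to one host.
# IdentitiesOnly makes ssh offer only this key instead of walking the
# default names (id_rsa, id_ed25519, ...) that the -v output listed.
ssh_config_stanza() {
  host="$1"; keyfile="$2"
  printf 'Host %s\n    HostName %s\n    User git\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
    "$host" "$host" "$keyfile"
}

# Append the stanza to CFG (normally ~/.ssh/config) unless a stanza for
# HOST already exists, and tighten permissions: ssh ignores a private key
# that is readable by others, and ~/.ssh should not be world-accessible.
install_ssh_config() {
  cfg="$1"; host="$2"; keyfile="$3"
  dir=$(dirname "$cfg")
  mkdir -p "$dir"
  chmod 700 "$dir"
  if [ -f "$cfg" ] && grep -qxF "Host $host" "$cfg"; then
    return 0
  fi
  ssh_config_stanza "$host" "$keyfile" >> "$cfg"
  chmod 600 "$cfg"
  if [ -f "$keyfile" ]; then chmod 600 "$keyfile"; fi
}

# --- Let's Encrypt pre-flight checks (need network; run from outside the
# instance). Omnibus uses the HTTP-01 challenge, so the name must resolve
# to this server and port 80 must answer. getent is assumed (glibc).
dns_points_at() {               # dns_points_at NAME EXPECTED_IP
  got=$(getent hosts "$1" | awk '{print $1; exit}') || true
  [ "${got:-}" = "$2" ]
}

http_port_open() {              # http_port_open NAME -> 0 if port 80 answers
  curl -sS -o /dev/null -m 10 "http://$1/"
}

cert_issuer() {                 # cert_issuer NAME -> issuer DN of the served cert
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -issuer
}

main() {                        # usage: sh script.sh HOST SERVER_IP KEYFILE
  host="$1"; ip="$2"; keyfile="$3"
  # check the subdomain and the domain it hangs off (gitlab.mydomain.com -> mydomain.com)
  for name in "$host" "${host#*.}"; do
    dns_points_at "$name" "$ip" && echo "DNS ok: $name" || echo "DNS MISSING: $name"
  done
  http_port_open "$host" && echo "port 80 ok" \
    || echo "port 80 unreachable (check nginx redirect and the security group)"
  echo "served certificate issuer: $(cert_issuer "$host")"
  install_ssh_config "$HOME/.ssh/config" "$host" "$keyfile"
  # show which key ssh now offers and whether the server accepted it
  ssh -Tv "git@$host" 2>&1 | grep -E 'Offering public key|Authentication succeeded' || true
}

if [ "$#" -eq 3 ]; then main "$@"; fi
```

Run it as sh script.sh gitlab.mydomain.com 203.0.113.10 "$HOME/.ssh/id_rsa_test" (the IP is a documentation placeholder). The stanza is appended only once per host, so the script is safe to re-run after each change to DNS or gitlab.rb.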