Registry nginx.conf generated incorrectly
Summary
When I enable registry_nginx['redirect_http_to_https'] = true
and run gitlab-ctl reconfigure,
it generates the file /var/opt/gitlab/nginx/conf/gitlab-registry.conf
incorrectly, and when Let's Encrypt tries to access the challenges it gets a 301 status with an incorrect URL.
Steps to reproduce
Enable registry_nginx['redirect_http_to_https'] = true
in the file /etc/gitlab/gitlab.rb
Run gitlab-ctl reconfigure
Try to renew the Let's Encrypt certs and take a look at the logs.
64.78.149.164 - - [27/Feb/2018:14:16:37 -0300] "GET /.well-known/acme-challenge/YoknUC1YkEB3RyDO3oUOnIF3mBMFj987GSheDuxGOu8 HTTP/1.1" 301 178 "" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
And now take a look at /var/opt/gitlab/nginx/conf/gitlab-registry.conf.
You should see:
## Redirects all HTTP traffic to the HTTPS host
server {
  listen *:80;
  server_name reg-gitlab.brx.srv.br;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://$http_host:$request_uri;
  access_log /var/log/gitlab/nginx/gitlab_registry_access.log gitlab_access;
  error_log /var/log/gitlab/nginx/gitlab_registry_error.log;
}
But it should look like:
## Redirects all HTTP traffic to the HTTPS host
server {
  listen *:80;
  server_name reg-gitlab.brx.srv.br;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://$http_host:443$request_uri;
  access_log /var/log/gitlab/nginx/gitlab_registry_access.log gitlab_access;
  error_log /var/log/gitlab/nginx/gitlab_registry_error.log;
}
and include the port, as we can check in /var/opt/gitlab/nginx/conf/gitlab-http.conf:
## Redirects all HTTP traffic to the HTTPS host
server {
  listen *:80;
  server_name gitlab.brx.srv.br;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  location / {
    return 301 https://gitlab.brx.srv.br:443$request_uri;
  }
  access_log /var/log/gitlab/nginx/gitlab_access.log gitlab_access;
  error_log /var/log/gitlab/nginx/gitlab_error.log;
}
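As an added check (example code written for this report, not code from GitLab or nginx), the script below pulls every return 30x directive out of a generated server block, substitutes $http_host and $request_uri the way nginx would for the request shown in the access log above, and validates the resulting URL. The embedded config, the hostname and the acme-challenge token are constructed from the report. The bare https://$http_host:$request_uri line yields the empty-port URL https://reg-gitlab.brx.srv.br:/... seen in the certbot error, while the :443 form passes. The check also covers one caveat that goes beyond the report: $http_host is the raw Host header, so a client that sends Host: reg-gitlab.brx.srv.br:80 turns $http_host:443 into a doubled port, which the validator flags as well.

```python
"""Lint the HTTP->HTTPS redirect in a generated nginx config by expanding
nginx's $http_host and $request_uri as nginx would and validating the URL.
Added example for this issue, not code from GitLab or nginx."""

import re
from urllib.parse import urlsplit

# Constructed sample: the port-80 server block the report says
# gitlab-ctl reconfigure writes into gitlab-registry.conf.
GENERATED_CONF = """\
## Redirects all HTTP traffic to the HTTPS host
server {
  listen *:80;
  server_name reg-gitlab.brx.srv.br;
  server_tokens off;
  return 301 https://$http_host:$request_uri;
}
"""

# Matches `return 301|302|307|308 <target>;` on its own line.
RETURN_RE = re.compile(r"^\s*return\s+(30[1278])\s+(\S+?);?\s*$", re.MULTILINE)


def find_redirects(conf_text):
    """Return the target expression of every redirecting `return` directive."""
    return [m.group(2) for m in RETURN_RE.finditer(conf_text)]


def expand(target, http_host, request_uri):
    """Substitute the two nginx variables the redirect uses. $http_host is the
    raw Host header (it keeps a port if the client sent one); $request_uri is
    the original path including any query string."""
    return target.replace("$http_host", http_host).replace("$request_uri", request_uri)


def url_problems(url):
    """List what an HTTP client such as an ACME validator would reject in
    `url`. An empty list means the redirect target is well-formed."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme %r is not https" % parts.scheme)
    host, colon, port = parts.netloc.partition(":")
    if not host:
        problems.append("empty host")
    if colon and not port:
        problems.append("':' with no port number after the host")
    elif port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("port %r is not a valid TCP port" % port)
    if not parts.path.startswith("/"):
        problems.append("path %r does not start with '/'" % parts.path)
    return problems


def check_conf(conf_text, http_host="reg-gitlab.brx.srv.br",
               request_uri="/.well-known/acme-challenge/TOKEN"):
    """Expand and validate every redirect in conf_text for one simulated
    request. Returns a list of (target_expression, expanded_url, problems)."""
    results = []
    for target in find_redirects(conf_text):
        url = expand(target, http_host, request_uri)
        results.append((target, url, url_problems(url)))
    return results


if __name__ == "__main__":
    for target, url, problems in check_conf(GENERATED_CONF):
        status = "OK" if not problems else "BAD: " + "; ".join(problems)
        print("%s -> %s\n  %s" % (target, url, status))
```

Run it against the real file with check_conf(open("/var/opt/gitlab/nginx/conf/gitlab-registry.conf").read()) after a reconfigure; a non-empty problem list on the port-80 block is the condition this report describes.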
What is the current bug behavior?
Let's Encrypt receives a wrong redirect URL and cannot reach the challenge on the server:
Attempting to renew cert (gitlab.brx.srv.br) from /etc/letsencrypt/renewal/gitlab.brx.srv.br.conf produced an unexpected error: Failed authorization procedure. reg-gitlab.brx.srv.br (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://reg-gitlab.brx.srv.br:/.well-known/acme-challenge/qyml0UqEqNelK7AHlgOWJmj7hMRGpRc1Cf9BTvcpPQw: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gitlab.brx.srv.br/fullchain.pem (failure)
What is the expected correct behavior?
The reconfigure command generates the HTTP to HTTPS redirect correctly.