registry redirect from http to https without port
GitLab Container Registry's nginx does not include the port number when redirecting from http to https.
So certbot renew failed.
The first run (sudo certbot certonly --webroot --webroot-path=/var/www/letsencrypt -d registry.example.jp) succeeded, because registry_external_url is http only (see below).
- OS: Ubuntu 16.04.2 LTS
- version: 9.4.0-ce.0
Relevant sections of /etc/gitlab/gitlab.rb:
if File.exist?("/etc/letsencrypt/live/#{registry_domain}/fullchain.pem")
  registry_external_url "https://#{registry_domain}"
  registry_nginx['redirect_http_to_https'] = true
  registry_nginx['ssl_certificate'] = "/etc/letsencrypt/live/#{registry_domain}/fullchain.pem"
  registry_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/#{registry_domain}/privkey.pem"
else
  registry_external_url "http://#{registry_domain}"
end
registry_nginx['custom_gitlab_server_config'] = 'location ^~ /.well-known { root /var/www/letsencrypt; }'
HTTP response (modified host and IP):
% curl -v 'http://registry.example.jp'
* Rebuilt URL to: http://registry.example.jp/
* Hostname was NOT found in DNS cache
* Trying XX.XX.XX.XX...
* Connected to registry.example.jp (XX.XX.XX.XX) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: registry.example.jp
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
* Server nginx is not blacklisted
< Server: nginx
< Date: Tue, 25 Jul 2017 01:27:12 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://registry.example.jp:/
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host registry.example.jp left intact
I tried to change registry_external_url "https://#{registry_domain}:443" and run sudo gitlab-ctl reconfigure, but Location does not change.
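
A pre-renewal check for the redirect reported above, as an added example that is not part of the original issue or of GitLab: it parses a response header block and flags a `Location` whose authority ends in a bare `:`. The function names and sample headers are assumptions, constructed from the curl transcript in the report; bracketed IPv6 hosts are not handled.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: response headers modelled on the curl transcript above.
SAMPLE_BROKEN = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Location: https://registry.example.jp:/\r\n"
    "\r\n"
)
# Same response with the stray ':' removed from the authority.
SAMPLE_OK = SAMPLE_BROKEN.replace("registry.example.jp:/", "registry.example.jp/")


def location_header(raw_headers):
    """Return the Location value from raw headers (plain or `curl -v` style)."""
    m = re.search(r"^(?:< )?Location:[ \t]*(\S+)", raw_headers, re.I | re.M)
    return m.group(1) if m else None


def check_redirect(raw_headers, expected_host):
    """Return a list of problems with the http -> https redirect target."""
    loc = location_header(raw_headers)
    if loc is None:
        return ["no Location header"]
    parts = urlsplit(loc)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is %r, expected https" % parts.scheme)
    # urlsplit().port reports None for an empty port, so inspect netloc directly.
    hostport = parts.netloc.rpartition("@")[2]
    host, colon, port = hostport.partition(":")
    if colon and not port:
        problems.append("empty port after ':' in %r" % parts.netloc)
    elif colon and not port.isdigit():
        problems.append("non-numeric port %r" % port)
    if host.lower() != expected_host.lower():
        problems.append("host %r differs from %r" % (host, expected_host))
    return problems


if __name__ == "__main__":
    for name, sample in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        print(name, check_redirect(sample, "registry.example.jp"))
```

Against a live host, the header block can come from `curl -sI http://registry.example.jp/` and be passed to `check_redirect` unchanged.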