Docker-gitlab: SSL does not work

Created on 11 Sep 2014 · 11 Comments · Source: sameersbn/docker-gitlab

Hi, I have followed the installation instructions; everything works except for https access.

I have a firewall with port forwarding:

Firewall              Host                      Dock
35443         ->      35443         ->          443
3580          ->      3580          ->           80
3522          ->      3522          ->           22

My relevant environment vars:

GITLAB_HOST=my-public-host
GITLAB_PORT=35443
GITLAB_SSH_PORT=3522
GITLAB_HTTPS=true
SSL_SELF_SIGNED=true

http://my-public-host:3580/ Works perfect, but doesn't redirect to https

https://my-public-host:35443/ shows ERR_CONNECTION_REFUSED

curl attempts:

curl -v https://my-public-host:35443/
* About to connect() to my-public-host port 35443 (#0)
*   Trying 127.0.0.1... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to my-public-host:35443 
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to my-public-host:35443 


All 11 comments

@mnesarco Couple of questions

  • Have you installed the SSL certificates for the container.
  • Are you using a load balancer (probably not)
  • Does https access work on the host
  • What version of the image are you using
  • When you say http://my-public-host:3580/ works perfect, do you mean you are able to access the application at that address or do you mean it tries to redirect to https and it fails at that point.

Hi Sameer,

On Thu, Sep 11, 2014 at 11:24 PM, Sameer Naik [email protected]
wrote:

@mnesarco https://github.com/mnesarco Couple of questions

  • Have you installed the SSL certificates for the container.

Yes, I have generated the certificate following the instructions and
copied it to /opt/gitlab/data/certs and changed the permissions of the
key....

  • Are you using a load balancer (probably not)

No

  • Does https access work on the host

No

curl -v https://127.0.0.1:35443/
* About to connect() to 127.0.0.1 port 35443 (#0)
*   Trying 127.0.0.1... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to 127.0.0.1:35443
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to 127.0.0.1:35443

curl -v http://127.0.0.1:3580/
* About to connect() to 127.0.0.1 port 3580 (#0)
*   Trying 127.0.0.1... connected
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: 127.0.0.1:3580
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 12 Sep 2014 13:53:19 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Status: 302 Found
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Location: http://127.0.0.1:3580/users/sign_in
< Cache-Control: no-cache
< Set-Cookie: _gitlab_session=8e97bd22b7baf934a10b5330b3f8b0c2; path=/; HttpOnly
< Set-Cookie: request_method=GET; path=/
< X-Request-Id: 205bacd7-ae38-4507-9e03-357f457962a9
< X-Runtime: 0.090766
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0

  • What version of the image are you using

sameersbn/gitlab:latest

  • When you say http://my-public-host:3580/ works perfect, do you mean
    you are able to access the application at that address or do you mean it
    tries to redirect to https and it fails at that point.

I mean, I am able to access the application and create some users, groups,
projects .... but there is one problem (probably related): The origin of
the project is at localhost instead of my-public-host:

git@localhost:root/x.git

Also if I upload an avatar image, it tries to load it from localhost in the
profile view.

My env:

GITLAB_HOST=my-public-host
GITLAB_PORT=35443
[email protected]
GITLAB_SIGNUP=false
GITLAB_SIGNIN=true
GITLAB_PROJECTS_LIMIT=100
GITLAB_USERNAME_CHANGE=false
GITLAB_PROJECTS_VISIBILITY=private
GITLAB_BACKUPS=daily
GITLAB_SSH_PORT=3522
GITLAB_HTTPS=true
SSL_SELF_SIGNED=true

Frank D. Martínez M.

@mnesarco couple of things don't make sense at all to me.

  1. when GITLAB_HTTPS=true accessing the application at the http:// address should redirect you to the https:// page. Your above curl output suggests that it stays on http://
  2. again you should not be able to access the application at the http:// address and be able to create users, etc.
  3. the displayed urls should be of the form ssh://git@my-public-host:3522 and not git@localhost:root/x.git. The default GITLAB_HOST is localhost.

All this leads me to believe that none of the environment variables are actually being set. How have you specified the environment variables for the image, are you using the -e 'VARIABLE=value' flags or are you using the --env-file flag for the docker run command?

If you are using the --env-file option to specify the environment variables for the image, then make sure in the file you have not specified the variable in quotes or anything, i.e.

_the correct way_

GITLAB_HTTPS=true
GITLAB_HOST=my-public-host

_the wrong way_

GITLAB_HTTPS="true"
GITLAB_HOST="my-public-host"

If this is not the case then I'd suggest you paste in your run command (you can mask out the passwords and other sensitive parameters)
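The quoted-value pitfall in an --env-file described above, as an added example that is not part of the original thread or the docker-gitlab project: a small shell lint, assuming `docker run --env-file` hands everything after the first `=` to the container literally, quotes included. The function name `lint_env_file` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Lint a file meant for `docker run --env-file`.
# Assumption: the value is taken literally, so GITLAB_HTTPS="true" reaches
# the container as the six characters "true" (with the quotes), not true.
# Usage: lint_env_file FILE
# Prints one line per offending entry; returns 1 if any were found, else 0.
lint_env_file() {
    file=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;   # blank lines and comments carry no variable
        esac
        case $line in
            *=*) ;;
            *) continue ;;         # bare NAME: value comes from the caller's environment
        esac
        name=${line%%=*}           # text before the first '='
        value=${line#*=}           # everything after the first '=', untouched
        case $value in
            \"*\"|\'*\')
                printf '%s:%d: %s value includes literal quotes: %s\n' \
                    "$file" "$n" "$name" "$value"
                bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Constructed sample: the "wrong way" file from the comment above.
sample=$(mktemp)
printf '%s\n' '# gitlab settings' \
    'GITLAB_HTTPS="true"' \
    'GITLAB_HOST="my-public-host"' \
    'GITLAB_PORT=35443' > "$sample"
lint_env_file "$sample" || echo "fix the lines above before starting the container"
rm -f "$sample"
```
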

docker run --name=gitlab -d -p 3522:22 -p 3580:80 -p 35443:443 -e 'GITLAB_HOST=my-public-host' -e 'DB_TYPE=postgres' -e 'DB_HOST=192.168.0.102' -e 'DB_NAME=gitlabhq_production' -e 'DB_USER=gitlab' -e 'DB_PASS=yyy' -e 'GITLAB_SSH_PORT=3522' -e 'GITLAB_PORT=35443' -e 'SMTP_ENABLED=true' -e 'SMTP_DOMAIN=yyy.com' -e 'SMTP_HOST=zzzz.com' -e 'SMTP_PORT=465' -e 'SMTP_USER=uuu' -e 'SMTP_PASS=aaaa' -e 'GITLAB_HTTPS=true' -e 'SSL_SELF_SIGNED=true' -v /opt/gitlab/data:/home/git/data sameersbn/gitlab:latest

@mnesarco the command you pasted above has a stray -e flag just before the -v flag. But I think that is a typo.

I just tried your command and had no problems. Can you try:

docker run --name=gitlab -it --rm \
-p 3522:22 -p 3580:80 -p 35443:443 \
-e 'GITLAB_HOST=my-public-host' \
-e 'GITLAB_SSH_PORT=3522' \
-e 'GITLAB_PORT=35443' \
-e 'GITLAB_HTTPS=true' \
-e 'SSL_SELF_SIGNED=true' \
-e 'DB_TYPE=postgres' \
-e 'DB_HOST=192.168.0.102' \
-e 'DB_NAME=gitlabhq_production' \
-e 'DB_USER=gitlab' \
-e 'DB_PASS=yyy' \
-v /opt/gitlab/data:/home/git/data \
sameersbn/gitlab:latest

I have removed the SMTP parts as they are not relevant here. It might probably not make any difference to your case. Next please try the same command with printenv appended to it.

docker run --name=gitlab -it --rm \
-p 3522:22 -p 3580:80 -p 35443:443 \
-e 'GITLAB_HOST=my-public-host' \
-e 'GITLAB_SSH_PORT=3522' \
-e 'GITLAB_PORT=35443' \
-e 'GITLAB_HTTPS=true' \
-e 'SSL_SELF_SIGNED=true' \
-e 'DB_TYPE=postgres' \
-e 'DB_HOST=192.168.0.102' \
-e 'DB_NAME=gitlabhq_production' \
-e 'DB_USER=gitlab' \
-e 'DB_PASS=yyy' \
-v /opt/gitlab/data:/home/git/data \
sameersbn/gitlab:latest printenv

This would print the bash environment variables, so in the output you should see something like:

HOSTNAME=a521d3ebd422
TERM=xterm
GITLAB_SSH_PORT=3522
SSL_SELF_SIGNED=true
GITLAB_PORT=35443
GITLAB_HTTPS=true
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/home/git/gitlab
HOME=/
SHLVL=2
GITLAB_HOST=my-public-host
DEBIAN_FRONTEND=noninteractive
_=/usr/bin/printenv

As you can see the GITLAB_SSH_PORT, GITLAB_HTTPS, etc. (_variables that were set using the -e options_) are all present in the bash environment. If you don't see these then something has gone terribly wrong.

If that is the case my suggestion would be to try removing all gitlab images, repull and retry. i.e.

docker rmi sameersbn/ubuntu:14.04.20140818
docker rmi $(docker images | grep 'sameersbn/gitlab' | awk '{print $3}')

This will remove all gitlab images and the base ubuntu image on which the image is built upon. Please make sure that all gitlab images have been removed by inspecting the output of the docker images command.

Next pull the latest gitlab image from the index and retry.

docker pull sameersbn/gitlab:latest

Also can you tell the docker version and the host OS you are using?

@mnesarco I wonder if the shell you are using matters. Are you using a shell other than bash?

This is the output (some masked):

root@d89b3764f314:/home/git/gitlab# printenv
HOSTNAME=d89b3764f314
DB_HOST=XXXXXXXX
DB_NAME=gitlabhq_production
TERM=xterm
DB_PASS=XXXXXXXXX
SSL_DHPARAM_PATH=/home/git/data/certs/dhparam.pem
GITLAB_SSH_PORT=3522
DB_TYPE=postgres
SSL_SELF_SIGNED=true
SSL_KEY_PATH=/home/git/data/certs/gitlab.key
GITLAB_PORT=35443
SMTP_PORT=465
SMTP_USER=XXXXXXX
SMTP_PASS=XXXXXX
SMTP_ENABLED=true
SMTP_DOMAIN=XXXXXX
GITLAB_HTTPS=true
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/home/git/gitlab
SMTP_HOST=XXXXXXX
HOME=/
SHLVL=2
GITLAB_HOST=my-public-host
DB_USER=gitlab
DEBIAN_FRONTEND=noninteractive
SSL_CERTIFICATE_PATH=/home/git/data/certs/gitlab.crt
_=/usr/bin/printenv

I am using:

Linux ubunto1 3.8.0-44-generic #66~precise1-Ubuntu SMP Tue Jul 15 04:01:04 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Docker version 1.2.0, build fa7b24f

sameersbn/gitlab latest 540902193ced 30 hours ago 988.2 MB

@mnesarco looks alright. can you append bash to the docker command and then inspect the contents of the gitlab.yml file

vim.tiny /home/git/gitlab/config/gitlab.yml

This means ubuntu 12.04 right?

Linux ubunto1 3.8.0-44-generic #66~precise1-Ubuntu SMP Tue Jul 15 04:01:04 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

@sameersbn Yes, it is ubuntu 12.04. What part of the gitlab.yml do I have to review?

  ## GitLab settings
  gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
    host: "my-public-host"
    port: 35443
    https: true

@sameersbn I have removed the quotations around the environment vars and now it redirects, but the container shuts down immediately after the redirect:

CONTAINER ID        IMAGE                     COMMAND                CREATED             STATUS                      PORTS               NAMES
f07b4e4f73d2        sameersbn/gitlab:latest   "/app/init app:start   38 seconds ago      Exited (1) 11 seconds ago                       gitlab 

@sameersbn Finally removing single quotes solved the problem.

Wrong way:

-e 'GITLAB_HOST=xxxx'

Right way:

-e GITLAB_HOST=xxxx
