Merge pull request #46 from craph/main

Fix: Missing certificate signed by unknown authority refs: https://gi
Elisabeth Kulzer 2021-10-12 15:58:09 +02:00 committed by GitHub
commit 724a812bed
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 19 additions and 6 deletions


@ -64,20 +64,28 @@ mkdir -p ./volumes/web/cert
cp PATH-TO-CERT.PEM ./volumes/web/cert/cert.pem cp PATH-TO-CERT.PEM ./volumes/web/cert/cert.pem
cp PATH-TO-KEY.PEM ./volumes/web/cert/key-no-password.pem cp PATH-TO-KEY.PEM ./volumes/web/cert/key-no-password.pem
``` ```
#### 5.2 Configure SSO with GitLab
If you are looking for SSO with GitLab and you use self signed certificate you have to add the PKI chain of your authority in app because Alpine doesn't know him. This is required to avoid **Token request failed: certificate signed by unknown authority**
#### 5.2 Let's Encrypt For that uncomment this line :
```
# - ${GITLAB_PKI_CHAIN_PATH}:/etc/ssl/certs/pki_chain.pem:ro
```
#### 5.3 Let's Encrypt
For using Let's Encrypt you can use this Bash script located in scripts/issue-certificate.sh (or follow the steps in docs/issuing-letsencrypt-certificate.md). Make sure to adjust `mm.example.com` to match your domain configured in step 2. For using Let's Encrypt you can use this Bash script located in scripts/issue-certificate.sh (or follow the steps in docs/issuing-letsencrypt-certificate.md). Make sure to adjust `mm.example.com` to match your domain configured in step 2.
``` ```
bash scripts/issue-certificate.sh -d mm.example.com -o ${PWD}/certs bash scripts/issue-certificate.sh -d mm.example.com -o ${PWD}/certs
``` ```
Otherwise please consult the Certbot [documentation](https://certbot.eff.org/instructions) on how to issue a standalone certificate and ensure the paths to the certificate and key are correctly set in your *.env*. Otherwise please consult the Certbot [documentation](https://certbot.eff.org/instructions) on how to issue a standalone certificate and ensure the paths to the certificate and key are correctly set in your *.env*.
#### 5.3 Adjusting the `.env` file. #### 5.4 Adjusting the `.env` file.
Once you've completed 5.1 or 5.2 you'll need to adjust the `.env` file accordingly. With 5.1 verify the first two lines below are uncommented in the `.env` file, with 5.2 comment out the first two lines and uncomment the last two lines. Once you've completed 5.1 or 5.2 or 5.3 you'll need to adjust the `.env` file accordingly. With 5.1 verify the first two lines below are uncommented in the `.env` file, with 5.2 uncomment the third line and put the correct path for your pki chain, with 5.3 comment out the first two lines and uncomment the last two lines.
``` ```
CERT_PATH=./volumes/web/cert/cert.pem CERT_PATH=./volumes/web/cert/cert.pem
KEY_PATH=./volumes/web/cert/key-no-password.pem KEY_PATH=./volumes/web/cert/key-no-password.pem
#GITLAB_PKI_CHAIN_PATH=<path_to_your_gitlab_pki>/pki_chain.pem
#CERT_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/fullchain.pem #CERT_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
#KEY_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/privkey.pem #KEY_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/privkey.pem
``` ```
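Review bot: the README ends up with two "5.2" headings in this hunk: the new "#### 5.2 Configure SSO with GitLab" is followed by the leftover "#### 5.2 Let's Encrypt" fragment (now glued to "For that uncomment this line :") before the renumbered "#### 5.3 Let's Encrypt"; the old heading line should be deleted so the "For that uncomment this line :" sentence stands on its own under 5.2, matching the "5.1 or 5.2 or 5.3" numbering used in 5.4. Wording in the 5.2 paragraph also needs a pass: "because Alpine doesn't know him" should read "because the Alpine image does not trust it", and "self signed certificate" is imprecise here, since a chain file only exists when GitLab's certificate was issued by an internal or private CA; saying so tells readers which file to mount. Finally, 5.4 tells users to uncomment the GITLAB_PKI_CHAIN_PATH line, but the instruction to also uncomment the matching volume line in the compose file (shown in 5.2) is only implied; stating both steps together would avoid a compose volume that points at an unset variable.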


@ -21,9 +21,13 @@ services:
- ${CERT_PATH}:/cert.pem:ro - ${CERT_PATH}:/cert.pem:ro
- ${KEY_PATH}:/key.pem:ro - ${KEY_PATH}:/key.pem:ro
- shared-webroot:/usr/share/nginx/html - shared-webroot:/usr/share/nginx/html
# When you want to use SSO with GitLab, you have to add the cert pki chain of GitLab inside Alpine
# to avoid Token request failed: certificate signed by unknown authority
# (link: https://github.com/mattermost/mattermost-server/issues/13059 and https://github.com/mattermost/docker/issues/34)
# - ${GITLAB_PKI_CHAIN_PATH}:/etc/ssl/certs/pki_chain.pem:ro
environment: environment:
# timezone inside container # timezone inside container
- TZ - TZ: ${TZ}
ports: ports:
- ${HTTPS_PORT}:443 - ${HTTPS_PORT}:443
- ${HTTP_PORT}:80 - ${HTTP_PORT}:80
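Review bot: the new pki_chain.pem mount is placed in the service whose other volumes are the nginx webroot (`shared-webroot:/usr/share/nginx/html`) and whose ports are 443/80, i.e. the reverse proxy, while the "Token request failed: certificate signed by unknown authority" error in the comment is raised by the Mattermost server when it exchanges the OAuth code with GitLab; please confirm the chain is mounted into the container that actually makes that request, otherwise the fix will not take effect. Separately, the `- TZ` to `- TZ: ${TZ}` change in the same hunk turns a list-form environment entry into a YAML mapping inside a list, which Compose rejects for `environment` (list items must be strings); if the intent is to pass the host value explicitly, use `- TZ=${TZ}`, or keep `- TZ`, which already forwards the variable from the shell environment. This change is also unrelated to the certificate fix in the commit message and would be clearer as its own commit.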


@ -18,7 +18,7 @@ services:
- ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data
environment: environment:
# timezone inside container # timezone inside container
- TZ - TZ: ${TZ}
# necessary Postgres options/variables # necessary Postgres options/variables
- POSTGRES_USER - POSTGRES_USER
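Review bot: same problem as in the nginx service: `- TZ: ${TZ}` is a list item holding a mapping, not a `KEY=VALUE` string, so Compose will refuse this `environment` block; it should be `- TZ=${TZ}` (or left as `- TZ`, which is consistent with the `- POSTGRES_USER` style used on the next lines).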
@ -45,7 +45,7 @@ services:
- ${MATTERMOST_CLIENT_PLUGINS_PATH}:/mattermost/client/plugins:rw - ${MATTERMOST_CLIENT_PLUGINS_PATH}:/mattermost/client/plugins:rw
environment: environment:
# timezone inside container # timezone inside container
- TZ - TZ: ${TZ}
# necessary Mattermost options/variables (see env.example) # necessary Mattermost options/variables (see env.example)
- MM_SQLSETTINGS_DRIVERNAME - MM_SQLSETTINGS_DRIVERNAME
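Review bot: `- TZ: ${TZ}` here has the same invalid list-item shape as in the other two services and should be `- TZ=${TZ}` (or the original `- TZ`, matching the surrounding `- MM_SQLSETTINGS_DRIVERNAME` entries); since all three services are changed identically, fixing one and not the others would leave the stack failing to start.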


@ -37,6 +37,7 @@ NGINX_DHPARAMS_FILE=./nginx/dhparams4096.pem
CERT_PATH=./volumes/web/cert/cert.pem CERT_PATH=./volumes/web/cert/cert.pem
KEY_PATH=./volumes/web/cert/key-no-password.pem KEY_PATH=./volumes/web/cert/key-no-password.pem
#GITLAB_PKI_CHAIN_PATH=<path_to_your_gitlab_pki>/pki_chain.pem
#CERT_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/fullchain.pem #CERT_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
#KEY_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/privkey.pem #KEY_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/privkey.pem
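Review bot: the new `#GITLAB_PKI_CHAIN_PATH=<path_to_your_gitlab_pki>/pki_chain.pem` entry sits between the two certificate blocks without a comment saying it belongs to the GitLab SSO case only; a one-line comment above it (as the Let's Encrypt lines have in the README) would keep users from uncommenting it together with the CERT_PATH/KEY_PATH pair. It would also help to state that the file must contain the full CA chain in PEM format, since the placeholder name alone does not say what the file should hold.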