I'm trying to install GitLab on my server. I tried installing it through
the gitlab-ce and the gitlab-ee packages, but both failed. So I tried
installing it from source; I can at least bring up the page and connect,
but I'm getting a lot of errors.

I am using SSL and I think HTTPS is well configured, since I can get to the
page and even add SSH keys.

I found the problem.
When I run the command : 
/home/git/gitlab-shell/bin/check

I get the output :
Check GitLab API access: FAILED: Failed to connect to internal API

The gitlab-shell log shows :

time="2018-05-01T17:32:37+02:00" level=warn msg="Failed to connect to internal API" error="SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol" method=GET pid=13377 url="https://127.0.0.1:8080/api/v4/internal/check"

time="2018-05-01T17:32:37+02:00" level=info msg="finished HTTP request" duration=0.00123339 method=GET pid=13377 url="https://127.0.0.1:8080/api/v4/internal/check"

While using curl I found out that http://127.0.0.1:8080 works, but I can't
use it since my server is in https, and using http in the config of
gitlab-shell just returns error 302.

curl with http :

curl http://127.0.0.1:8080/gitslab/api/v4/internal/check 
<html><body>You are being <a href="http://127.0.0.1:8080/users/sign_in">redirected</a>.</body></html>


curl with https:

curl https://127.0.0.1:8080/gitslab/api/v4/internal/check
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.

And the log shows the same thing as the first.

Output of environment info :
sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production


System information
System:        Ubuntu 16.04
Current User:    git
Using RVM:    no
Ruby Version:    2.3.7p456
Gem Version:    2.5.2.3
Bundler Version:1.16.1
Rake Version:    12.3.0
Redis Version:    4.0.9
Git Version:    2.9.5
Sidekiq Version:5.0.5
Go Version:    go1.8.3 linux/amd64

GitLab information
Version:    10.7.1
Revision:    d4fcc8a
Directory:    /home/git/gitlab
DB Adapter:    postgresql
URL:        https://redval.sytes.net/gitlab/
HTTP Clone URL:    https://redval.sytes.net/gitlab/some-group/some-project.git
SSH Clone URL:    g...@redval.sytes.net:some-group/some-project.git
Using LDAP:    no
Using Omniauth:    no

GitLab Shell
Version:    7.1.2
Repository storage paths:
- default:     /home/git/repositories
Hooks:        /home/git/gitlab-shell/hooks
Git:        /usr/local/bin/git




Output of check
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production

Checking GitLab Shell ...

GitLab Shell version >= 7.1.2 ? ... OK (7.1.2)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:root, or git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ... 
reda / trying ... repository is empty
Running /home/git/gitlab-shell/bin/check
Check GitLab API access: /home/git/gitlab-shell/lib/gitlab_net.rb:233:in `add_file': system lib (OpenSSL::X509::StoreError)
    from /home/git/gitlab-shell/lib/gitlab_net.rb:233:in `cert_store'
    from /home/git/gitlab-shell/lib/gitlab_net.rb:166:in `http_client_for'
    from /home/git/gitlab-shell/lib/gitlab_net.rb:197:in `request'
    from /home/git/gitlab-shell/lib/gitlab_net.rb:220:in `get'
    from /home/git/gitlab-shell/lib/gitlab_net.rb:92:in `check'
    from /home/git/gitlab-shell/bin/check:12:in `<main>'
gitlab-shell self-check failed
  Try fixing it:
  Make sure GitLab is running;
  Check the gitlab-shell configuration file:
  sudo -u git -H editor /home/git/gitlab-shell/config.yml
  Please fix the error above and rerun the checks.

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Reply by email is disabled in config/gitlab.yml
Checking LDAP ...

LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Init script exists? ... yes
Init script up-to-date? ... yes
Projects have namespace: ... 
reda / trying ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.3.7)
Git version >= 2.9.5 ? ... yes (2.9.5)
Git user has default SSH configuration? ... yes
Active users: ... 2

Checking GitLab ... Finished



config files are attached.

If I have to supply any more information please let me know.


Attachment: gitlab.yml
Description: Binary data

Attachment: gitlab-shell-config.yml
Description: Binary data

## GitLab
##
## Modified from nginx http version
## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
##        CONTRIBUTING          ##
##################################
##
## If you change this file in a Merge Request, please also create
## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
##
###################################
##         configuration         ##
###################################
##
## See installation.md#using-https for additional HTTPS configuration details.

upstream gitlab-workhorse {
  # Gitlab socket file,
  # for Omnibus this would be: unix:/var/opt/gitlab/gitlab-workhorse/socket
  server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
}

map $http_upgrade $connection_upgrade_gitlab_ssl {
    default upgrade;
    ''      close;
}


## NGINX 'combined' log format with filtered query strings
log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"';

## Remove private_token from the request URI
# In:  /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
map $request_uri $gitlab_ssl_temp_request_uri_1 {
  default $request_uri;
  ~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

## Remove authenticity_token from the request URI
# In:  /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
  default $gitlab_ssl_temp_request_uri_1;
  ~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

## Remove rss_token from the request URI
# In:  /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&...
map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
  default $gitlab_ssl_temp_request_uri_2;
  ~(?i)^(?<start>.*)(?<temp>[\?&]rss[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

## A version of the referer without the query string
map $http_referer $gitlab_ssl_filtered_http_referer {
  default $http_referer;
  ~^(?<temp>.*)\? $temp;
}


## Redirects all HTTP traffic to the HTTPS host
server {
  ## Either remove "default_server" from the listen line below,
  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  ## to be served if you visit any address that your server responds to, eg.
  ## the ip address of the server (http://x.x.x.x/)
  listen 80;
  listen [::]:80 ipv6only=on default_server;
  server_name host-001; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://$http_host$request_uri;
  access_log  /var/log/nginx/gitlab_access.log gitlab_ssl_access;
  error_log   /var/log/nginx/gitlab_error.log;
}

## HTTPS host
server {
  listen 443 ssl;
  listen [::]:443 ipv6only=on ssl default_server;
  server_name host-001; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl on;
  ssl_certificate /etc/letsencrypt/live/redval.sytes.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/redval.sytes.net/privkey.pem;

  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  ## See app/controllers/application_controller.rb for headers set

  ## [Optional] If your certificate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
  ## Replace with your ssl_trusted_certificate. For more info see:
  ## - https://medium.com/devops-programming/4445f4862461
  ## - https://www.ruby-forum.com/topic/4419319
  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
  # ssl_stapling on;
  # ssl_stapling_verify on;
  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
  # resolver_timeout 5s;

  ## [Optional] Generate a stronger DHE parameter:
  ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
  ##
  # ssl_dhparam /etc/ssl/certs/dhparam.pem;

  ## [Optional] Enable HTTP Strict Transport Security
  # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
  real_ip_recursive off;    ## If you enable 'on'
  ## If you have a trusted IP address, uncomment it and set it
  # set_real_ip_from YOUR_TRUSTED_ADDRESS; ## Replace this with something like 192.168.1.0/24

  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/nginx/gitlab_access.log gitlab_ssl_access;
  error_log   /var/log/nginx/gitlab_error.log;

  location / {
    client_max_body_size 0;
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    Upgrade             $http_upgrade;
    proxy_set_header    Connection          $connection_upgrade_gitlab_ssl;

    proxy_pass http://gitlab-workhorse;
  }

  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  error_page 503 /503.html;
  location ~ ^/(404|422|500|502|503)\.html$ {
    # Location to the Gitlab's public directory,
    # for Omnibus this would be: /opt/gitlab/embedded/service/gitlab-rails/public
    root /home/git/gitlab/public;
    internal;
  }
}
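
Added example, not part of the original post and not gitlab-shell code: the gitlab-shell warning quoted earlier in this message is what OpenSSL reports when a TLS handshake is attempted against a listener that answers with something other than a TLS record, which agrees with the post's own curl result that plain http:// works on 127.0.0.1:8080. The Ruby sketch below parses such logfmt lines and flags https:// URLs that hit a non-TLS listener; the helper names, the second sample line and the "wrong version number" pattern (the wording newer OpenSSL releases use for the same condition) are assumptions of this example.

```ruby
require 'uri'

# Constructed sample. Line 1 is the warning quoted in the post, re-joined onto
# one line; line 2 is a made-up healthy request, added for contrast.
SAMPLE_LOG = <<~'LOG'
  time="2018-05-01T17:32:37+02:00" level=warn msg="Failed to connect to internal API" error="SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol" method=GET pid=13377 url="https://127.0.0.1:8080/api/v4/internal/check"
  time="2018-05-01T17:40:02+02:00" level=info msg="finished HTTP request" duration=0.0312 method=GET pid=13401 url="http://127.0.0.1:8080/api/v4/internal/check"
LOG

# OpenSSL wording for "the peer's first bytes were not a TLS record".
# "wrong version number" is an assumption added here, not taken from the post.
NOT_TLS = /unknown protocol|wrong version number/i

# Parse one logfmt line (key=value or key="quoted value") into a Hash.
def parse_logfmt(line)
  line.scan(/(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))/).to_h do |key, quoted, bare|
    [key, quoted ? quoted.gsub(/\\(.)/, '\1') : bare]
  end
end

# Return one finding per log entry where a request to an https:// URL failed
# because the listener did not speak TLS.
def tls_mismatches(log_text)
  log_text.each_line.filter_map do |line|
    entry = parse_logfmt(line)
    next unless NOT_TLS.match?(entry['error'].to_s)

    uri = begin
      URI.parse(entry['url'].to_s)
    rescue URI::InvalidURIError
      nil
    end
    next unless uri&.scheme == 'https'

    { time: entry['time'], endpoint: "#{uri.host}:#{uri.port}",
      finding: 'https:// URL, but the listener did not answer with TLS' }
  end
end

puts tls_mismatches(SAMPLE_LOG) if __FILE__ == $PROGRAM_NAME
```
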
