roshkatetecson's picture

Hi,

Just want to ask how I can renew the self-signed certificate of my TurnKey GitLab appliance. The certificate is auto-renewed when I access it via LAN IP, but if I access it via its hostname, the certificate is already expired.

Using Let's Encrypt is not an option for us since we're only using it internally.

Jeremy Davis's picture

Hmm, that seems weird. The default self-signed cert that is generated at firstboot should be valid for many years... Regardless, it should be easy to regenerate a new one.

We include a convenience script 'turnkey-make-ssl-cert'. Hopefully its help assists you to work out what options you might like to select:

# turnkey-make-ssl-cert --help

turnkey-make-ssl-cert ver. 1.3
"Make server cert for TurnKey GNU/Linux appliance"

Usage: turnkey-make-ssl-cert [-o|--out file] [-t|--template file] [-i|--ip] [-v|--verbose] [-f|--force-overwrite] FQDN .. [FQDN]
  Generate a certificate/key pair using the list of FQDNs.

Usage: turnkey-make-ssl-cert [-d|--default] [-t|--template file] [-i|--ip] [-v|--verbose] [-f|--force-overwrite]
  Generate the default certificate/key pair, cert.crt, cert.key, using the hostname.

Usage: turnkey-make-ssl-cert [-o|--out file] [-t|--template file] [-i|--ip] [-v|--verbose] [-f|--force-overwrite] [-w|--wild] domainName .. [domainName]
  Generate a wildcard certificate for the list of domains.

Usage: turnkey-make-ssl-cert [-d|--default] [-t|--template file] [-i|--ip] [-v|--verbose] [-f|--force-overwrite] [-r|--csr] FQDN .. [FQDN]
  Generate an optional certificate signing request for the list of FQDNs.

Usage: turnkey-make-ssl-cert [-h|--help]
  Display the help message and exit.

      Options:
      -h, --help              Display this help message and exit
      -o, --out [/path/]file  Write certificate to alternate location
      -d, --default           Generate default certificate
                                /etc/ssl/private/cert.pem
      -e, --expiry            Set certificate expiry date
                                default: 10y
      -r, --csr               Generate a certificate signing request
      -w, --wild              Generate wildcard certificate
      -t, --template file     Use alternate template file
                                default: /etc/ssl/turnkey.cnf
      -i, --ip                Optionally include host ip addresses
      -v, --verbose           Display generated certificate
      -f, --force-overwrite   Overwrite existing certificate

      NOTE: You must be the superuser to run this script.

To just regenerate the default cert that the appliance generates on firstboot:

turnkey-make-ssl-cert --default --force-overwrite
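
To see which certificate is actually served for the hostname versus the LAN IP, and whether the regenerated one is in date, a check along these lines can be used. It is an added example, not part of the posts above or of TurnKey's tooling; the function names are hypothetical, and gitlab.example.internal and 192.0.2.10 are placeholder values.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not part of turnkey-make-ssl-cert.
# Requires the openssl command-line tool.

# fetch_served_cert ADDR NAME [PORT]
# Connects to ADDR, sends NAME as the TLS server name (SNI), and prints the
# leaf certificate the server presents, in PEM form.
fetch_served_cert() {
    openssl s_client -connect "$1:${3:-443}" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# cert_report FILE HOSTNAME [WARN_DAYS]
# Prints subject, expiry date and SHA-256 fingerprint of the certificate in
# FILE, then returns:
#   0 = valid for more than WARN_DAYS and matches HOSTNAME
#   1 = expired, or expiring within WARN_DAYS (default 30)
#   2 = in date, but does not cover HOSTNAME
#   3 = FILE could not be parsed as a certificate
cert_report() {
    file=$1; host=$2; warn_days=${3:-30}
    openssl x509 -in "$file" -noout -subject -enddate -fingerprint -sha256 || return 3
    if ! openssl x509 -in "$file" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        return 1
    fi
    if openssl x509 -in "$file" -noout -checkhost "$host" | grep -q 'does NOT match'; then
        return 2
    fi
    return 0
}

# Typical use on the appliance (placeholder address and name):
#   fetch_served_cert 192.0.2.10 gitlab.example.internal > /tmp/by-name.pem
#   fetch_served_cert 192.0.2.10 192.0.2.10              > /tmp/by-ip.pem
#   cert_report /tmp/by-name.pem gitlab.example.internal; echo "status: $?"
#   cert_report /tmp/by-ip.pem   gitlab.example.internal; echo "status: $?"
# Differing fingerprints mean the web server presents a different certificate
# for the hostname than for the IP, so regenerating only the default one
# (/etc/ssl/private/cert.pem in the help output above) may not replace it.
```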
