roshkatetecson's picture


Just want to ask how I can renew the self-signed certificate of my Turnkey Gitlab appliance. The certificate is auto-renewed when I access it via LAN IP, but if I access it via its hostname, the certificate is already expired.

Using Let's Encrypt is not an option for us since we're only using it internally.

Jeremy Davis's picture

Hmm, that seems weird. The default self-signed cert that is generated at firstboot should be valid for many years... Regardless, it should be easy to regenerate a new one.

We include a convenience script, 'turnkey-make-ssl-cert'. Hopefully its help assists you to work out what options you might like to select:

# turnkey-make-ssl-cert --help

turnkey-make-ssl-cert ver. 1.3
"Make server cert for TurnKey GNU/Linux appliance"

Usage: turnkey-make-ssl-cert [-o|--out file] [-t|--template file] [-i|--ip] [-v|--verbose] [-f|--force-overwrite] FQDN .. [FQDN]
  Generate a certificate/key pair using the list of FQDNs.

Usage: turnkey-make-ssl-cert [-d|--default] [-t|--template file] [-i|--ip] [-v|--verbose] [-f|--force-overwrite]
  Generate the default certificate/key pair, cert.crt, cert.key, using the hostname.

Usage: turnkey-make-ssl-cert [-o|--out file] [-t|--template file] [-i|--ip] [-v|--verbose] [-f|--force-overwrite] [-w|--wild] domainName .. [domainName]
  Generate a wildcard certificate for the list of domains.

Usage: turnkey-make-ssl-cert [-d|--default] [-t|--template file] [-i|--ip] [-v|--verbose] [-f|--force-overwrite] [-r|--csr] FQDN .. [FQDN]
  Generate an optional certificate signing request for the list of FQDNs.

Usage: turnkey-make-ssl-cert [-h|--help]
  Display the help message and exit.

      -h, --help              Display this help message and exit
      -o, --out [/path/]file  Write certificate to alternate location
      -d, --default           Generate default certificate
      -e, --expiry            Set certificate expiry date
                                default: 10y
      -r, --csr               Generate a certificate signing request
      -w, --wild              Generate wildcard certificate
      -t, --template file     Use alternate template file
                                default: /etc/ssl/turnkey.cnf
      -i, --ip                Optionally include host ip addresses
      -v, --verbose           Display generated certificate
      -f, --force-overwrite   Overwrite existing certificate

      NOTE: You must be the superuser to run this script.

To just regenerate the default cert that the appliance generates on firstboot:

turnkey-make-ssl-cert --default --force-overwrite
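An added example, not part of the original thread or of TurnKey's tooling: a small shell check for the symptom described in the question, comparing the certificate the server presents when reached by hostname (with SNI) and by IP (without SNI), and flagging any that expire soon. It assumes the openssl CLI (1.1.1 or later); the function names, the hostname and the IP in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: which certificate does the server present, and when does it expire?

# Print the PEM certificate presented by HOST:PORT.
# $3 = SNI name to send; empty means send no SNI (as a client using a bare IP does).
fetch_cert() (
    if [ -n "$3" ]; then sni="-servername $3"; else sni="-noservername"; fi
    # $sni is left unquoted on purpose so it splits into option + value.
    openssl s_client -connect "$1:$2" $sni </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
)

# Read a PEM certificate on stdin and print "state|notAfter|sha256-fingerprint".
# state is "valid" if the cert is still valid $1 seconds from now, else "expiring".
cert_summary() (
    window=${1:-0}
    pem=$(cat)
    [ -n "$pem" ] || { echo "no-cert"; exit 2; }
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | cut -d= -f2)
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend "$window" >/dev/null; then
        state=valid
    else
        state=expiring
    fi
    echo "$state|$end|$fp"
)

# Compare what is served by name and by IP. Default window: 30 days.
compare_endpoints() (
    name=$1; ip=$2; port=${3:-443}; window=${4:-2592000}
    by_name=$(fetch_cert "$name" "$port" "$name" | cert_summary "$window")
    by_ip=$(fetch_cert "$ip" "$port" "" | cert_summary "$window")
    echo "via $name (SNI): $by_name"
    echo "via $ip (no SNI): $by_ip"
    if [ "${by_name##*|}" = "${by_ip##*|}" ]; then
        echo "same certificate on both"
    else
        echo "different certificates: check which vhost/config serves each"
    fi
)

# Usage (placeholder values):
#   compare_endpoints gitlab.example.lan 192.0.2.10
```

If the two fingerprints differ, the hostname and the IP are being answered with different certificate files, so regenerating one of them will not change what the other presents.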
