Description
- Gitea version (or commit ref):
- Git version: 1.4.0
- Operating system: official docker image
- Database (use `[x]`):
  - PostgreSQL
  - MySQL
  - MSSQL
  - SQLite
- Can you reproduce the bug at https://try.gitea.io:
  - Yes (provide example URL)
  - No
  - Not relevant
Description
I'd like to enable HTTPS but can't figure it out 100%.

My config is:

```ini
[server]
APP_DATA_PATH = /data/gitea
SSH_DOMAIN = foo.com
HTTP_PORT = 3000
ROOT_URL = https://foo.com:3000
DISABLE_SSH = false
SSH_PORT = 22
DOMAIN = foo.com
LFS_START_SERVER = true
LFS_CONTENT_PATH = /data/gitea/lfs
LFS_JWT_SECRET = ...
OFFLINE_MODE = false
PROTOCOL = https
CERT_FILE = custom/https/cert.pem
KEY_FILE = custom/https/key.pem
ENABLE_GZIP = true

[database]
PATH = /data/gitea/gitea.db
DB_TYPE = sqlite3
HOST = localhost:3306
NAME = gitea
USER = root
PASSWD =
SSL_MODE = disable

[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file
COOKIE_SECURE = true
```

Setting it to

```ini
ROOT_URL = http://foo.com:3000
#PROTOCOL = https
#CERT_FILE = custom/https/cert.pem
#KEY_FILE = custom/https/key.pem
COOKIE_SECURE = false
```

works perfectly fine for HTTP usage.
I have a cert.pem and key.pem file generated using openssl in the respective folders, yet I get "foo.com has refused the connection" in Chrome, and Safari tells me it can't create a secure connection... (to https://foo.com:3000).

The thing that concerns me is that my browsers do not even ask something like "do you want to trust this...".

And `docker-compose up` does not report "listening on...", which led me to believe the server might not be starting up properly and my config could be broken.

On the other hand everything seems pretty straightforward, so I'm not sure what is going on.

I used

```sh
openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -out cert.pem
```

on my server where I deploy the docker image.
On `docker-compose up` I get

```
server_1 | chown: unknown user/group git:git
server_1 | 2018/03/29 23:25:43 [T] AppPath: /app/gitea/gitea
server_1 | 2018/03/29 23:25:43 [T] AppWorkPath: /app/gitea
server_1 | 2018/03/29 23:25:43 [T] Custom path: /data/gitea
server_1 | 2018/03/29 23:25:43 [T] Log path: /data/gitea/log
server_1 | WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
```

although this is roughly what I get without HTTPS; the ca-certificates warning seems to be an Alpine Linux thing.

...the unknown user error, I think, comes from the fact that the user who owns the /gitea folder is not named git, but it works fine for the non-HTTPS case anyhow, so I've not yet gone further down that road.
```
Creating network "gitea_gitea" with the default driver
Creating gitea_server_1
Attaching to gitea_server_1
server_1 | id: unknown user git
server_1 | Mar 30 12:11:17 syslogd started: BusyBox v1.27.2
server_1 | /etc/ssh/sshd_config line 32: Deprecated option UsePrivilegeSeparation
server_1 | Mar 30 12:11:17 sshd[18]: Server listening on :: port 22.
server_1 | Mar 30 12:11:17 sshd[18]: Server listening on 0.0.0.0 port 22.
server_1 | WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
server_1 | chown: unknown user/group git:git
server_1 | 2018/03/30 12:11:17 [T] AppPath: /app/gitea/gitea
server_1 | 2018/03/30 12:11:17 [T] AppWorkPath: /app/gitea
server_1 | 2018/03/30 12:11:17 [T] Custom path: /data/gitea
server_1 | 2018/03/30 12:11:17 [T] Log path: /data/gitea/log
server_1 | WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
```
I also tried a simple Go `FileServer` with HTTPS and self-signed certificates and it worked, so it does not seem to be an issue with my browser either.

Would appreciate any help! Thanks.
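As an added pre-flight check (not part of this issue or of Gitea itself): `openssl req -new` writes a certificate signing request rather than a certificate unless `-x509` is also given, and a TLS server cannot start from a CSR even though it is valid PEM. The script below tells the two apart by their PEM labels and confirms that the TLS stack accepts the `CERT_FILE` / `KEY_FILE` pair together; the paths in `__main__` are placeholders for whatever `app.ini` names.

```python
"""Pre-flight check for the files Gitea's CERT_FILE / KEY_FILE point at (added example)."""
import re
import ssl
from pathlib import Path

# PEM label of each block, e.g. "CERTIFICATE", "CERTIFICATE REQUEST", "PRIVATE KEY"
PEM_LABEL = re.compile(r"-----BEGIN ([A-Z ]+)-----")


def pem_labels(pem_text: str) -> list[str]:
    """Return the labels of all PEM blocks found in the text, in order."""
    return PEM_LABEL.findall(pem_text)


def classify_cert_text(pem_text: str) -> str:
    """Tell an X.509 certificate apart from a signing request.

    `openssl req -new -newkey ... -out cert.pem` without -x509 emits a CSR,
    which a server cannot serve TLS from."""
    labels = pem_labels(pem_text)
    if "CERTIFICATE" in labels:
        return "certificate"
    if any(label.endswith("CERTIFICATE REQUEST") for label in labels):
        return "csr"
    return "unknown"


def pair_loads(cert_path: str, key_path: str) -> bool:
    """True if OpenSSL accepts cert + key together, as a server must at start-up.

    load_cert_chain rejects unparsable PEM, a missing file, and a key that
    does not belong to the certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except (ssl.SSLError, OSError):
        return False
    return True


def check_tls_files(cert_path: str, key_path: str) -> dict:
    """Summarise what is wrong (or right) with a CERT_FILE / KEY_FILE pair."""
    cert_kind = classify_cert_text(Path(cert_path).read_text())
    key_labels = pem_labels(Path(key_path).read_text())
    return {
        "cert_kind": cert_kind,
        "key_has_private_key": any("PRIVATE KEY" in label for label in key_labels),
        "pair_loads": cert_kind == "certificate" and pair_loads(cert_path, key_path),
    }


if __name__ == "__main__":
    # Placeholder paths: use the ones your app.ini resolves CERT_FILE / KEY_FILE to.
    print(check_tls_files("custom/https/cert.pem", "custom/https/key.pem"))
```

A report of `cert_kind: csr` means the file has to be regenerated as a certificate (for a self-signed one, `openssl req -x509 ...`); `pair_loads: False` with `cert_kind: certificate` points at a key that does not match or PEM that does not parse.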