
GitHub Enterprise Server

emmanuelknafo edited this page May 20, 2025 · 51 revisions

Trial

image

Prerequisites

  1. Needs 64 GB of RAM for the Hyper-V VM
image

Test

  1. Browse to https://github.devopsabcs.com image
  2. The initial setup will take a very long time image

Create admin account

  1. again image
  2. then image

set up first org

  1. such as image

create your first repo

  1. as image

Check out pre-created artifacts

  1. such as orgs image
  2. standard actions source code image

security actions

  1. in the other organization image

GitHub Connect

  1. to connect the on-prem instance to GitHub Enterprise Cloud (GHEC) image

Storage

On Prem

  1. disks image

In the cloud

  1. on azure storage image
  2. packages will be stored here: image

Install Runners

  1. on windows image
  2. register the runner image

Troubleshooting

fatal: unable to access 'https://github.devopsabcs.com/devopsabcs-ges/first-on-prem-repo/': SSL certificate problem: self-signed certificate

image

ssh to management console

  1. Connect to the management console over SSH on port 122:
ssh -p 122 admin@github.devopsabcs.com

image

  2. This should work image
  3. To get rid of the self-signed certificate error, follow the TLS configuration guide: https://docs.github.com/en/enterprise-server@3.17/admin/configuring-settings/hardening-security-for-your-enterprise/configuring-tls

request letsencrypt cert

  1. The firewall may need to be opened for the challenge first image
  2. Request the TLS cert image

cert trust issue now resolved

  1. The certificate is now trusted, just as a DigiCert-issued one would be image

pipelines should now be green

  1. pipes now green image
  2. all later runs are green image

letsencrypt cert

  1. as seen in management console image

multi-san needed for packages

GitHub Packages on GHES serves each package ecosystem from a subdomain of the host, so the certificate must carry SANs for those subdomains (in practice the wildcard) as well as the hostname itself; otherwise clients fail with "Hostname/IP does not match certificate's altnames":

https://docs.github.com/en/enterprise-server@3.17/packages/quickstart
https://community.letsencrypt.org/t/hostname-ip-does-not-match-certificates-altnames/210780

DNS challenge for Letsencrypt wildcard cert

To create a Let's Encrypt wildcard certificate, you need the DNS-01 challenge, which proves domain ownership by publishing a specific DNS TXT record. The following step-by-step guide combines internal guidance with best practices from the web:


✅ Internal Guidance

From internal documentation (Creating wildcard certificates [1]), the process typically involves:

  1. Using Certbot with DNS Plugins:

    • For AWS Route 53, the command might look like:
      sudo certbot certonly \
        --server https://acme-v02.api.letsencrypt.org/directory \
        --dns-route53 \
        -d "*.yourdomain.com"
    • This command requests a wildcard certificate for *.yourdomain.com using the DNS-01 challenge via Route 53.
  2. Certificate Storage:

    • Certificates are stored under /etc/letsencrypt/archive/yourdomain.com/.
    • You can copy them out using:
      sudo cp -r /etc/letsencrypt/archive/yourdomain.com ./certs
  3. Wildcard Scope:

    • Wildcard certificates only cover one subdomain level (e.g., *.example.com covers app.example.com but not api.dev.example.com).

🌐 Web-Based Best Practices

According to [DigitalOcean's tutorial](https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt-wildcard-certificates-with-certbot) [2]:

  1. DNS Setup:

    • Ensure a wildcard DNS record exists:
      *.example.com. 3600 IN A 203.0.113.1
  2. Install Certbot:

    • On Ubuntu:
      sudo snap install core; sudo snap refresh core
      sudo snap install --classic certbot
      sudo ln -s /snap/bin/certbot /usr/bin/certbot
  3. Run Certbot with DNS Plugin:

    • For manual DNS:
      sudo certbot -d "*.example.com" --manual --preferred-challenges dns certonly

In our case, this is what works. Both -d flags are needed because a wildcard does not cover the bare hostname, and --key-type rsa is needed because certbot now issues ECDSA keys by default while the GHES TLS settings expect an unencrypted RSA private key:

sudo certbot certonly --manual --preferred-challenges dns --key-type rsa -d github.devopsabcs.com -d "*.github.devopsabcs.com"

image

  • You'll be prompted to add a TXT record (_acme-challenge) to your DNS before continuing.

image

  4. Automation:
    • For production, automate renewals using DNS plugins or scripts (e.g., certbot-dns-route53, certbot-dns-cloudflare, or Posh-ACME for PowerShell).
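Before uploading the certificate to the management console, it is worth confirming that its SANs really cover the hostname and every Packages subdomain, since a wildcard matches exactly one label. The check below is an added example, not part of the original page; the SAN text is a constructed sample of what `openssl x509 -noout -ext subjectAltName` prints, and the package subdomain labels are illustrative.

```python
"""Check whether a certificate's SANs cover every hostname a GHES instance serves."""
import re

# Constructed sample: what `openssl x509 -noout -ext subjectAltName -in cert.pem`
# prints for a cert issued with both -d flags from the certbot command above.
SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:github.devopsabcs.com, DNS:*.github.devopsabcs.com
"""

# Hostnames a GHES host with Packages (subdomain isolation) answers on:
# the apex plus one subdomain per package ecosystem. Labels are illustrative.
GHES_HOSTS = [
    "github.devopsabcs.com",
    "npm.github.devopsabcs.com",
    "docker.github.devopsabcs.com",
    "containers.github.devopsabcs.com",
]


def parse_dns_sans(text):
    """Return the DNS names listed in the subjectAltName extension text."""
    return re.findall(r"DNS:([^,\s]+)", text)


def san_matches(pattern, hostname):
    """RFC 6125 style match: a wildcard replaces exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    # *.example.com covers app.example.com, but neither example.com nor a.b.example.com
    return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]


def uncovered_hosts(san_text, hostnames):
    """Hostnames that no SAN covers; an empty list means the cert is sufficient."""
    sans = parse_dns_sans(san_text)
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    print("uncovered:", uncovered_hosts(SAN_TEXT, GHES_HOSTS))
    # A wildcard-only cert leaves the apex hostname itself uncovered:
    print("wildcard only:", uncovered_hosts("DNS:*.github.devopsabcs.com", GHES_HOSTS))
```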

It Works

The issued certificate image

The SAN list, including the wildcard image
