
GitHub Enterprise Server

emmanuelknafo edited this page May 21, 2025 · 51 revisions

Trial


Prerequisites

  1. Needs 64 GB of RAM for the Hyper-V VM.

Test

  1. try https://github.devopsabcs.com
  2. will take a very long time

Create admin account

  1. (screenshots of the admin account creation steps)

set up first org

  1. (screenshot)

create your first repo

  1. (screenshot)

Check out pre-created artifacts

  1. orgs
  2. standard actions source code

security actions

  1. in the other organization

GitHub Connect

  1. to connect on-prem to GitHub Enterprise Cloud (GEC)

Storage

On Prem

  1. disks

In the cloud

  1. on Azure storage
  2. packages will be stored there

Install Runners

  1. on Windows
  2. register the runner

Troubleshooting

fatal: unable to access 'https://github.devopsabcs.com/devopsabcs-ges/first-on-prem-repo/': SSL certificate problem: self-signed certificate


ssh to management console

  1. as
      ssh -p 122 admin@github.devopsabcs.com


  1. should work
  2. can try https://docs.github.com/en/enterprise-server@3.17/admin/configuring-settings/hardening-security-for-your-enterprise/configuring-tls

request letsencrypt cert

  1. may need to fix the firewall
  2. request the TLS cert

cert trust issue now resolved

  1. like with DigiCert

pipelines should now be green

  1. pipes now green
  2. all later runs are green

letsencrypt cert

  1. as seen in the management console

multi-san needed for packages

https://docs.github.com/en/enterprise-server@3.17/packages/quickstart
https://community.letsencrypt.org/t/hostname-ip-does-not-match-certificates-altnames/210780

DNS challenge for Letsencrypt wildcard cert

To create a Let's Encrypt wildcard certificate you need the DNS-01 challenge, which proves control of the domain by publishing a specific TXT record in its DNS. Here is a step-by-step guide drawing on both internal resources and best practices from the web:


✅ Internal Guidance

From internal documentation like Creating wildcard certificates 1, the process typically involves:

  1. Using Certbot with DNS Plugins:

    • For AWS Route 53, the command might look like:
      sudo certbot certonly \
        --server https://acme-v02.api.letsencrypt.org/directory \
        --dns-route53 \
        -d "*.yourdomain.com"
    • This command requests a wildcard certificate for *.yourdomain.com using the DNS-01 challenge via Route 53.
  2. Certificate Storage:

    • Certificates are stored under /etc/letsencrypt/archive/yourdomain.com/.
    • You can copy them out using:
      sudo cp -r /etc/letsencrypt/archive/yourdomain.com ./certs
  3. Wildcard Scope:

    • Wildcard certificates only cover one subdomain level (e.g., *.example.com covers app.example.com but not api.dev.example.com).

🌐 Web-Based Best Practices

According to [DigitalOcean's tutorial](https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt-wildcard-certificates-with-certbot) [2]:

  1. DNS Setup:

    • Ensure a wildcard DNS record exists:
      *.example.com. 3600 IN A 203.0.113.1
      
  2. Install Certbot:

    • On Ubuntu:
      sudo snap install core; sudo snap refresh core
      sudo snap install --classic certbot
      sudo ln -s /snap/bin/certbot /usr/bin/certbot
  3. Run Certbot with DNS Plugin:

    • For manual DNS:
      sudo certbot -d "*.example.com" --manual --preferred-challenges dns certonly

In our case, what works:

sudo certbot certonly --manual --preferred-challenges dns --key-type rsa -d github.devopsabcs.com -d "*.github.devopsabcs.com"


  • You’ll be prompted to add a TXT record to your DNS.


  1. Automation:
    • For production, automate renewals using DNS plugins or scripts (e.g., certbot-dns-route53, certbot-dns-cloudflare, or Posh-ACME for PowerShell).
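An added example (not code from this wiki page or from GitHub) that checks whether a certificate's SAN list covers every hostname the instance will serve once subdomain isolation is on. It assumes the registries used on this page (npm, nuget, docker) are served from `<registry>.<hostname>`, and implements the one-level wildcard rule described above, which is why the certbot command requests both the apex name and the wildcard.

```python
# Added example: does a certificate's SAN list cover every hostname the
# GHES instance needs? Not code from the wiki page; the registry subdomains
# are an assumption based on the registries this page uses.

def san_matches(hostname: str, san: str) -> bool:
    """Match a hostname against one SAN entry.

    A wildcard covers exactly ONE leftmost label, so '*.example.com'
    matches 'app.example.com' but neither 'api.dev.example.com' nor the
    bare 'example.com' (which is why both names are requested above).
    """
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    suffix = san[1:]                       # '*.example.com' -> '.example.com'
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]       # the part the '*' must stand for
    return bool(label) and "." not in label


def required_hostnames(ghes_host: str, subdomain_isolation: bool,
                       registries=("npm", "nuget", "docker")) -> list:
    """Hostnames the TLS certificate must cover.

    With subdomain isolation off, the registries live under the main host
    (e.g. https://HOST/_registry/npm/); with it on, each registry moves to
    its own subdomain (e.g. https://npm.HOST/). Assumption: the registries
    listed are the ones in use.
    """
    if not subdomain_isolation:
        return [ghes_host]
    return [ghes_host] + [f"{name}.{ghes_host}" for name in registries]


def uncovered(sans, hostnames):
    """Return the hostnames that no SAN entry covers (empty list == OK)."""
    return [h for h in hostnames if not any(san_matches(h, s) for s in sans)]


if __name__ == "__main__":
    host = "github.devopsabcs.com"
    issued = [host, f"*.{host}"]           # the SANs the certbot command requests
    print("wildcard-only gaps:", uncovered([f"*.{host}"], required_hostnames(host, True)))
    print("apex+wildcard gaps:", uncovered(issued, required_hostnames(host, True)))
```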

It Works

the cert

SAN with wildcard

Try package pipeline again


Getting a 403, but no cert issue:

npm notice
npm notice package: second-repo@1.0.0
npm notice Tarball Contents
npm notice 1.2kB .github/workflows/ci.yml
npm notice 797B .github/workflows/release-package.yml
npm notice 13B README.md
npm notice 31B index.js
npm notice 450B package.json
npm notice Tarball Details
npm notice name: second-repo
npm notice version: 1.0.0
npm notice filename: second-repo-1.0.0.tgz
npm notice package size: 1.3 kB
npm notice unpacked size: 2.5 kB
npm notice shasum: b461c6fd938b5b362c295a0700faf1f788d4a9ea
npm notice integrity: sha512-PieLJoTBExHK4[...]hkDAxKURXJ/Hw==
npm notice total files: 5
npm notice
npm notice Publishing to https://npm.github.devopsabcs.com/ with tag latest and default access
npm error code E403
npm error 403 403 Forbidden - PUT https://github.devopsabcs.com/login?return_to=https%3A%2F%2Fgithub.devopsabcs.com%2Fsecond-repo
npm error 403 In most cases, you or one of your dependencies are requesting
npm error 403 a package version that is forbidden by your security policy, or
npm error 403 on a server you do not have access to.
npm error A complete log of this run can be found in: C:\WINDOWS\ServiceProfiles\NetworkService\AppData\Local\npm-cache\_logs\2025-05-20T20_23_43_125Z-debug-0.log
Error: Process completed with exit code 1.


Docs: https://docs.github.com/en/enterprise-server@3.17/admin/configuring-packages/getting-started-with-github-packages-for-your-enterprise

All depends on subdomain isolation

https://docs.github.com/en/enterprise-server@3.16/packages/working-with-a-github-packages-registry/working-with-the-npm-registry

We have it off.

  1. now we run
      npm login --scope=@devopsabcs-ges --auth-type=legacy --registry=https://github.devopsabcs.com/_registry/npm/


First successful package pushed

nuget

dotnet nuget push .\bin\Release\dotnet-project.1.0.0.nupkg --source "github"


Finally, it shows up in Azure storage.

Enable Subdomain Isolation

Equipped with the wildcard certificate, we check again.

Works like a charm with a local repo and cross-repo.


Push to GitHub Docker Registry

works!!

Here are the docker images

In Azure Storage!