How do I use let’s encrypt with gitlab?

ssl-certificate gitlab raspbian gitlab-omnibus lets-encrypt
chabad360 picture chabad360 · Dec 9, 2015 · Viewed 29.2k times · Source

I started to look in to ssl certificates when I stumbled upon let's encrypt, and I wanted to use it with gitlab, however being that it is running on a raspberry pi 2 and its running quite perfectly now (so I dont want to mess anything up), he would I go about installing a lets encrypt ssl certificate properly? PS: My installation is omnibus

Answer

rkallensee picture rkallensee · Dec 31, 2015

The by far best solution I was able to find for now is described in this blog post. I won't recite everything, but the key points are:

  • Use the webroot authenticator for Let's Encrypt
  • Create the folder /var/www/letsencrypt and use this directory as webroot-path for Let's Encrypt

  • Change the following config values in /etc/gitlab/gitlab.rb and run gitlab-ctl reconfigure after that:

    nginx['redirect_http_to_https'] = true
nginx['ssl_certificate']= "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem"
nginx['custom_gitlab_server_config']="location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"

  • If you are using Mattermost which is shipped with the Omnibus package then you can additionally set these options in /etc/gitlab/gitlab.rb:

    mattermost_nginx['redirect_http_to_https'] = true
mattermost_nginx['ssl_certificate']= "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"
mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem"
mattermost_nginx['custom_gitlab_mattermost_server_config']="location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"

  • After requesting your first certificate remember to change the external_url to https://... and again run gitlab-ctl reconfigure

This method is very elegant since it just mounts the directory /var/www/letsencrypt/.well-known used by the Let's Encrypt authenticator into the Gitlab web-root via a custom Nginx configuration and authentication is always possible when Gitlab is running. This means that you can automatically renew the Let's Encrypt certificates.

Related questions

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I can push by clone project using ssh, but it doesn't work when I clone project with https. The error message that shows me is: server certificate verification failed. CAfile: /etc/ssl/certs/cacertificates.crt CRLfile: none

Read More
How to create a self-signed certificate with OpenSSL

I'm adding HTTPS support to an embedded Linux device. I have tried to generate a self-signed certificate with these steps: openssl req -new > cert.csr openssl rsa -in privkey.pem -out key.pem openssl x509 -in cert.csr -out …

Read More
How to create .pfx file from certificate and private key?

I need .pfx file to install https on website on IIS. I have two separate files: certificate (.cer or pem) and private key (.crt) but IIS accepts only .pfx files. I obviously installed certificate and it is available in certificate …

Read More