Last week we talked about setting up HTTPS with Let’s Encrypt. Today we are going to apply it to GitLab instances.
It needs a few more steps than a plain Rails application does. If you didn’t read our previous article, you may want to read it first.
Prepare GitLab configuration
First, we need to create an empty directory.
$ mkdir -p /var/www/letsencrypt
Then we update the GitLab configuration to route /.well-known requests to the /var/www/letsencrypt folder (Let’s Encrypt uses it to check that the domain is really ours).
# /etc/gitlab/gitlab.rb
external_url "http://gitlab.domain.tld"
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known { root /var/www/letsencrypt; }"
# ...
# If you want Mattermost to be activated.
mattermost_external_url "http://mattermost.domain.tld"
mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /.well-known { root /var/www/letsencrypt; }"
# ...
# If you want the Docker registry to be activated.
registry_external_url "http://registry.domain.tld"
Don’t forget to reconfigure GitLab to have the configuration applied.
$ gitlab-ctl reconfigure
Certificate generation
Now, as for a normal website, we need to generate the certificates. We have to reload Nginx, but GitLab ships its own embedded Nginx binary, so we have to go through gitlab-ctl, which only gives us access to the restart command.
$ certbot certonly --webroot \
--webroot-path /var/www/letsencrypt \
--keep-until-expiring \
--email email@domain.tld \
--agree-tos \
--non-interactive \
-d gitlab.domain.tld \
-d mattermost.domain.tld \
-d registry.domain.tld \
--rsa-key-size 4096 \
--post-hook "/usr/bin/gitlab-ctl restart nginx"
Finalise GitLab configuration
We now have to update the GitLab configuration to use our freshly generated certificates, and to redirect HTTP requests to HTTPS.
# /etc/gitlab/gitlab.rb
external_url "https://gitlab.domain.tld"
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.domain.tld/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.domain.tld/privkey.pem"
# ...
# If you use Mattermost.
mattermost_external_url "https://mattermost.domain.tld"
mattermost_nginx['redirect_http_to_https'] = true
mattermost_nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.domain.tld/fullchain.pem"
mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.domain.tld/privkey.pem"
# ...
# If you use the Docker registry.
registry_external_url "https://registry.domain.tld"
registry_nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.domain.tld/fullchain.pem"
registry_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.domain.tld/privkey.pem"
Then reconfigure GitLab.
$ gitlab-ctl reconfigure
And the job is done!
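To confirm the result from the outside, here is a small check script that is not part of the original post: it verifies that each host redirects HTTP to HTTPS, that the single certificate certbot issued carries a SAN for every -d domain (which is why the Mattermost and registry blocks above can point at the gitlab.domain.tld files), and that it is not about to expire. curl, OpenSSL 1.1.1 or newer, and the three hostnames in DOMAINS are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: verify the finished setup from outside.
# Assumes curl and OpenSSL 1.1.1+; DOMAINS lists the hosts passed to certbot
# with -d. The two text helpers take captured output, so they also run offline.

DOMAINS="gitlab.domain.tld mattermost.domain.tld registry.domain.tld"

# Print every host (args 2..n) absent from the subjectAltName text in arg 1.
# The text is squeezed to "DNS:a,DNS:b," so each match is anchored on both
# sides: gitlab.domain.tld must not satisfy a check for domain.tld.
missing_sans() {
  sans="$(printf '%s' "$1" | tr -d ' \t\r\n'),"
  shift
  for host in "$@"; do
    case "$sans" in
      *"DNS:$host,"*) ;;
      *) printf '%s\n' "$host" ;;
    esac
  done
}

# True when the response headers in arg 1 are a redirect to https://<arg 2>.
redirect_ok() {
  printf '%s' "$1" | grep -qi '^HTTP/[0-9.]* 30[1278]' &&
    printf '%s' "$1" | grep -qiF "location: https://$2"
}

# Live check of one host: http redirect, one certificate covering every name in
# DOMAINS (all three nginx blocks point at the gitlab.domain.tld files), expiry.
check_host() {
  host="$1"
  hdrs="$(curl -sI --max-time 10 "http://$host/")"
  redirect_ok "$hdrs" "$host" || { echo "FAIL $host: no http->https redirect"; return 1; }
  cert="$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 2>/dev/null)"
  [ -n "$cert" ] || { echo "FAIL $host: could not fetch certificate"; return 1; }
  miss="$(missing_sans "$(printf '%s\n' "$cert" | openssl x509 -noout -ext subjectAltName)" $DOMAINS)"
  [ -z "$miss" ] || { echo "FAIL $host: certificate lacks SAN for: $miss"; return 1; }
  printf '%s\n' "$cert" | openssl x509 -noout -checkend $((30 * 86400)) >/dev/null \
    || echo "WARN $host: certificate expires within 30 days"
  echo "OK   $host"
}

# Usage: sh check_tls.sh gitlab.domain.tld mattermost.domain.tld registry.domain.tld
if [ $# -gt 0 ]; then
  rc=0
  for h in "$@"; do check_host "$h" || rc=1; done
  exit "$rc"
fi
```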
Certificate expiration?
Nothing to do, as we explained in our previous article.
Conclusion
Enjoy HTTPS on your GitLab instance with free certificates :)
Edit 2017-11-21: Update gitlab nginx configuration.