How do I use let’s encrypt with gitlab?

Question

I started to look in to ssl certificates when I stumbled upon let\'s encrypt, and I wanted to use it with gitlab, however being that it is running on a raspberry pi 2 and its ru

Answer 1

There are 2 ways depending on your infrastructure setup (Raspi, big Cloud server or something in between):

1. If you have an externally accessible Server (means your Gitlab host is callable from the Let´s Encrypt servers, which is needed for Let´s Encrypt´s automatic mechanism of verifying that you "own" a certain domain like gitlab.yoursite.com and the corresponding and DNS resolved server/host) the only thing needed (from Gitlab version 10.7 on) is to add an s to the http in your Gitlab URL configuration in /etc/gitlab/gitlab.rb (as marcolz already mentioned):

   external_url 'https://gitlab.yoursite.com'

From the docs in https://docs.gitlab.com/omnibus/settings/ssl.html#let-39-s-encrypt-integration:

Omnibus-gitlab can automatically fetch and renew certificates from Let's Encrypt for you.

2. If your Gitlab host is not externally accessible by the Let´s Encrypt servers, the whole process is much harder! You´ll then leave the nice automatic way of letting Gitlab Omnibus do the heavy lifting for you. You definitely need to fetch the Let´s Encrypt certificates on your own now! There are some ways to fetch Let´s Encrypt certificates without the need for an externally accessible server.

   The one I choose and would recommend is to use the alternative Let´s Encrypt client dehydrated together with the dns-lexicon to fully automate the process of obtaining the certificates together with the Let´s Encrypt dns-challenge, which was introduced somewhere in 2016. This is the only way, where you don´t need an externally accessible server - but you again need to "own" a certain domain like gitlab.yoursite.com AND you need API access to the DNS provider, which hosts your domain (here´s a list of supported DNS providers in that case).

   As the whole process is quite complex I created a fully comprehensible Ansible playbook prepare-gitlab.yml where every step of the Gitlab installation with Omnibus is handled for you (full GitHub sources are available here: https://github.com/jonashackt/gitlab-ci-stack).

   If you only want to create the Let´s Encrypt certificates, have a look into obtain-letsencrypt-certs-dehydrated-lexicon.yml - even if you don´t want to use Ansible, you can also manually reproduce every step on the console or use another automation tool like Chef or Saltstack (although I can´t recommend that personally). Another way would be to have a look onto this great blogpost from the lexicon guys: https://blog.thesparktree.com/generating-intranet-and-private-network-ssl, from those described steps I basically developed the playbook from.

   Either way you choose, don´t forget to copy the manually (or automatically) fetched Let´s Encrypt certificates from

   /srv/dehydrated/certs/{{ gitlab_domain }}/fullchain.pem

   to

   /etc/gitlab/ssl/{{ gitlab_domain }}.crt

   and

   /srv/dehydrated/certs/{{ gitlab_domain }}/privkey.pem

   to

   /etc/gitlab/ssl/{{ gitlab_domain }}.key

   Gitlab will pick them up from there automatically for you, as the docs state in the way to manually configure HTTPS

Answer 2

You need to install the generated certificates manually in /etc/gitlab/ssl and set the external url to https in /etc/gitlab/gitlab.rb as described in: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md

I prefer to use symlinks, so you dont need to copy the certificates. enter link description here

Answer 3

I have no idea if the installation differs on a Raspberry Pi. Let's Encrypt installation process does some magic I don't know anything about.

Prepare Gitlab

Type grep 'external_url' /etc/gitlab/gitlab.rb to check the website name. As an example https://gitlab.example.com:50000

If your external URL does not start with https, change it to begin with https

The part in bold will be your <your domain name>

Generate the certificates

Follow the Let's Encrypt install instructions on this link: https://letsencrypt.org/howitworks/

I'm not copying the instructions since they may change (as the program is in open beta right now). What you have to run depends on whether you also have websites running on Apache you want to generate Let's Encrypt certs for.

Once you have generated your Let's Encrypt certificates, they are located in /etc/letsencrypt/live/<your domain name>/

Copy the certificates

Gitlab expects two files located in /etc/gitlab/ssl/

There's something I'm not sure about, you may have to convert the .pem certificates using the answer at this location: Convert .pem to .crt and .key

Copy the certificate from /etc/letsencrypt/live/<your domain name>/cert.pem to /etc/gitlab/ssl/<your domain name>.crt

Copy the private key from /etc/letsencrypt/live/<your domain name>/privkey.pem to /etc/gitlab/ssl/<your domain name>.key

Reconfigure

Run gitlab-ctl reconfigure

Answer 4

You need to install the generated certificates manually in /etc/gitlab/ssl and set the external url to https in /etc/gitlab/gitlab.rb as described in: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md

Answer 5

In case it's helpful to anybody else, I wrote up the process I used here: http://kelan.io/2016/using-lets-encrypt-to-add-ssl-to-gitlab/

I had set up GitLab previous (via install from source), and was just trying to add SSL, using Let's Encrypt.

The key points are:

• Use the standalone mode of letsencrypt
• Make a copy of the certs readable by gitlab-shell

Answer 6

The by far best solution I was able to find for now is described in this blog post. I won't recite everything, but the key points are:

• Use the webroot authenticator for Let's Encrypt
• Create the folder /var/www/letsencrypt and use this directory as webroot-path for Let's Encrypt

• Change the following config values in /etc/gitlab/gitlab.rb and run gitlab-ctl reconfigure after that:

  nginx['redirect_http_to_https'] = true
  nginx['ssl_certificate']= "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"
  nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem"
  nginx['custom_gitlab_server_config']="location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"
  

• If you are using Mattermost which is shipped with the Omnibus package then you can additionally set these options in /etc/gitlab/gitlab.rb:

  mattermost_nginx['redirect_http_to_https'] = true
  mattermost_nginx['ssl_certificate']= "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"
  mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem"
  mattermost_nginx['custom_gitlab_mattermost_server_config']="location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"
  

• After requesting your first certificate remember to change the external_url to https://... and again run gitlab-ctl reconfigure

This method is very elegant since it just mounts the directory /var/www/letsencrypt/.well-known used by the Let's Encrypt authenticator into the Gitlab web-root via a custom Nginx configuration and authentication is always possible when Gitlab is running. This means that you can automatically renew the Let's Encrypt certificates.