Setting up gitlab with free SSL-Certs from Let's Encrypt on Ubuntu 14.04
Set up Let's Encrypt
Because we want to install some packages and run Let's Encrypt as root, let's switch to the root user first.
sudo -i
To grab the latest version of Let's Encrypt we need to install git.
apt-get update && apt-get install git
Clone the Let's Encrypt client
Now we can clone the Let's Encrypt client into root's home folder.
cd /root
git clone https://github.com/letsencrypt/letsencrypt
Create a Let's Encrypt config file
We don't want to type long option lists on the command line, so let's start with a config file for the gitlab instance we will install later.
mkdir letsencrypt-config
nano letsencrypt-config/gitlab.ini
Paste the following lines into our gitlab.ini file.
# this is the Let's Encrypt config for our gitlab instance
# use the webroot authenticator.
authenticator = webroot
# the following path needs to be served by our webserver
# to validate our domains
webroot-path = /var/www/letsencrypt
# generate certificates for the specified domains.
domains = gitlab.yourdomain.com
# register certs with the following email address
email = your@email.com
# use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
We are going to use the webroot authentication method to validate our domain specified in the config file. In this case this is gitlab.yourdomain.com.
Remember to replace the domain with the domain you want to run your gitlab on.
If it doesn't exist yet, we need to create the folder from which the validation files will be served.
mkdir -p /var/www/letsencrypt
We need to provide an email address for the certificate request. Let's Encrypt uses it to contact you if there are any issues with your certificate (for example when it is about to expire). Replace it with your own email address.
And finally we set a larger key size (4096 bit RSA instead of the default 2048) for a larger security margin.
Install gitlab
The GitLab package repository is added with the vendor's install script. Note that this pipes a script fetched over the network straight into a root shell, so you are trusting the packages.gitlab.com server and the TLS connection completely; if you prefer, download the script first, read it, and run it afterwards.
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash
apt-get install gitlab-ce
After gitlab-ce is installed we need to modify the gitlab config to suit our needs:
nano /etc/gitlab/gitlab.rb
and change the following lines
external_url "http://gitlab.yourdomain.com/"
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate']= "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem"
Replace the domain with your own. external_url deliberately stays at http:// for now: the certificate files referenced above do not exist yet, and nginx would refuse to start with an https URL pointing at missing files.
We also add the following line, which maps the /.well-known path to /var/www/letsencrypt/.well-known so the webroot authenticator's challenge files are served by gitlab's nginx:
nginx['custom_gitlab_server_config']="location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"
Let's reconfigure our gitlab instance to activate the new configuration
gitlab-ctl reconfigure
Create certificates
/root/letsencrypt/letsencrypt-auto certonly -c /root/letsencrypt-config/gitlab.ini
This will install some Let's Encrypt dependencies and show you a dialog in which you have to agree to the Let's Encrypt Terms of Service.
Then we can switch our gitlab config to https://.
nano /etc/gitlab/gitlab.rb
and change external_url "http://gitlab.yourdomain.com/" to external_url "https://gitlab.yourdomain.com/".
Finally we need to reconfigure gitlab to activate the new certificates and settings.
gitlab-ctl reconfigure
Auto update for certificates
Let's Encrypt certificates are valid for 90 days only, so we are going to renew them every month by setting up a cronjob.
To set up a monthly cronjob, create a file called renew-ssl-certificates in /etc/cron.monthly.
nano /etc/cron.monthly/renew-ssl-certificates
and paste in the following content.
#!/bin/bash
# abort if the renewal fails, so gitlab is not restarted for nothing
set -e
/root/.local/share/letsencrypt/bin/letsencrypt certonly -c /root/letsencrypt-config/gitlab.ini --renew-by-default
gitlab-ctl restart
This will renew our existing certificates and restart our gitlab instance every month. We are using the --renew-by-default flag so that letsencrypt renews without asking and does not stop at a dialog. Make the file executable (chmod +x); run-parts skips cron.monthly files that are not.
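A more defensive version of the cron script, as an added example that is not the original post's script. It reuses the paths from this page; openssl being installed on the host and gitlab-ctl hup nginx (reloading only nginx instead of the full gitlab-ctl restart above) are assumptions. It renews only when the certificate is within 30 days of expiry instead of hitting Let's Encrypt every month, and before nginx is reloaded it checks that the new certificate and private key belong together and that the certificate actually names the GitLab host. The main routine only runs when the script is invoked under its cron file name, so the helper functions can be sourced and tested from elsewhere.

```bash
#!/bin/bash
# Added example: hardened replacement for /etc/cron.monthly/renew-ssl-certificates.
# Assumptions (not from the page): openssl is installed, gitlab-ctl is on PATH.
# POSIX sh compatible apart from the shebang.
set -eu

CONFIG=/root/letsencrypt-config/gitlab.ini
LE_BIN=/root/.local/share/letsencrypt/bin/letsencrypt
DOMAIN=gitlab.yourdomain.com
LIVE=/etc/letsencrypt/live/$DOMAIN
RENEW_BEFORE_DAYS=30

# needs_renewal CERT DAYS: returns 0 (true) when CERT expires within DAYS
# or cannot be read at all (missing file => we definitely want a cert).
needs_renewal() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1   # still valid beyond the window, nothing to do
  fi
  return 0
}

# key_matches CERT KEY: returns 0 when the public key embedded in CERT
# (first certificate in the file, i.e. the leaf of fullchain.pem)
# equals the public half of KEY. Catches a mixed-up cert/key pair
# before nginx is reloaded with it.
key_matches() {
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# cert_covers HOST CERT: returns 0 when HOST appears as a DNS SAN or,
# failing that, as the subject CN of CERT.
cert_covers() {
  local pat text
  pat=$(printf '%s' "$1" | sed 's/\./\\./g')          # escape dots for grep
  text=$(openssl x509 -in "$2" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$text" | grep -Eq "DNS:$pat(,|\$)" && return 0
  openssl x509 -in "$2" -noout -subject 2>/dev/null | grep -Eq "CN *= *$pat(/|,|\$)"
}

main() {
  if ! needs_renewal "$LIVE/fullchain.pem" "$RENEW_BEFORE_DAYS"; then
    echo "certificate for $DOMAIN is valid for more than $RENEW_BEFORE_DAYS days, skipping"
    return 0
  fi
  # --renew-by-default: renew without prompting (same flag as the page uses)
  "$LE_BIN" certonly -c "$CONFIG" --renew-by-default
  # Sanity checks on what we are about to hand to nginx.
  if ! key_matches "$LIVE/fullchain.pem" "$LIVE/privkey.pem"; then
    echo "fullchain.pem and privkey.pem do not match, not reloading nginx" >&2
    return 1
  fi
  if ! cert_covers "$DOMAIN" "$LIVE/fullchain.pem"; then
    echo "new certificate does not cover $DOMAIN, not reloading nginx" >&2
    return 1
  fi
  # Reload only nginx; the rest of GitLab does not need a restart for a new cert.
  gitlab-ctl hup nginx
}

# Run main only when executed as the cron file, so the functions above
# can be sourced and exercised from another script without side effects.
case "$0" in
  */renew-ssl-certificates) main ;;
esac
```

The checks are cheap and fail closed: if anything about the renewed pair looks wrong, the script exits non-zero (cron mails the output) and nginx keeps serving the previous, still valid certificate.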
And there it is, your own gitlab instance with a valid SSL certificate. You can log in to gitlab with username: root and password: 5iveL!fe. This is the well-known default password of the gitlab package, so change it immediately after the first login.