Last week we talked about having HTTPS with Let’s Encrypt. Today we are going to apply it to GitLab instances.
It needs a few more steps than a simple Rails application, so if you haven’t read our previous article, you may want to read it first.

Prepare GitLab configuration

First, we need to create an empty directory.

$ mkdir -p /var/www/letsencrypt

Then we update the GitLab configuration to route /.well-known requests to the /var/www/letsencrypt folder (Let’s Encrypt requests files there to check that the domain is really ours).

# /etc/gitlab/gitlab.rb

external_url "http://gitlab.domain.tld"

# Serve the ACME challenge files from the webroot instead of proxying them to GitLab.
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known { root /var/www/letsencrypt; }"

# ...

# If you want Mattermost to be activated.
mattermost_external_url "http://mattermost.domain.tld"

mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /.well-known { root /var/www/letsencrypt; }"

# ...

# If you want the Docker registry to be activated.
registry_external_url "http://registry.domain.tld"

Don’t forget to reconfigure GitLab to have the configuration applied.

$ gitlab-ctl reconfigure

Certificates generation

Now, as for a normal website, we need to generate the certificates. Nginx then has to be reloaded, but GitLab ships its own embedded Nginx, so we have to go through gitlab-ctl, which only exposes a restart method.

$ certbot certonly --webroot \
	--webroot-path /var/www/letsencrypt \
	--keep-until-expiring \
	--email email@domain.tld \
	--agree-tos \
	--non-interactive \
	-d gitlab.domain.tld \
	-d mattermost.domain.tld \
	-d registry.domain.tld \
	--rsa-key-size 4096 \
	--post-hook "/usr/bin/gitlab-ctl restart nginx"

Finalise GitLab configuration

We now have to update the GitLab configuration to use our freshly generated certificates and to redirect HTTP requests to HTTPS. Since all three hostnames were requested in one certbot run, they live in a single certificate stored under the first -d name, which is why every component below points at the gitlab.domain.tld files.

# /etc/gitlab/gitlab.rb

external_url "https://gitlab.domain.tld"

nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.domain.tld/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.domain.tld/privkey.pem"

# ...

# If you use Mattermost.
mattermost_external_url "https://mattermost.domain.tld"

mattermost_nginx['redirect_http_to_https'] = true
mattermost_nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.domain.tld/fullchain.pem"
mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.domain.tld/privkey.pem"

# ...

# If you use the Docker registry.
registry_external_url "https://registry.domain.tld"

registry_nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.domain.tld/fullchain.pem"
registry_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.domain.tld/privkey.pem"

Then reconfigure GitLab.

$ gitlab-ctl reconfigure

And the job is done!
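Before that final reconfigure it is worth checking the file for the mistakes that only show up weeks later: a copied certificate that never picks up renewals, a missing key, or an HTTPS host with no /.well-known route for the --webroot challenge certbot issues for every -d name. The lint below is an added example written for this post, not GitLab code; it assumes the component hashes follow the nginx / mattermost_nginx / registry_nginx naming and that challenge routes live in a custom_*_server_config entry, and it runs on a constructed gitlab.rb fragment that contains two deliberate mistakes.

```python
import re

# Constructed sample modelled on the finalised /etc/gitlab/gitlab.rb from this post,
# with deliberate mistakes in the Mattermost and registry blocks (not a real file).
SAMPLE_GITLAB_RB = """\
external_url "https://gitlab.domain.tld"
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.domain.tld/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.domain.tld/privkey.pem"
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known { root /var/www/letsencrypt; }"
mattermost_external_url "https://mattermost.domain.tld"
mattermost_nginx['ssl_certificate'] = "/etc/gitlab/ssl/mattermost.crt"
mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.domain.tld/privkey.pem"
registry_external_url "https://registry.domain.tld"
registry_nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.domain.tld/fullchain.pem"
"""

# external_url / mattermost_external_url / registry_external_url -> prefix "", "mattermost_", "registry_"
URL_RE = re.compile(r'^(?P<prefix>[a-z_]*?)external_url\s+"(?P<url>[^"]+)"', re.M)
# nginx['key'] = value   or   mattermost_nginx['key'] = "value"
KEY_RE = re.compile(r"^(?P<section>\w+)\['(?P<key>\w+)'\]\s*=\s*(?P<value>.+?)\s*$", re.M)
LIVE_DIR = "/etc/letsencrypt/live/"


def lint_gitlab_rb(text):
    """Return a list of findings, one per problem, for every *_external_url host."""
    settings = {(m["section"], m["key"]): m["value"].strip('"') for m in KEY_RE.finditer(text)}
    findings = []
    for m in URL_RE.finditer(text):
        section = m["prefix"] + "nginx"              # the nginx hash that serves this host
        host = m["url"].split("://", 1)[1].rstrip("/")
        if not m["url"].startswith("https://"):
            findings.append(f"{host}: external_url is still http")
            continue
        for key in ("ssl_certificate", "ssl_certificate_key"):
            path = settings.get((section, key))
            if path is None:
                findings.append(f"{host}: {section}['{key}'] is not set")
            elif not path.startswith(LIVE_DIR):
                # certbot renews into live/<name>/; a copied file silently goes stale
                findings.append(f"{host}: {section}['{key}'] is not under {LIVE_DIR}")
        # the --webroot challenge must be served from the webroot on every requested host
        if not any(s == section and k.startswith("custom_") and "/.well-known" in v
                   for (s, k), v in settings.items()):
            findings.append(f"{host}: {section} has no /.well-known location for the ACME challenge")
    return findings


if __name__ == "__main__":
    for finding in lint_gitlab_rb(SAMPLE_GITLAB_RB):
        print(finding)
```

Run it against the real file with lint_gitlab_rb(open("/etc/gitlab/gitlab.rb").read()); an empty list means every HTTPS host has both files under the live directory and a challenge route for renewals.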

Certificate expiration?

Nothing to do here: renewal works the way we explained in our previous article.

Enjoy HTTPS on your GitLab instance with free certificates :)

Edit 2017-11-21: Update GitLab Nginx configuration.