Gitlab SSL with Let’s Encrypt

Let's Encrypt has been live since December 2015, so why not use it for free SSL certificates? Its certificates are only valid for 90 days, so we run a small script from cron to check and renew the certificate. The steps for configuring GitLab SSL with Let's Encrypt are as follows:

  1. First, install GitLab following the guide HERE.
  2. Clone the Let's Encrypt client (certbot) and run its certbot-auto wrapper once so it installs its own dependencies:
    [bash]# git clone https://github.com/certbot/certbot
    # cd certbot
    # ./certbot-auto --help[/bash]

  3. Use Let's Encrypt to generate the certificate for the git domain (git.yourdomain.com). The webroot plugin writes the HTTP-01 challenge file into GitLab's nginx document root, so GitLab must be running and reachable on port 80 from the internet while this runs:
    [bash]# ./certbot-auto certonly --webroot -w /opt/gitlab/embedded/service/gitlab-rails/public -d git.yourdomain.com[/bash]

  4. Change the following GitLab config in /etc/gitlab/gitlab.rb (replace git.yourdomain.com with your domain name). Note that once external_url starts with https, Omnibus nginx stops listening on port 80 unless you also set nginx['redirect_http_to_https'] to true; keep port 80 open that way, otherwise the webroot renewal in step 6 will fail because nothing answers the HTTP-01 check:

    [bash]external_url 'https://git.yourdomain.com'
    nginx['ssl_certificate'] = "/etc/letsencrypt/live/git.yourdomain.com/fullchain.pem"
    nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/git.yourdomain.com/privkey.pem"[/bash]

  5. Reconfigure GitLab so it rewrites the nginx config with the new certificate paths and restarts nginx, then enjoy:

    [bash]gitlab-ctl reconfigure[/bash]

  6. Set up a cron job for certificate auto-renewal:
    1. First, create a renewal script at /root/sh-renew-letsencrypt.sh. It repeats the webroot request from step 3, so GitLab must stay up while it runs (stopping GitLab would take nginx off port 80 and the HTTP-01 challenge would fail); afterwards only nginx has to reload to pick up the new files. If certbot is not on your PATH, call the certbot-auto script from step 2 by its full path instead:
      [bash]#!/bin/bash
      # Same webroot challenge as the initial request; --keep-until-expiring only replaces the
      # certificate when it is within 30 days of expiry, so the cron job is safe to run often.
      certbot certonly --webroot -w /opt/gitlab/embedded/service/gitlab-rails/public -d git.yourdomain.com --non-interactive --keep-until-expiring
      # Reload nginx so it serves the renewed certificate from /etc/letsencrypt/live/
      gitlab-ctl hup nginx[/bash]

    2. Then, set up a cron job to run it monthly (certbot only replaces the certificate when fewer than 30 days remain, so running it more often is harmless; monthly is the least you want for a 90-day certificate, weekly is a safer choice):
      [bash]# crontab -e
      0 0 1 * * bash /root/sh-renew-letsencrypt.sh[/bash]
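The whole procedure wrapped as one renewal script, as an added example that is not from the original post. Before touching anything it checks that gitlab.rb really points nginx at the Let's Encrypt files, warns when redirect_http_to_https is not true (the usual reason the webroot challenge fails after the switch to HTTPS), calls certbot only when the certificate is within 30 days of expiry, and reloads nginx instead of stopping GitLab. The function names, the DOMAIN/GITLAB_RB/CERTBOT/RENEW_DAYS variables and the sample gitlab.rb used to exercise the parser are assumptions; the paths are the ones used in the steps above.

```shell
#!/bin/bash
# Added example (not from the original post): Let's Encrypt renewal wrapper for Omnibus GitLab.
# Assumptions: certbot is on PATH (or set CERTBOT=/root/certbot/certbot-auto), and GitLab's
# nginx is the web server that answers port 80 for $DOMAIN, as in the steps above.
set -eu

DOMAIN="${DOMAIN:-git.yourdomain.com}"
GITLAB_RB="${GITLAB_RB:-/etc/gitlab/gitlab.rb}"
CERTBOT="${CERTBOT:-certbot}"
RENEW_DAYS="${RENEW_DAYS:-30}"
WEBROOT="/opt/gitlab/embedded/service/gitlab-rails/public"
LIVE_DIR="/etc/letsencrypt/live/${DOMAIN}"

# Print the value of an nginx['key'] = value line from gitlab.rb (quotes stripped).
# The last definition wins, matching how Ruby would evaluate the file.
gitlab_rb_value() {  # $1 = gitlab.rb path, $2 = key inside nginx[...]
    sed -n "s/^[[:space:]]*nginx\['$2'][[:space:]]*=[[:space:]]*[\"']\{0,1\}\([^\"'[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# True when gitlab.rb points nginx at the Let's Encrypt files for the given domain.
gitlab_rb_uses_letsencrypt() {  # $1 = gitlab.rb path, $2 = domain
    [ "$(gitlab_rb_value "$1" ssl_certificate)" = "/etc/letsencrypt/live/$2/fullchain.pem" ] &&
    [ "$(gitlab_rb_value "$1" ssl_certificate_key)" = "/etc/letsencrypt/live/$2/privkey.pem" ]
}

# True when the certificate is missing or expires within $2 days (needs openssl).
cert_expires_within_days() {  # $1 = fullchain.pem, $2 = days
    [ -r "$1" ] || return 0                      # no certificate yet: renewal is due
    ! openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))"
}

renew_gitlab_cert() {
    if ! gitlab_rb_uses_letsencrypt "$GITLAB_RB" "$DOMAIN"; then
        echo "refusing to renew: $GITLAB_RB does not point nginx at $LIVE_DIR" >&2
        return 1
    fi
    if [ "$(gitlab_rb_value "$GITLAB_RB" redirect_http_to_https)" != true ]; then
        echo "warning: nginx['redirect_http_to_https'] is not true; nginx may not answer on port 80 and the HTTP-01 check will fail" >&2
    fi
    if ! cert_expires_within_days "$LIVE_DIR/fullchain.pem" "$RENEW_DAYS"; then
        echo "certificate for $DOMAIN has more than $RENEW_DAYS days left; nothing to do"
        return 0
    fi
    # Same webroot challenge as the initial request, so GitLab's nginx must stay up.
    # --keep-until-expiring keeps repeated runs idempotent instead of forcing a new certificate.
    "$CERTBOT" certonly --webroot -w "$WEBROOT" -d "$DOMAIN" \
        --non-interactive --agree-tos --keep-until-expiring
    # Only nginx has to reload; the rest of GitLab is untouched by a new certificate.
    gitlab-ctl hup nginx
}

# Run the renewal only when invoked as "sh-renew-letsencrypt.sh run",
# so the file can also be sourced to reuse the checks.
case "${1:-}" in
    run) renew_gitlab_cert ;;
esac
```

Save it as /root/sh-renew-letsencrypt.sh and point the cron entry at bash /root/sh-renew-letsencrypt.sh run. Omnibus GitLab 10.5 and later can do all of this natively with letsencrypt['enable'] = true in gitlab.rb; the script is for installs that manage certbot themselves, as the post does.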


For IPv6-only hosts

Currently, Let's Encrypt is considering support for IPv6-only hosts, which is exciting news. The request was posted at https://community.letsencrypt.org/t/support-for-ipv6-only-hosts/354/43. (Let's Encrypt has since added IPv6 support for domain validation.)

For IPv6-only hosts, change the following line in /etc/gitlab/gitlab.rb and GitLab's nginx will listen on IPv6 as well:

[bash]nginx['listen_addresses'] = ['*', '[::]'][/bash]

For a plain Nginx server

Refer to the guide at https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/
