Gitlab SSL with Let’s Encrypt

letsencrypt-logo-largeWell, Let’s Encrypt went live from Dec 2015, so why don’t we utilize it for free SSL certificates? Since it only valid for 3 months, we can simply run the script monthly to check and renew the certificate. Detail steps for configuring Gitlab SSL with Let’s Encrypt are as follows:

  1. First, install gitlab as the guide HERE.
  2. Clone and install let’s encrypt auto script:
    [bash][root@git]# git clone
    [root@git]# cd certbot
    [root@git]# ./certbot[/bash]

  3. Use let's encrypt to generate the certificate cho git domain (
    [bash][root@git letsencrypt]# ./certbot certonly --webroot -w /opt/gitlab/embedded/service/gitlab-rails/public -d[/bash]

  4. Change the following gitlab config in /etc/gitlab/gitlab.rb (change to your domain name):

    [bash]external_url ''
    nginx['ssl_certificate'] = "/etc/letsencrypt/live/"
    nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/"[/bash]

  5. Restart gitlab and enjoy:

    [bash]gitlab-ctl reconfigure[/bash]

  6. Setup cron to run monthly for certificate auto-renewal:
    1. First, create a configuration file for auto renewal at /root/ as follows:
      [bash]gitlab-ctl stop
      certbot certonly -c /etc/gitlab/letsencrypt-gitlab.ini --renew-by-default
      gitlab-ctl start[/bash]

    2. Then, setup a cron to run it monthly / bi-monthly:
      [bash][root@git letsencrypt]# crontab -e
      0 0 1 * * bash /root/[/bash]


For IPv6-only hosts

Currently, Let's Encrypt is considering to support IPv6-only host, and it is an exciting news. The request was posted at

For IPv6-only hosts, we can change the following line in /etc/gitlab/gitlab.rb and gitlab can listen on IPv6 seamlessly:

[bash]nginx['listen_addresses'] = ['*', '[::]'][/bash]

For Nginx server only

Refer to the guide at

About NhocConan

A super lazy guy who tries to write tech blog entries in English.He is lazy, so he can only write when he is in a good mood or when he is tired of coding.

Leave a comment

Your email address will not be published. Required fields are marked *