Well, Let’s Encrypt went live in Dec 2015, so why don’t we use it for free SSL certificates? Since its certificates are only valid for 3 months, we can simply run a script monthly to check and renew the certificate. The detailed steps for configuring GitLab SSL with Let’s Encrypt are as follows:
- First, install GitLab by following the guide HERE.
- Clone and install the Let’s Encrypt auto script:
[bash][root@git]# git clone https://github.com/certbot/certbot
[root@git]# cd certbot
[root@git]# ./certbot[/bash]
- Use Let's Encrypt to generate the certificate for the git domain (git.yourdomain.com):
[bash][root@git letsencrypt]# ./certbot certonly --webroot -w /opt/gitlab/embedded/service/gitlab-rails/public -d git.yourdomain.com[/bash]
- Change the following gitlab config in /etc/gitlab/gitlab.rb (change git.yourdomain.com to your domain name):
[bash]external_url 'https://git.yourdomain.com'
nginx['ssl_certificate'] = "/etc/letsencrypt/live/git.yourdomain.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/git.yourdomain.com/privkey.pem"[/bash]
- Restart gitlab and enjoy:
[bash]gitlab-ctl reconfigure[/bash]
- Set up cron to run monthly for certificate auto-renewal:
- First, create a script for auto-renewal at /root/sh-renew-letsencrypt.sh as follows:
[bash]gitlab-ctl stop
certbot certonly -c /etc/gitlab/letsencrypt-gitlab.ini --renew-by-default
gitlab-ctl start[/bash]
- Then, set up a cron job to run it monthly / bi-monthly:
[bash][root@git letsencrypt]# crontab -e
0 0 1 * * bash /root/sh-renew-letsencrypt.sh[/bash]
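An unattended monthly renewal can fail silently, so the following added example (not part of the original post) checks the files that gitlab.rb points at: remaining validity, that privkey.pem matches fullchain.pem, and that the key is not accessible to group or other. The function names and the 30-day threshold are assumptions of this example.

```bash
#!/bin/sh
# Added example: post-renewal checks on the files gitlab.rb points at.
# Usage: sh check-gitlab-cert.sh /etc/letsencrypt/live/git.yourdomain.com 30
# Function names and the 30-day threshold are assumptions of this example.

# True if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True if the certificate ($1) and private key ($2) carry the same public key.
cert_matches_key() {
    _cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    _key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$_cert_pub" ] && [ "$_cert_pub" = "$_key_pub" ]
}

# True if group and other have no permission bits on the key file.
# -L follows the symlinks certbot keeps under live/.
key_is_private() {
    _mode=$(ls -ldL "$1" 2>/dev/null) || return 1
    case "$_mode" in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Run all three checks against a certbot "live" directory.
check_cert_pair() {
    _rc=0
    cert_valid_for_days "$1/fullchain.pem" "$2" ||
        { echo "FAIL: certificate expires within $2 days" >&2; _rc=1; }
    cert_matches_key "$1/fullchain.pem" "$1/privkey.pem" ||
        { echo "FAIL: privkey.pem does not match fullchain.pem" >&2; _rc=1; }
    key_is_private "$1/privkey.pem" ||
        { echo "FAIL: privkey.pem is accessible to group/other" >&2; _rc=1; }
    return "$_rc"
}

# Only act when called with arguments, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    check_cert_pair "$1" "$2"
fi
```

Run at the end of /root/sh-renew-letsencrypt.sh, a non-zero exit status and the messages on stderr indicate that the renewal did not leave a usable certificate in place.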
For IPv6-only hosts
Currently, Let's Encrypt is considering support for IPv6-only hosts, which is exciting news. The request was posted at https://community.letsencrypt.org/t/support-for-ipv6-only-hosts/354/43.
For IPv6-only hosts, we can change the following line in /etc/gitlab/gitlab.rb so that GitLab listens on IPv6 seamlessly:
[bash]nginx['listen_addresses'] = ['*', '[::]'][/bash]
For Nginx server only
Refer to the guide at https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/