TienLe's Blog
Lazy Development Sharing
TienLe's Blog
Lazy Development Sharing
General

Gitlab SSL with Let’s Encrypt

by |Published

letsencrypt-logo-largeWell, Let’s Encrypt went live from Dec 2015, so why don’t we utilize it for free SSL certificates? Since it only valid for 3 months, we can simply run the script monthly to check and renew the certificate. Detail steps for configuring Gitlab SSL with Let’s Encrypt are as follows:

  1. First, install gitlab as the guide HERE.
  2. Clone and install let’s encrypt auto script: 
    [bash][root@git]# git clone https://github.com/certbot/certbot
    
[root@git]# cd certbot
    
[root@git]# ./certbot[/bash]
  3. Use let's encrypt to generate the certificate cho git domain (git.yourdomain.com): 
    [bash][root@git letsencrypt]# ./certbot certonly --webroot -w /opt/gitlab/embedded/service/gitlab-rails/public -d git.yourdomain.com[/bash]
  4. Change the following gitlab config in /etc/gitlab/gitlab.rb (change git.yourdomain.com to your domain name):

    [bash]external_url 'https://git.yourdomain.com'
    nginx['ssl_certificate'] = "/etc/letsencrypt/live/git.yourdomain.com/fullchain.pem"
    nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/git.yourdomain.com/privkey.pem"[/bash]

  5. Restart gitlab and enjoy:

    [bash]gitlab-ctl reconfigure[/bash]

  6. Setup cron to run monthly for certificate auto-renewal:
    1. First, create a configuration file for auto renewal at /root/sh-renew-letsencrypt.sh as follows: 
      [bash]gitlab-ctl stop
      
certbot certonly -c /etc/gitlab/letsencrypt-gitlab.ini --renew-by-default
      
gitlab-ctl start[/bash]
    2. Then, setup a cron to run it monthly / bi-monthly: 
      [bash][root@git letsencrypt]# crontab -e
      
0 0 1 * * bash /root/sh-renew-letsencrypt.sh[/bash]

 

For IPv6-only hosts

Currently, Let's Encrypt is considering to support IPv6-only host, and it is an exciting news. The request was posted at https://community.letsencrypt.org/t/support-for-ipv6-only-hosts/354/43.

For IPv6-only hosts, we can change the following line in /etc/gitlab/gitlab.rb and gitlab can listen on IPv6 seamlessly:

[bash]nginx['listen_addresses'] = ['*', '[::]'][/bash]

For Nginx server only

Refer to the guide at https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/

AUTHOR

Conan
A super lazy guy who tries to write tech blog entries in English.He is lazy, so he can only write when he is in a good mood or when he is tired of coding.

You may also like

Leave a comment

Your email address will not be published. Required fields are marked *