How to Configure Let’s Encrypt Certificate for GitLab Server

  • Post category: Linux
  • Post last modified: July 4, 2023

Let’s Encrypt is a free, automated, and open certificate authority that provides SSL/TLS certificates for websites. By using Let’s Encrypt, you can secure your GitLab server and enable HTTPS access for your users. In this blog post, we will guide you through the process of configuring a Let’s Encrypt certificate for your GitLab server in simple and easy-to-understand steps.

Let’s Encrypt certificate for a GitLab server

To configure a Let’s Encrypt certificate for a GitLab server on DigitalOcean, follow these general steps:

  • Set up a Domain Name:

Before we start, you need to have a domain name that points to your GitLab server’s IP address. For example, I will use gitlab.example.com as my domain name. You also need to have GitLab installed and running on your server.

  • Connect to GitLab Server:

Connect to your GitLab server using SSH. You can use a terminal application like ssh or tools like PuTTY (on Windows).

  • Install Certbot:

Certbot is a widely used Let’s Encrypt client that automates the certificate issuance and renewal process. Install Certbot on your server with the following steps.

First, add the repository:

$ sudo add-apt-repository ppa:certbot/certbot

You’ll need to press ENTER to accept. Afterwards, update the package list to pick up the new repository’s package information:

$ sudo apt-get update

And finally, install Certbot with apt-get:

$ sudo apt-get install certbot

Let’s Encrypt Web Root Domain Verification:

There are multiple methods of proving domain ownership, each of which requires root or administrator access to the server. GitLab contains an internally managed Nginx web server for serving the application itself. This makes the installation rather self-contained, but it does add an additional layer of complexity when attempting to modify the web server itself.

To set up web root domain validation for GitLab, our first step will be to create a dummy document root:

$ sudo mkdir -p /var/www/letsencrypt

Next, we need to adjust GitLab’s Nginx configuration to use this directory. Open up the main GitLab configuration file by typing:

$ sudo nano /etc/gitlab/gitlab.rb

Inside, paste the following text to add a line that will inject a custom directive into GitLab’s Nginx configuration file.

Next, apply the changes to GitLab’s Nginx configuration by reconfiguring the application again:

$ sudo gitlab-ctl reconfigure

Request a Certificate with Certbot

Run the following command to obtain a Let’s Encrypt certificate using Certbot. You need to choose the web root authenticator (--webroot), pass in the document root (--webroot-path=/var/www/letsencrypt), and use the -d option to pass your domain name:

[Image: Add domain to Let's Encrypt]

You will also be prompted to accept the Let’s Encrypt terms of service. Once you are finished, Let’s Encrypt should issue you a certificate for the domain if it was able to correctly validate ownership. You should see output that looks similar to this:

[Image: Certbot output]

You can find all of the certificates and keys that were created by looking at the /etc/letsencrypt/live/your_domain directory with sudo privileges:

[Image: Verify domain with Let's Encrypt]
[Image: Let's Encrypt certificate verification output]
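
One way to carry out the web root steps and the Certbot request described above, as an added example that is not the original post's own snippet. It assumes GitLab Omnibus's `nginx['custom_gitlab_server_config']` setting and Certbot's `certonly` subcommand; the function names are hypothetical, and the functions are meant to be run as root.

```shell
#!/bin/sh
# Added example, not from the original post. Paths follow the article;
# function names are hypothetical.
WEBROOT=/var/www/letsencrypt
DIRECTIVE="nginx['custom_gitlab_server_config'] = \"location ^~ /.well-known { root $WEBROOT; }\""

# Append the directive to gitlab.rb once. If a different active value is
# already set, refuse (return 2): a second assignment would overwrite it.
ensure_acme_location() {
    conf=$1
    grep -Fxq -- "$DIRECTIVE" "$conf" && return 0
    if grep -Eq "^[[:space:]]*nginx\['custom_gitlab_server_config']" "$conf"; then
        echo "custom_gitlab_server_config already set; merge by hand" >&2
        return 2
    fi
    printf '%s\n' "$DIRECTIVE" >> "$conf"
}

# After `gitlab-ctl reconfigure`: drop a random token under the challenge
# directory and fetch it over plain HTTP, as the validation server will.
probe_webroot() {
    domain=$1
    dir="$WEBROOT/.well-known/acme-challenge"
    token="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
    body=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token") || body=
    rm -f "$dir/$token"
    [ "$body" = "$token" ]
}

# Request the certificate only when the challenge path is actually served.
request_cert() {
    domain=$1
    probe_webroot "$domain" || { echo "challenge path not served for $domain" >&2; return 1; }
    certbot certonly --webroot --webroot-path="$WEBROOT" -d "$domain"
}
```

Probing first means a misconfigured Nginx location shows up locally instead of as a failed validation attempt against Let's Encrypt.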

Configure GitLab to use the Certificate:

Depending upon the GitLab version, we can configure GitLab to use TLS/SSL for all of its traffic.

  • Edit the GitLab configuration

$ sudo nano /etc/gitlab/gitlab.rb

Look for the external_url configuration directive and update it to use HTTPS and point to your GitLab domain:

[Image: GitLab external URL]

Next, scroll back down to the GitLab Nginx section. Uncomment and modify, or simply add, the following lines.

[Image: GitLab Nginx configuration for Let's Encrypt]

Save the file by pressing Ctrl + X, and close it when you are finished.

Also, add the following lines to configure GitLab to use the Let’s Encrypt certificate:

[Image: Enable configuration for Let's Encrypt in gitlab.rb]

Save the changes and exit the editor.

  • Reconfigure GitLab

Now run the following command to reconfigure GitLab and apply the changes.

$ sudo gitlab-ctl reconfigure

GitLab will reload its configuration and start using the Let’s Encrypt certificate.
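
A pre-flight check for the gitlab.rb edits above, worth running before `gitlab-ctl reconfigure` (an added example, not from the original post). It assumes the certificate is wired in through GitLab Omnibus's `nginx['ssl_certificate']` and `nginx['ssl_certificate_key']` settings; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: check gitlab.rb against the
# files Certbot wrote. Setting names are assumed; function names are hypothetical.

# Print the quoted value from the last active (uncommented) line whose start
# matches the ERE in $2. Trailing comments on that line are not handled.
rb_value() {
    grep -E "^[[:space:]]*$2" "$1" | tail -n 1 |
        sed -E "s/.*[\"']([^\"']+)[\"'][[:space:]]*\$/\1/"
}

# Return 0 when the TLS settings are consistent; otherwise print each
# problem found and return 1.
check_gitlab_tls() {
    conf=$1 rc=0
    url=$(rb_value "$conf" "external_url")
    cert=$(rb_value "$conf" "nginx\['ssl_certificate']")
    key=$(rb_value "$conf" "nginx\['ssl_certificate_key']")
    host=${url#*://}; host=${host%%[:/]*}

    case $url in
        https://*) ;;
        *) echo "external_url is not https: '$url'"; rc=1 ;;
    esac
    [ -s "$cert" ] || { echo "certificate missing or empty: '$cert'"; rc=1; }
    [ -s "$key" ]  || { echo "private key missing or empty: '$key'"; rc=1; }
    # Certbot names the live/ directory after the first -d domain.
    [ "$(basename "$(dirname "$cert")")" = "$host" ] ||
        { echo "certificate path does not belong to host '$host'"; rc=1; }
    [ "$(dirname "$cert")" = "$(dirname "$key")" ] ||
        { echo "certificate and key come from different directories"; rc=1; }
    # -L follows Certbot's symlink from live/ into archive/.
    if [ -e "$key" ] && [ "$(ls -ldL -- "$key" | cut -c5-10)" != "------" ]; then
        echo "private key is readable by group or others"; rc=1
    fi
    return $rc
}
```

Run it as `check_gitlab_tls /etc/gitlab/gitlab.rb` with root privileges, since the /etc/letsencrypt/live directory is not readable by ordinary users.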

  • Set up certificate Auto Renewal:

Let’s Encrypt certificates are valid for a limited period, typically 90 days. To automate the renewal process, you can set up a cron job that runs Certbot’s renewal command periodically.

Now run the following command to open the cron configuration file.

$ crontab -e

To test the renewal process, you can do a dry run with Certbot:

$ sudo certbot renew --dry-run

Conclusion:

Your GitLab server should now be configured with a Let’s Encrypt certificate. Accessing https://gitlab.example.com should show the GitLab interface over a secure HTTPS connection. Remember to replace gitlab.example.com with your actual domain name.
