Let’s Encrypt is a free, automated, and open certificate authority that provides SSL/TLS certificates for websites. By using Let’s Encrypt, you can secure your GitLab server and enable HTTPS access for your users. In this blog post, we will guide you through the process of configuring a Let’s Encrypt certificate for your GitLab server in simple and easy-to-understand steps.
Let’s Encrypt certificate for a GitLab server
To configure a Let’s Encrypt certificate for a GitLab server on DigitalOcean, you need to follow these general steps:
- Set up a Domain Name:
Before we start, you need to have a domain name that points to your GitLab server’s IP address. For example, I will use gitlab.example.com as my domain name. You also need to have GitLab installed and running on your server.
- Connect to GitLab Server:
Connect to your GitLab server using SSH. You can use a terminal application like ssh or tools like PuTTY (on Windows).
- Install Certbot:
Certbot is a widely used Let’s Encrypt client that automates the certificate issuance and renewal process. Install Certbot on your server by following these instructions.
First, add the repository:
$ sudo add-apt-repository ppa:certbot/certbot
You’ll need to press ENTER to accept. Afterwards, update the package list to pick up the new repository’s package information:
$ sudo apt-get update
And finally, install Certbot with apt-get:
$ sudo apt-get install certbot
Let’s Encrypt Web Root Domain Verification:
There are multiple methods of proving domain ownership, each of which requires root or administrator access to the server. GitLab contains an internally managed Nginx web server for serving the application itself. This makes the installation rather self-contained, but it adds a layer of complexity when you try to modify the web server itself.
To set up web root domain validation for GitLab, our first step will be to create a dummy document root:
$ sudo mkdir -p /var/www/letsencrypt
Next, we need to adjust GitLab’s Nginx configuration to use this directory. Open up the main GitLab configuration file by typing:
$ sudo nano /etc/gitlab/gitlab.rb
Inside, paste the following text to add a line that injects a custom directive into GitLab’s Nginx configuration file.
Next, apply the changes to GitLab’s Nginx configuration by reconfiguring the application again:
$ sudo gitlab-ctl reconfigure
Request a Certificate with Certbot
Run the following command to obtain a Let’s Encrypt certificate using Certbot. You need to choose the web root authenticator (--webroot), pass in the document root (--webroot-path=/var/www/letsencrypt), and use the -d option to pass your domain name:
You will also be prompted to accept the Let’s Encrypt terms of service. Once you are finished, Let’s Encrypt should issue you a certificate for the domain if it was able to correctly validate ownership. You should see output that looks similar to this:
You can find all of the certificates and keys that were created by looking at the /etc/letsencrypt/live/your_domain directory with sudo privileges:
Configure GitLab to use the Certificate:
Depending on the GitLab version, we can configure GitLab to use TLS/SSL for all of its traffic.
- Edit the GitLab configuration
$ sudo nano /etc/gitlab/gitlab.rb
Look for the external_url configuration directive and update it to use HTTPS and point to your GitLab domain:
Next, scroll back down to the GitLab Nginx section. Uncomment and modify, or simply add, the following lines.
Save the file by pressing Ctrl + X and close it when you are finished.
Also, add the following lines to configure GitLab to use the Let’s Encrypt certificate:
Save the changes and exit the editor.
- Reconfigure GitLab
Now, run the following command to reconfigure GitLab and apply the changes.
$ sudo gitlab-ctl reconfigure
GitLab will reload its configuration and start using the Let’s Encrypt certificate.
- Set up certificate Auto Renewal:
Let’s Encrypt certificates are valid for a limited period, typically 90 days. To automate the renewal process, you can set up a cron job that runs Certbot’s renewal command periodically.
Now, run the following command to open the cron configuration file.
$ crontab -e
To test the renewal process, you can do a dry run with certbot:
$ sudo certbot renew --dry-run
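The configuration this guide describes, rendered and pre-checked by a small POSIX shell script. This is an added example, not code from the post or from GitLab; it assumes curl is installed, the dummy webroot created above, and the standard Omnibus GitLab setting names for Nginx TLS and custom server configuration.

```shell
#!/bin/sh
# Added helper script, not code from the original post. It renders the
# gitlab.rb lines this guide describes for one domain and checks, before
# certbot is run, that GitLab's bundled Nginx serves the dummy webroot.
# Assumptions: curl is installed; WEBROOT matches the directory created above.
set -eu

WEBROOT=/var/www/letsencrypt

# Accept only a plain hostname: gitlab.rb is evaluated as Ruby by
# gitlab-ctl reconfigure, so an unchecked value must never be written there.
valid_domain() {
  printf '%s' "$1" | grep -Eqi '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# Print the settings to add to /etc/gitlab/gitlab.rb for DOMAIN.
gitlab_tls_snippet() {
  domain="$1"
  valid_domain "$domain" || { echo "invalid domain: $domain" >&2; return 1; }
  cat <<EOF
external_url 'https://${domain}'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/letsencrypt/live/${domain}/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/${domain}/privkey.pem"
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known { root ${WEBROOT}; }"
EOF
}

# Drop a random token under the ACME challenge path and fetch it over plain
# HTTP, which is what Let's Encrypt does during webroot validation.
preflight_webroot() {
  domain="$1"
  dir="${WEBROOT}/.well-known/acme-challenge"
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  sudo mkdir -p "$dir"
  printf '%s' "$token" | sudo tee "${dir}/${token}" >/dev/null
  got=$(curl -fsS "http://${domain}/.well-known/acme-challenge/${token}" || true)
  sudo rm -f "${dir}/${token}"
  if [ "$got" = "$token" ]; then
    echo "webroot check passed for ${domain}"
  else
    echo "webroot check FAILED: run gitlab-ctl reconfigure and retry" >&2
    return 1
  fi
}

# Example run (kept as comments so sourcing the file only defines functions):
#   gitlab_tls_snippet gitlab.example.com | sudo tee -a /etc/gitlab/gitlab.rb
#   sudo gitlab-ctl reconfigure && preflight_webroot gitlab.example.com
```

After certbot renew replaces the files under /etc/letsencrypt/live, GitLab's bundled Nginx keeps serving the old certificate until it is reloaded, for example with sudo gitlab-ctl hup nginx run from a certbot --deploy-hook.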
Conclusion:
Your GitLab server should now be configured with a Let’s Encrypt certificate. Accessing https://gitlab.example.com should show the GitLab interface over a secure HTTPS connection. Remember to replace gitlab.example.com with your actual domain name.