I have explained How to Install GitLab in a Disconnected Environment in a past article. In this article you will learn how to use self-signed or custom SSL certificates to secure your GitLab servers.
You can use any of the certificate types listed below with this method, depending on your environment.
- Self-signed SSL certificates and key
- Custom CA signed SSL certificate and key
- Let’s Encrypt SSL certificates and key
Follow the steps below to configure GitLab with a custom SSL certificate.
Copy SSL Certificate and Key
Create the /etc/gitlab/git-ssl/ directory if it does not exist.
$ mkdir /etc/gitlab/git-ssl/
Copy the custom SSL certificate and key to the /etc/gitlab/git-ssl/ directory.
root@masadmin:/etc/gitlab/git-ssl# ls -l
total 12
-rw-r--r-- 1 root root 1533 Jul  9 04:32 git-cer.crt
-rw-r--r-- 1 root root 1116 Jul  9 04:31 git-csr.crt
-rw-r--r-- 1 root root 1704 Jul  9 04:26 git-priv.key
root@masadmin:/etc/gitlab/git-ssl#
Configure /etc/gitlab/gitlab.rb
Edit the /etc/gitlab/gitlab.rb file and configure the items below.
nano /etc/gitlab/gitlab.rb
1. Disable Let’s Encrypt certificate renewal in the /etc/gitlab/gitlab.rb file.
letsencrypt['auto_renew'] = false
# letsencrypt['auto_renew'] = true
letsencrypt['auto_renew'] = false
2. You can use any custom file names, or keep the naming that the GitLab configuration uses by default. In my case, I followed the GitLab file format and kept the SSL configuration keys as they are, changing only the certificate and key paths.
# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
nginx['ssl_certificate'] = "/etc/gitlab/git-ssl/git-cer.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/git-ssl/git-priv.key"
3. Change the external_url parameter in the /etc/gitlab/gitlab.rb file from http to https.
external_url 'https://gitlab-ce.lab.local'
Reconfigure GitLab
Reconfigure GitLab and wait for the reconfiguration to complete.
$ sudo gitlab-ctl reconfigure
root@masadmin:~# sudo gitlab-ctl reconfigure
[2023-07-09T04:48:10+00:00] INFO: Started Cinc Zero at chefzero://localhost:1 with repository at /opt/gitlab/embedded (One version per cookbook)
Cinc Client, version 17.10.0
Patents: https://www.chef.io/patents
Infra Phase starting
[2023-07-09T04:48:10+00:00] INFO: *** Cinc Client 17.10.0 ***
[2023-07-09T04:48:10+00:00] INFO: Platform: x86_64-linux
[2023-07-09T04:48:10+00:00] INFO: Cinc-client pid: 105916
[2023-07-09T04:48:11+00:00] INFO: Setting the run_list to ["recipe[gitlab]"] from CLI options
[2023-07-09T04:48:11+00:00] INFO: Run List is [recipe[gitlab]]
[2023-07-09T04:48:11+00:00] INFO: Run List expands to [gitlab]
[2023-07-09T04:48:11+00:00] INFO: Starting Cinc Client Run for masadmin
[2023-07-09T04:48:11+00:00] INFO: Running start handlers
[2023-07-09T04:48:11+00:00] INFO: Start handlers complete.
Resolving cookbooks for run list: ["gitlab"]
[2023-07-09T04:48:12+00:00] INFO: Loading cookbooks [gitlab@0.0.1, package@0.1.0, logrotate@0.1.0, postgresql@0.1.0, redis@0.1.0, registry@0.1.0, gitaly@0.1.0, praefect@0.1.0, gitlab-kas@0.1.0, gitlab-pages@0.1.0, ...]
Synchronizing cookbooks:
  - gitlab (0.0.1)
  - package (0.1.0)
  - logrotate (0.1.0)
  - postgresql (0.1.0)
  - redis (0.1.0)
  - registry (0.1.0)
  - gitaly (0.1.0)
  - praefect (0.1.0)
  - gitlab-kas (0.1.0)
  - gitlab-pages (0.1.0)
....
....
[2023-07-09T04:48:43+00:00] INFO: template[/var/opt/gitlab/gitlab-kas/gitlab-kas-config.yml] sending restart action to runit_service[gitlab-kas] (delayed)
Recipe: gitlab-kas::enable
  * runit_service[gitlab-kas] action restart (up to date)
[2023-07-09T04:48:54+00:00] INFO: template[/var/opt/gitlab/nginx/conf/gitlab-http.conf] sending restart action to runit_service[nginx] (delayed)
Recipe: nginx::enable
  * runit_service[nginx] action restart (up to date)
[2023-07-09T04:48:54+00:00] INFO: Cinc Client Run complete in 42.685590335 seconds
Running handlers:
[2023-07-09T04:48:54+00:00] INFO: Running report handlers
Running handlers complete
[2023-07-09T04:48:54+00:00] INFO: Report handlers complete
Infra Phase complete, 8/813 resources updated in 43 seconds
gitlab Reconfigured!
root@masadmin:/etc/gitlab/git-ssl#
Restart GitLab to use the latest configuration
$ sudo gitlab-ctl restart
root@masadmin:~# sudo gitlab-ctl status
run: alertmanager: (pid 50126) 82169s; run: log: (pid 49936) 82206s
run: gitaly: (pid 50049) 82178s; run: log: (pid 49238) 82316s
run: gitlab-exporter: (pid 50098) 82170s; run: log: (pid 49692) 82226s
run: gitlab-kas: (pid 106390) 73s; run: log: (pid 49440) 82304s
run: gitlab-workhorse: (pid 50075) 82172s; run: log: (pid 49575) 82244s
run: logrotate: (pid 104730) 3129s; run: log: (pid 49190) 82326s
run: nginx: (pid 106404) 72s; run: log: (pid 49661) 82237s
run: node-exporter: (pid 50092) 82171s; run: log: (pid 49679) 82232s
run: postgres-exporter: (pid 50139) 82168s; run: log: (pid 49957) 82202s
run: postgresql: (pid 49289) 82311s; run: log: (pid 49356) 82308s
run: prometheus: (pid 50107) 82170s; run: log: (pid 49879) 82214s
run: puma: (pid 106340) 94s; run: log: (pid 49506) 82255s
run: redis: (pid 49193) 82324s; run: log: (pid 49212) 82321s
run: redis-exporter: (pid 50100) 82171s; run: log: (pid 49855) 82221s
run: sidekiq: (pid 106302) 103s; run: log: (pid 49535) 82250s
root@masadmin:~#
root@masadmin:~# sudo gitlab-ctl restart
ok: run: alertmanager: (pid 106651) 0s
ok: run: gitaly: (pid 106663) 0s
ok: run: gitlab-exporter: (pid 106685) 0s
ok: run: gitlab-kas: (pid 106695) 0s
ok: run: gitlab-workhorse: (pid 106709) 0s
ok: run: logrotate: (pid 106724) 1s
ok: run: nginx: (pid 106730) 0s
ok: run: node-exporter: (pid 106742) 1s
ok: run: postgres-exporter: (pid 106748) 0s
ok: run: postgresql: (pid 106757) 0s
ok: run: prometheus: (pid 106766) 0s
ok: run: puma: (pid 106790) 1s
ok: run: redis: (pid 106795) 0s
ok: run: redis-exporter: (pid 106802) 1s
ok: run: sidekiq: (pid 106811) 0s
root@masadmin:~#
Now open the external_url from a web browser and verify the SSL certificate.
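The steps above have a few points that are easy to get subtly wrong: a quick grep for a setting also matches the commented-out default lines, a certificate that does not belong to the key only fails once nginx restarts, and the directory listing above shows git-priv.key with mode 0644, which lets any local account read the private key. The POSIX shell script below is an added example, not part of the original article or of GitLab itself; it checks those points before the reconfigure and, after the restart, prints the certificate nginx actually serves. It parses only the active (non-comment) lines of gitlab.rb for the three settings changed above, checks that the key is readable by its owner only, compares the public key in the certificate with the one derived from the key, and queries port 443 with openssl. The gitlab.rb excerpt it writes to a temporary file is constructed for the demonstration; the function names, the use of the host name gitlab-ce.lab.local from the external_url above, and the assumption that openssl is installed on the host are mine.

```shell
#!/bin/sh
# Added example, not from the original article. Pre-flight and post-restart
# checks for a GitLab Omnibus custom-certificate setup. Function names and the
# sample gitlab.rb below are constructed for illustration.

# Print only the active lines of a gitlab.rb file (no comments, no blanks), so
# the commented-out defaults that Omnibus ships are never mistaken for settings.
active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Print the quoted value of a setting, e.g. nginx['ssl_certificate'].
# The last active assignment wins, which matches how Ruby evaluates the file.
setting_value() {
    # $1 = gitlab.rb path, $2 = setting name as written in the file (fixed string)
    active_lines "$1" | grep -F "$2" | tail -n 1 \
        | sed -n "s/.*['\"]\([^'\"]*\)['\"].*/\1/p"
}

# Verify the three changes made above. Prints one line per problem found and
# returns 1 if there were any, 0 if the file is ready for gitlab-ctl reconfigure.
check_gitlab_rb() {
    rb="$1"; problems=0
    url=$(setting_value "$rb" "external_url")
    case "$url" in
        https://*) ;;
        *) echo "external_url is '$url' (expected https://...)"; problems=1 ;;
    esac
    crt=$(setting_value "$rb" "nginx['ssl_certificate']")
    key=$(setting_value "$rb" "nginx['ssl_certificate_key']")
    [ -n "$crt" ] || { echo "nginx['ssl_certificate'] is not set"; problems=1; }
    [ -n "$key" ] || { echo "nginx['ssl_certificate_key'] is not set"; problems=1; }
    # The article turns Let's Encrypt renewal off so Omnibus leaves this certificate alone.
    if ! active_lines "$rb" | grep -Eq "letsencrypt\['auto_renew'\][[:space:]]*=[[:space:]]*false"; then
        echo "letsencrypt['auto_renew'] is not set to false"; problems=1
    fi
    return $problems
}

# A private key should be readable by its owner only (mode 0600); the listing
# in the article shows 0644. Columns 5-10 of ls -l are the group/other bits.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Confirm certificate and key belong together by comparing their public keys.
# Requires openssl on the host; returns 0 on a match.
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# After gitlab-ctl restart: show what nginx presents on port 443 for a host name.
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate -fingerprint -sha256
}

# --- demonstration on a constructed gitlab.rb excerpt mirroring the edits above ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
external_url 'https://gitlab-ce.lab.local'
# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
nginx['ssl_certificate'] = "/etc/gitlab/git-ssl/git-cer.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/git-ssl/git-priv.key"
# letsencrypt['auto_renew'] = true
letsencrypt['auto_renew'] = false
EOF
if check_gitlab_rb "$sample"; then
    echo "gitlab.rb settings: OK"
else
    echo "gitlab.rb settings: fix the items above before running gitlab-ctl reconfigure"
fi
rm -f "$sample"

# On the real host, run these as root before the reconfigure and after the restart:
#   check_gitlab_rb /etc/gitlab/gitlab.rb
#   key_is_private  /etc/gitlab/git-ssl/git-priv.key || chmod 600 /etc/gitlab/git-ssl/git-priv.key
#   cert_key_match  /etc/gitlab/git-ssl/git-cer.crt /etc/gitlab/git-ssl/git-priv.key
#   served_cert     gitlab-ce.lab.local
```

If key_is_private fails, chmod 600 on the key is enough: nginx reads the key as root when it starts, so no other account needs access to it. served_cert passes the host name through SNI, so it shows the certificate a browser would get for the external_url rather than a default virtual host; compare its SHA-256 fingerprint with the one in git-cer.crt.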