Setting up gitlab with free SSL-Certs from Let's Encrypt on Ubuntu 14.04

Setup Let's Encrypt

Because we want to install some packages and run Let's Encrypt as root, let's switch to the root user first.

sudo -i

To grab the latest version of Let's Encrypt we need to install git.

apt-get update && apt-get install git

Clone Let's Encrypt Client

Now we can clone the Let's Encrypt client into root's home folder.

cd /root  
git clone https://github.com/letsencrypt/letsencrypt  

Create a Let's Encrypt config file

We don't want to type long options on the command line, so let's start with a
config file for the gitlab instance we will install later.

mkdir letsencrypt-config  
nano letsencrypt-config/gitlab.ini  

Paste the following lines into our gitlab.ini file.

# this is the Let's Encrypt config for our gitlab instance

# use the webroot authenticator
authenticator = webroot
# the following path needs to be served by our webserver
# to validate our domains
webroot-path = /var/www/letsencrypt

# generate certificates for the specified domains
domains = gitlab.yourdomain.com

# register certs with the following email address
email = your@email.com

# use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

We are going to use the webroot authentication method to validate our domain specified in the config file. In this case this is gitlab.yourdomain.com.

Remember to replace the domain with the domain you want to run your gitlab on.

If it doesn't exist yet, create the folder from which the authentication files will be served.

mkdir -p /var/www/letsencrypt

We need to provide an email address for the certificate request. This email will be used to contact you if there are any issues with your certificate. Replace it with your email address.

And finally we set a larger key size to increase security.

Install gitlab

curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash

apt-get install gitlab-ce  

After installing gitlab-ce we need to modify the gitlab config to suit our needs

nano /etc/gitlab/gitlab.rb

and change the following lines

external_url "http://gitlab.yourdomain.com/"

nginx['redirect_http_to_https'] = true

nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"

nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem"  

Replace the domain with yours.

We also add the following line so that nginx serves /.well-known from /var/www/letsencrypt/.well-known for our webroot authentication.

nginx['custom_gitlab_server_config']="location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"  

Let's reconfigure our gitlab instance to activate the new configuration

gitlab-ctl reconfigure

Create certificates

/root/letsencrypt/letsencrypt-auto certonly -c /root/letsencrypt-config/gitlab.ini

This will install some Let's Encrypt dependencies and show you a dialog in which you have to agree to the Terms of Service of Let's Encrypt.

Then we can change our gitlab config to https://.

nano /etc/gitlab/gitlab.rb

and change external_url "http://gitlab.yourdomain.com/" to external_url "https://gitlab.yourdomain.com/"

Finally we need to reconfigure gitlab to activate the new certificates and settings.

gitlab-ctl reconfigure

Auto update for certificates

Let's Encrypt certificates are valid for 90 days only, so we are going to renew them every month by setting up a cronjob.

To set up a monthly cronjob, create a file called renew-ssl-certificates in /etc/cron.monthly.

nano /etc/cron.monthly/renew-ssl-certificates

and paste in the following content.

#!/bin/bash
# stop here if the renewal fails, so gitlab is not restarted with an unchanged certificate
set -e

/root/.local/share/letsencrypt/bin/letsencrypt certonly -c /root/letsencrypt-config/gitlab.ini --renew-by-default

gitlab-ctl restart

This will renew our existing certificates and restart our gitlab instance every month. The --renew-by-default flag skips the dialogs from letsencrypt-auto.
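The cron script above renews unconditionally and restarts gitlab whether or not a new certificate was written, and nothing checks that the /.well-known alias from gitlab.rb actually works until the ACME validation fails. The following is an added example (my own script, not the Let's Encrypt client's or GitLab's) of a renewal job that covers both the alias setup from the gitlab.rb section and the monthly renewal: it probes the challenge path through nginx first, renews only when the certificate is within a threshold of expiry, and restarts gitlab only if the certificate's fingerprint actually changed. The paths match this post; RENEW_THRESHOLD_DAYS and PROBE_NAME are this script's own knobs, not letsencrypt options, and curl and openssl are assumed to be installed.

```shell
#!/bin/bash
# Added example for this post (not the Let's Encrypt client's or GitLab's own
# script): probe the /.well-known alias, renew only near expiry, and restart
# gitlab only when a new certificate was actually written.
# Assumptions: paths as in the post; RENEW_THRESHOLD_DAYS and PROBE_NAME are
# this script's own settings, not letsencrypt options; curl and openssl exist.
set -eu

LE_BIN=/root/.local/share/letsencrypt/bin/letsencrypt
LE_CONFIG=/root/letsencrypt-config/gitlab.ini
WEBROOT=/var/www/letsencrypt
DOMAIN=gitlab.yourdomain.com
CERT=/etc/letsencrypt/live/$DOMAIN/fullchain.pem
RENEW_THRESHOLD_DAYS=30
PROBE_NAME=renewal-probe

# URL under which the ACME validator expects a challenge token to be reachable.
challenge_url() {
    echo "http://$1/.well-known/acme-challenge/$2"
}

# Write a token into the webroot and fetch it back through gitlab's nginx.
# If the alias in gitlab.rb is wrong this fails before letsencrypt is run.
probe_webroot() {
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    token=$(date +%s)
    echo "$token" > "$dir/$PROBE_NAME"
    fetched=$(curl -fsS "$(challenge_url "$DOMAIN" "$PROBE_NAME")")
    rm -f "$dir/$PROBE_NAME"
    [ "$fetched" = "$token" ]
}

# Seconds until the certificate's notAfter, read with openssl (GNU date -d).
seconds_until_expiry() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( $(date -d "$not_after" +%s) - $(date +%s) ))
}

# Renew when fewer than $2 days remain; 0 means the certificate is already expired.
needs_renewal() {
    [ "$1" -lt $(( $2 * 86400 )) ]
}

fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# A successful renewal must leave a certificate with a different fingerprint.
cert_changed() {
    [ "$1" != "$2" ]
}

main() {
    if ! needs_renewal "$(seconds_until_expiry "$CERT")" "$RENEW_THRESHOLD_DAYS"; then
        echo "$DOMAIN: certificate still valid for more than $RENEW_THRESHOLD_DAYS days"
        return 0
    fi
    if ! probe_webroot; then
        echo "$DOMAIN: challenge path is not served, check the nginx alias in gitlab.rb" >&2
        return 1
    fi
    before=$(fingerprint "$CERT")
    "$LE_BIN" certonly -c "$LE_CONFIG" --renew-by-default
    after=$(fingerprint "$CERT")
    if ! cert_changed "$before" "$after"; then
        echo "$DOMAIN: renewal ran but the certificate did not change" >&2
        return 1
    fi
    gitlab-ctl restart
}

# Run only when invoked as the cron script, so the helpers can also be sourced.
if [ "$(basename -- "$0")" = "renew-ssl-certificates" ]; then
    main "$@"
fi
```

Installed as /etc/cron.monthly/renew-ssl-certificates this replaces the two-line script; because the job bails out before any restart when the probe or the renewal fails, a broken alias or a failed validation shows up in the cron mail instead of as an unexplained gitlab restart.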

And there it is, your own gitlab instance with a valid SSL certificate.
You can login to gitlab with username: root and password: 5iveL!fe .

Christian
