In our earlier articles, we covered the installation of GitLab CE on Ubuntu, Debian, CentOS, and Fedora Linux distributions. In today's article, we will see how you can secure a GitLab server with an SSL certificate so that access to GitLab is over HTTPS.
There are two scenarios we’ll consider for configuring GitLab HTTPS access:
- Secure GitLab Server with a commercial SSL certificate (e.g. DigiCert, Comodo, etc.)
- Secure GitLab Server with a Let's Encrypt SSL certificate
If you’re interested in doing a fresh installation of GitLab CE on your new server, these guides should come in handy:
Install Gitlab CE on Ubuntu 18.04 / Debian 9
Install GitLab CE on Debian 10
Secure GitLab Server with a Commercial SSL Certificate
Commercial SSL certificates are DV (Domain Validation) certificates trusted by all popular web browsers. You purchase such a certificate from a trusted commercial Certificate Authority (CA) such as Comodo, DigiCert, GeoTrust, etc.
After purchasing your certificate, download the certificate file and place it, together with the private key, in the /etc/gitlab/ssl/ directory:
/etc/gitlab/ssl/git.example.com.key
/etc/gitlab/ssl/git.example.com.crt
Then configure the SSL settings in your /etc/gitlab/gitlab.rb file. First, change the external URL from http to https:
external_url 'https://git.example.com'
Under the ## GitLab NGINX section, enable Nginx and provide the SSL certificate and key paths:
nginx['enable'] = true
nginx['client_max_body_size'] = '250m'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/git.example.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/git.example.com.key"
nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"
The other SSL settings are commented out; read through them and change whatever fits your deployment. When done, run the following command to apply the changes:
sudo gitlab-ctl reconfigure
Wait for the command to finish, then visit https://git.example.com to log in to your GitLab dashboard.
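The most common slip in the step above is pointing nginx['ssl_certificate'] at the .key file and nginx['ssl_certificate_key'] at the .crt file, which makes the reconfigure fail. The following pre-flight check is an added example, not GitLab's own tooling: it reads the active nginx['ssl_*'] lines from gitlab.rb text, verifies each path holds the kind of PEM object its setting expects, and flags deprecated protocol versions. The file contents are passed in as a dict (constructed stand-ins here) so it runs offline; the deprecated-protocol list is an assumption of this check, not something the article states.

```python
import re

# Hypothetical pre-flight checker (added example, not part of GitLab): confirm
# that each nginx ssl_* path holds the right PEM object before reconfiguring.
SETTING_RE = re.compile(
    r"""^\s*nginx\['(ssl_certificate|ssl_certificate_key|ssl_protocols)'\]"""
    r"""\s*=\s*['"]([^'"]*)['"]""", re.M)
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}  # assumption: this check's own policy

def parse_nginx_ssl(gitlab_rb):
    """Return the uncommented nginx ssl_* settings as {name: value}."""
    return dict(SETTING_RE.findall(gitlab_rb))

def pem_kind(contents):
    """Classify a PEM file as 'cert', 'key' or 'unknown' by its first header."""
    head = contents.lstrip().split("\n", 1)[0]
    if head == "-----BEGIN CERTIFICATE-----":
        return "cert"
    if head.startswith("-----BEGIN") and head.endswith("PRIVATE KEY-----"):
        return "key"
    return "unknown"

def check_nginx_ssl(gitlab_rb, files):
    """files maps path -> contents (absent key = file missing).
    Returns a list of problems; an empty list means the settings look sane."""
    s = parse_nginx_ssl(gitlab_rb)
    problems = []
    for name, want in (("ssl_certificate", "cert"), ("ssl_certificate_key", "key")):
        path = s.get(name)
        if path is None:
            problems.append(f"{name} is not set")
        elif path not in files:
            problems.append(f"{name}: {path} does not exist")
        elif pem_kind(files[path]) != want:
            problems.append(f"{name}: {path} holds a {pem_kind(files[path])}, "
                            f"expected {want} (paths swapped?)")
    weak = DEPRECATED_PROTOCOLS & set(s.get("ssl_protocols", "").split())
    if weak:
        problems.append("ssl_protocols enables deprecated " + " ".join(sorted(weak)))
    return problems

# Constructed sample: the article's two paths assigned the wrong way round.
SAMPLE_RB = """
external_url 'https://git.example.com'
nginx['ssl_certificate'] = "/etc/gitlab/ssl/git.example.com.key"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/git.example.com.crt"
nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"
"""
SAMPLE_FILES = {  # constructed stand-ins for the real PEM files
    "/etc/gitlab/ssl/git.example.com.crt": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    "/etc/gitlab/ssl/git.example.com.key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
}
```

Run check_nginx_ssl on the text of /etc/gitlab/gitlab.rb and the real file contents; an empty list means the paths are consistent and you can proceed to gitlab-ctl reconfigure.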
Secure GitLab Server with Let’s Encrypt SSL Certificate
Open the file /etc/gitlab/gitlab.rb and look for the Let's Encrypt integration section.
Note that you need a domain name with a valid A record pointing to your GitLab server to obtain a Let's Encrypt certificate. Set your server hostname to the DNS name that has the valid A record:
sudo hostnamectl set-hostname git.example.com --static
The compulsory settings are:
letsencrypt['enable'] = true
letsencrypt['contact_emails'] = ['[email protected]'] # This should be an array of email addresses to add as contacts
letsencrypt['auto_renew'] = true
You can also specify the hour and the day of the month on which your certificate is automatically renewed:
letsencrypt['auto_renew_hour'] = 3
letsencrypt['auto_renew_day_of_month'] = "*/7"
When done, run the following command to apply the changes:
sudo gitlab-ctl reconfigure
The reconfiguration must complete successfully for HTTPS to work on the GitLab server. To validate the GitLab settings, run the command:
$ sudo gitlab-rake gitlab:check
Checking GitLab Shell ...
GitLab Shell version >= 8.4.1 ? ... OK (8.4.1)
hooks directories in repos are links: ... can't check, you have no projects
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Reply by email is disabled in config/gitlab.yml
Checking LDAP ...
Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
Checking LDAP ... Finished
Checking GitLab ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ... can't check, you have no projects
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.4.5)
Git version >= 2.9.5 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 2
Checking GitLab ... Finished