(Last Updated On: December 12, 2018)

In our earlier articles, we covered the installation of GitLab CE on Ubuntu, Debian, CentOS, and Fedora Linux distributions. In today’s article, we will see how you can secure GitLab Server with SSL Certificate. Access to GitLab will be via HTTPS protocol.

There are two scenarios we’ll consider for configuring GitLab HTTPS access:

  • Secure GitLab Server with a Commercial SSL Certificate – E.g DigiCert, Comodo e.t.c
  • Secure GitLab Server with Let’s Encrypt SSL Certificate

If you’re interested in doing a fresh installation of GitLab CE on your new server, these guides should come in handy:

Install Gitlab CE on Ubuntu 18.04 / Debian 9

Install Gitlab CE on CentOS 7 / Fedora 29 / Fedora 28

Secure GitLab Server with a Commercial SSL Certificate

Commercial SSL certificates is a DV (Domain Validation) trustworthy certificate supported by all popular web browsers. You’ll purchase this certificate from a trusted, commercial Certificate Authority (CA) such as Comodo, DigiCert, GeoTrust e.t.c.

After purchasing your certificate, download the Certificate file and put it with the private key to the /etc/gitlab/ssl/ directory.

/etc/gitlab/ssl/git.example.com.key
/etc/gitlab/ssl/git.example.com.crt

Then configure SSL settings on your /etc/gitlab/gitlab.rb file. First, change external URL from http to https

external_url 'https://git.example.com'

Under the ## GitLab NGINX section, enable Nginx and provide SSL key and certificate paths.

nginx['enable'] = true
nginx['client_max_body_size'] = '250m'
nginx['redirect_http_to_https'] = true

nginx['ssl_certificate'] = "/etc/gitlab/ssl/git.example.com.key"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/git.example.com.crt"
nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"

Other SSL settings are commented, you can read them and make changes you fit for your deployment. When done, run the following command to effect the changes:

sudo gitlab-ctl reconfigure

Wait for the command to finish executing then visit the URL https://git.example.com to Login to your GitLab dashboard.

Secure GitLab Server with Let’s Encrypt SSL Certificate

Open the file /etc/gitlab/gitlab.rband look for Let's Encrypt integration section.

Note that you need a Domain name with Valid A record pointing to your GitLab server to get a Let’s Encrypt certificate. Set your server hostname to DNS name with a  valid A record:

sudo hostnamectl set-hostname git.example.com --static

The compulsory settings are:

letsencrypt['enable'] = true
letsencrypt['contact_emails'] = ['[email protected]'] # This should be an array of email addresses to add as contacts
letsencrypt['auto_renew'] = true

You can also specify the autorenew hour and day of the month for your certificate

letsencrypt['auto_renew_hour'] = 3
letsencrypt['auto_renew_day_of_month'] = "*/7"

When done, run the following command to effect the changes:

sudo gitlab-ctl reconfigure

Your reconfiguration should return a success for https to work on GitLab server. To validate GitLab settings, run the command:

$ sudo gitlab-rake gitlab:check  

Checking GitLab Shell ...
GitLab Shell version >= 8.4.1 ? ... OK (8.4.1)
hooks directories in repos are links: ... can't check, you have no projects
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK

Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished
Checking Gitaly ...
default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Reply by email is disabled in config/gitlab.yml
Checking LDAP ...
Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
Checking LDAP ... Finished

Checking GitLab ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ... can't check, you have no projects
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.4.5)
Git version >= 2.9.5 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 2

Checking GitLab ... Finished

If you need LDAP Authentication on your GitLab Server, read:

How to Configure GitLab FreeIPA Authentication