In our earlier articles, we covered the installation of GitLab CE on Ubuntu, Debian, CentOS, and Fedora Linux distributions. In today’s article, we will see how you can secure GitLab Server with SSL Certificate. Access to GitLab will be via HTTPS protocol.

There are two scenarios we’ll consider for configuring GitLab HTTPS access:

  • Secure GitLab Server with a Commercial SSL Certificate – E.g DigiCert, Comodo e.t.c
  • Secure GitLab Server with Let’s Encrypt SSL Certificate

If you’re interested in doing a fresh installation of GitLab CE on your new server, these guides should come in handy:

Install Gitlab CE on Ubuntu

Install GitLab CE on Debian 10

Install Gitlab CE on CentOS 7

Install GitLab CE on CentOS 8

Secure GitLab Server with a Commercial SSL Certificate

Commercial SSL certificates is a DV (Domain Validation) trustworthy certificate supported by all popular web browsers. You’ll purchase this certificate from a trusted, commercial Certificate Authority (CA) or reseller such as Comodo, DigiCert, GeoTrust, SSL2BUY e.t.c.

After purchasing your certificate, download the Certificate file and put it with the private key to the /etc/gitlab/ssl/ directory.

/etc/gitlab/ssl/git.example.com.key
/etc/gitlab/ssl/git.example.com.crt

Then configure SSL settings on your /etc/gitlab/gitlab.rb file. First, change external URL from http to https

external_url 'https://git.example.com'

Under the ## GitLab NGINX section, enable Nginx and provide SSL key and certificate paths.

nginx['enable'] = true
nginx['client_max_body_size'] = '250m'
nginx['redirect_http_to_https'] = true

nginx['ssl_certificate'] = "/etc/gitlab/ssl/git.example.com.key"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/git.example.com.crt"
nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"

Other SSL settings are commented, you can read them and make changes you fit for your deployment. When done, run the following command to effect the changes:

sudo gitlab-ctl reconfigure

Wait for the command to finish executing then visit the URL https://git.example.com to Login to your GitLab dashboard.

Secure GitLab Server with Let’s Encrypt SSL Certificate

Open the file /etc/gitlab/gitlab.rband look for Let's Encrypt integration section.

Note that you need a Domain name with Valid A record pointing to your GitLab server to get a Let’s Encrypt certificate. Set your server hostname to DNS name with a  valid A record:

sudo hostnamectl set-hostname git.example.com --static

The compulsory settings are:

letsencrypt['enable'] = true
letsencrypt['contact_emails'] = ['[email protected]'] # This should be an array of email addresses to add as contacts
letsencrypt['auto_renew'] = true

You can also specify the autorenew hour and day of the month for your certificate

letsencrypt['auto_renew_hour'] = 3
letsencrypt['auto_renew_day_of_month'] = "*/7"

When done, run the following command to effect the changes:

sudo gitlab-ctl reconfigure

Your reconfiguration should return a success for https to work on GitLab server. To validate GitLab settings, run the command:

$ sudo gitlab-rake gitlab:check  

Checking GitLab Shell ...
GitLab Shell version >= 8.4.1 ? ... OK (8.4.1)
hooks directories in repos are links: ... can't check, you have no projects
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK

Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished
Checking Gitaly ...
default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Reply by email is disabled in config/gitlab.yml
Checking LDAP ...
Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
Checking LDAP ... Finished

Checking GitLab ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ... can't check, you have no projects
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.4.5)
Git version >= 2.9.5 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 2

Checking GitLab ... Finished

GitLab CI Learning Courses:

Git Learning Video Courses:

More on GitLab.

How to Disable User Creation (Signup) on GitLab welcome page

How to Configure GitLab FreeIPA Authentication

GitLab and Slack Integration for notifications

Your support is our everlasting motivation,
that cup of coffee is what keeps us going!

As we continue to grow, we would wish to reach and impact more people who visit and take advantage of the guides we have on our blog. This is a big task for us and we are so far extremely grateful for the kind people who have shown amazing support for our work over the time we have been online.

Thank You for your support as we work to give you the best of guides and articles. Click below to buy us a coffee.

Coffee Box

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here