1. Home
  2. VPS
  3. Tutorials
  4. How to secure Gitlab with Let’s Encrypt on CentOS 7

How to secure Gitlab with Let’s Encrypt on CentOS 7

Gitlab is an alternative for solutions like Github or Bitbucket. You can either use their hosted version (Gitlab is USA based) or run your own Gitlab on a VPS with Yourwebhoster.eu. With the hosted version you benefit of the fact that you know where your data is and that you are in control. By default, the hosted version comes with http. In this article we show you how to secure Gitlab with Let’s Encrypt on CentOS 7.

Install epel-release

Although the default CentOS repository is packed with lots of packages, you will find that the epel repository will provide you an extended set of packages. Installation is simple:

yum install epel-release -y

Install certbot

Requesting and installing a certificate can be done using certbot. Install certbot using the following command:

yum install certbot -y

Prepare Gitlab for Let’s Encrypt

Instead of e-mail verification, Let’s Encrypt verifies your domain using file verification. Certbot will add a verification file on your server, which will get downloaded by Let’s encrypt and upon verification it will return the certificate files. Certbot automates this process, however since Gitlab works a little bit differently than common setups, we will need to make some manual adjustments.

First, we need to create a folder where the Let’s encrypt verification files will be stored.

mkdir -p /var/www/public/letsencrypt

Secondly, we need to configure Gitlab to pass any /.well-known requests to the desired folder. Open /etc/gitlab/gitlab.rb and find the following:

# web_server['home'] = '/var/opt/gitlab/nginx'

Add below this:

nginx['custom_gitlab_server_config'] = "location ^~ /.well-known {
    root /var/www/public/letsencrypt;
}"

With the following command gitlab will reconfigure nginx to support Let’s encrypt:

gitlab-ctl reconfigure

Request the Let’s encrypt certificate

Run the following command to request the certificate. Fill in the requested data and agree with the Terms of Service.

certbot certonly --webroot --webroot-path=/var/www/public/letsencrypt -d yourdomain.com

Certbot will request the certificates and store the certificate and key in /etc/letsencrypt/live/yourdomain.com. If certbot failes, make sure that the domain resolves correctly into the IP of your server and that your server is publicly accessible. Only setting the /etc/hosts file won’t cut it, as the domain should be publicly reachable to complete the verification.

Configure Gitlab with the new certificates

Open up /etc/gitlab/gitlab.rb and update external_url with https instead of http.

external_url 'https://git.yourwebhoster.eu'

Search in the same file for nginx[‘redirect_http_to_https’] and uncomment this line. Change false to true, as we want to redirect http traffic to the secured connection.

nginx['redirect_http_to_https'] = true

Now we have to install the certificates. Find the following lines:

# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"

Uncomment the lines and replace their values with the following:

nginx['ssl_certificate'] = "/etc/letsencrypt/live/yourdomain.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/yourdomain.com/privkey.pem"

Save the file.

Update the firewall

Make sure that your firewall supports https by allowing incoming TCP traffic on port 443. Since http traffic is redirected you should leave TCP port 80 open as well.

If you are using the default firewall, you can run the following:

firewall-cmd --permanent --add-service=https

Reconfigure gitlab for https

Reconfigure gitlab to enable support for https using the following command:

gitlab-ctl reconfigure

Certificate renewal

The downside of Let’s encrypt is that a certificate is only valid for 90 days. This means that you will have to renew this every 90 days or less. Luckily, we are using certbot who automates this for you. The only thing you have to do, is configured a cron command via crontab -e :

0 2 1 * * /usr/bin/certbot renew --quiet --renew-hook "/usr/bin/gitlab-ctl restart nginx"

The cron will renew the certificate every month. Your Gitlab is now secured via https.

Updated on May 6, 2017

Was this article helpful?

Related Articles