Skip to content

Configure Custom SSL to Secure GitLab Server


I have explained How to Install GitLab in a Disconnected Environment in a past article. In this article you will learn how to use self-signed or custom SSL certificates to secure your GitLab servers.

You can use any of the below listed certificates depends on your environments for this method.

  • Self-signed SSL certificates and key
  • Custom CA signed SSL certificate and key
  • Let’s Encrypt SSL certificates and key

Follow below steps to configure GitLab with custom SSL certificate.

Copy SSL Certificate and Key

Create the ssl directory if does not exist.

$ mkdir /etc/gitlab/ssl/

Copy custom SSL certificate and key to the /etc/gitlab/ssl/ directory.

sudo ls -l /etc/gitlab/ssl
total 8
-rw-r--r--. 1 root root 2222 Dec 22 13:06 gitlab-ce.lab.local.crt
-rw-------. 1 root root 1679 Dec 22 13:06 gitlab-ce.lab.local.key

Configure /etc/gitlab/gitlab.rb

Edit /etc/gitlab/gitlab.rb file and configure below items.

1. Disable Let’s Encrypt and renewal in /etc/gitlab/gitlab.rb file

letsencrypt['auto_renew'] = false

2. You can use any custom names or keep the file format as per GitLab configuration. In my case, I follow the GitLab file format and did not change filename or path inside configuration for SSL.

# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"

3. Change the external_url parameter in /etc/gitlab/gitlab.rb file (from http to https)

external_url 'https://gitlab-ce.lab.local'

Reconfigure the GitLab

Reconfigure the GitLab and wait for re-configuration to complete.

$ sudo gitlab-ctl reconfigure

Restart GitLab to use the latest configuration

$sudo gitlab-ctl restart

Now verify access to from a web browser and verify the SSL certificate.

Disclaimer: The views expressed and the content shared are those of the author and do not reflect the views of the author's employer or techbeatly platform.


Gineesh has worked as a Systems Engineer, Automation Specialist, and content author. His primary focus is on Ansible Automation, Containerisation (OpenShift & Kubernetes), and Infrastructure as Code (Terraform). (aka Gini Gangadharan - iamgini.com)

Comments

2 Responses

  1. Connor says:

    Hi, I followed these steps but my browser says the gitlab installation is insecure as the SSL certificate is self signed. I am also unable to push to the repo for the same reason, anyway to make a self signed certificate secure? Thanks

  2. Yes, browser will say its not secure as its self-signed. this is the expected behaviour unless you are using a valid CA signed certificate.

    You can disable SSL certificate validation globally by git config --global http.sslVerify false
    or git config http.sslVerify "false"

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: