Ross's Shared News Items

Thursday, July 17, 2014

HOWTO: Configure Gitlab 7 Omnibus install on Ubuntu to use SSL

Gitlab is a great tool for managing source code. Gitlab's omnibus install on Ubuntu is great too -- an easy install, and a clearly documented, simple upgrade path. I wanted to make Gitlab use SSL, but I found the documentation for what I thought was the most common install to be sparse, outdated, and confusing. (Then again, I've found many things about SSL certificates in general to be poorly documented and confusing... maybe it's just me.)

This guide assumes that you have a running Gitlab instance on Linux, installed via the Gitlab omnibus install mentioned above. It also assumes that you already have either a specific SSL certificate for your site (ex: gitlab-foo.yourdomain.com) or a wildcard SSL certificate for your site (ex: *.yourdomain.com).

Below is a summary of what I did to convert my Gitlab instance to use SSL. I hope this is helpful to others:

My server: Ubuntu 12.04 x64 HVM - running in Amazon Web Services on a C3.Large instance. At the time I installed this, there were some issues that prevented me from deploying Ubuntu 14.04, but I expect everything below should work exactly the same for Ubuntu 14.04.

Put your ssl certificates on gitlab server

mkdir -p /etc/nginx/ssl

Put your SSL certificate and key in this directory as:
   server.crt <-- certificate (public key)
   server.key <-- private key in .pem format (a first line containing something like BEGIN ___ PRIVATE KEY indicates .pem format)

Edit gitlab.rb template config file

Edit /etc/gitlab/gitlab.rb and add or modify the following lines:

  external_url 'https://your.domain.com'
  nginx['redirect_http_to_https'] = true
  nginx['ssl_certificate'] = "/etc/nginx/ssl/server.crt"
  nginx['ssl_certificate_key'] = "/etc/nginx/ssl/server.key"

Edit gitlab.yml config file

Edit /var/opt/gitlab/gitlab-rails/etc/gitlab.yml and set:

  port: 443
  https: true

Edit gitlab-shell/config.yml

Edit /var/opt/gitlab/gitlab-shell/config.yml and set:

  ca_file: /etc/nginx/ssl/server.crt
  ca_path: /etc/nginx/ssl
  gitlab_url: "https://127.0.0.1:8080"

Reconfigure with chef and restart

sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart

.... and that should do it!
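
A check that can be run after placing the files in /etc/nginx/ssl and before the reconfigure step (added example, not part of the original post; the function names and the script name preflight.sh are hypothetical). It confirms that server.key is a PEM private key, that it is not accessible to group or others, and that it belongs to server.crt:

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate and key from this guide.
# Function names are hypothetical; the paths in the usage line are the guide's.

# True if the file's first line is a PEM private-key header, e.g.
# "-----BEGIN RSA PRIVATE KEY-----" or "-----BEGIN PRIVATE KEY-----".
is_pem_private_key() {
  head -n 1 "$1" | grep -Eq '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----'
}

# True if group and others have no permission bits on the file.
# Reads the mode string from ls (characters 5-10 of "-rw-------").
is_private_to_owner() {
  perms=$(ls -ldL "$1" | cut -c5-10) || return 1
  [ "$perms" = "------" ]
}

# True if the certificate and the private key contain the same public key.
# Each openssl call is checked on its own so that two failures can never
# compare equal; "-passin pass:" makes an encrypted key fail, not prompt.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs all three checks, reports every failure, returns non-zero on any.
preflight() {
  cert=$1 key=$2 rc=0
  is_pem_private_key "$key" || { echo "FAIL: $key is not a PEM private key"; rc=1; }
  is_private_to_owner "$key" || { echo "FAIL: $key is accessible to group/others"; rc=1; }
  cert_matches_key "$cert" "$key" || { echo "FAIL: $cert does not match $key"; rc=1; }
  return "$rc"
}

# Usage: sudo sh preflight.sh /etc/nginx/ssl/server.crt /etc/nginx/ssl/server.key
if [ "$#" -ge 2 ]; then
  preflight "$1" "$2" && echo "OK: certificate and key checks passed"
fi
```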

4 comments:

Sytse said...

Hi Ross,

Thanks for spreading the word about GitLab!

For your information, there is also a way to enable ssl for GitLab Rails and GitLab Shell completely through Omnibus, please see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#enable-https

Best regards,
Sytse

Ross said...

Thanks, Sytse - I missed that after my initial install was up and running. It would be a good idea in my opinion to reference the omnibus README.md link in the default gitlab installation.md doc to make it easier for people searching the web after an install to find. Keep up the great work! :)

Sytse said...

Thanks for your suggestion Ross, I added the link with https://gitlab.com/gitlab-com/www-gitlab-com/commit/f360a5ee2872c5833699b762b8aa00cd7a8a650c

Unknown said...

Helpful post and still very relevant, thank you for the info Ross!