I have explained How to Install GitLab in a Disconnected Environment in a past article. In this article you will learn how to use self-signed or custom SSL certificates to secure your GitLab servers.
You can use any of the certificates listed below with this method, depending on your environment.
- Self-signed SSL certificates and key
- Custom CA signed SSL certificate and key
- Let’s Encrypt SSL certificates and key
Follow the steps below to configure GitLab with a custom SSL certificate.
Copy SSL Certificate and Key
Create the ssl directory if it does not exist.
$ sudo mkdir -p /etc/gitlab/ssl/
Copy the custom SSL certificate and key to the /etc/gitlab/ssl/ directory.
$ sudo ls -l /etc/gitlab/ssl
total 8
-rw-r--r--. 1 root root 2222 Dec 22 13:06 gitlab-ce.lab.local.crt
-rw-------. 1 root root 1679 Dec 22 13:06 gitlab-ce.lab.local.key
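The copied files can be checked from the shell before GitLab is reconfigured: key permissions, that the certificate and key belong together, that the certificate covers the host name, and that it is not about to expire. This is an added example, not part of the original article; check_gitlab_tls and make_demo_pair are hypothetical helper names, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files placed in /etc/gitlab/ssl.
# check_gitlab_tls and make_demo_pair are hypothetical helper names.

# Usage: check_gitlab_tls CERT KEY FQDN [MIN_DAYS]
check_gitlab_tls() {
    cert=$1 key=$2 fqdn=$3 min_days=${4:-30}
    rc=0

    # 1. The private key must not be accessible to group or others
    #    (characters 5-10 of the ls mode string, e.g. -rw-------).
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group/other" >&2; rc=1
    fi

    # 2. Certificate and key must carry the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate and key do not match" >&2; rc=1
    fi

    # 3. The certificate must be valid for the host used in external_url.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
            grep -q "does match certificate"; then
        echo "FAIL: certificate does not cover $fqdn" >&2; rc=1
    fi

    # 4. The certificate must not expire within MIN_DAYS days.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: certificate expires within $min_days days" >&2; rc=1
    fi
    return $rc
}

# Constructed sample input: a throwaway self-signed pair named $2 in dir $1.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null &&
    chmod 600 "$1/$2.key" && chmod 644 "$1/$2.crt"
}
```

On the GitLab server, run check_gitlab_tls as root against /etc/gitlab/ssl/gitlab-ce.lab.local.crt and /etc/gitlab/ssl/gitlab-ce.lab.local.key with gitlab-ce.lab.local as the host name.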
Configure /etc/gitlab/gitlab.rb
Edit the /etc/gitlab/gitlab.rb file and configure the items below.
1. Disable Let’s Encrypt and its automatic renewal in the /etc/gitlab/gitlab.rb file.
letsencrypt['enable'] = false
letsencrypt['auto_renew'] = false
2. You can use custom file names or keep the file naming format from the GitLab configuration. In my case, I followed the GitLab file format and did not change the filename or path inside the configuration for SSL.
# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
3. Change the external_url parameter in the /etc/gitlab/gitlab.rb file (from http to https).
external_url 'https://gitlab-ce.lab.local'
Reconfigure GitLab
Reconfigure GitLab and wait for the reconfiguration to complete.
$ sudo gitlab-ctl reconfigure
Restart GitLab to use the latest configuration
$ sudo gitlab-ctl restart
Now verify access to GitLab from a web browser and verify the SSL certificate.