Setup HTTPS for Gitlab

From Bonus Bits

Purpose

This article gives the steps to set up self-signed SSL/TLS HTTPS access to a Gitlab and Gitlab CI omnibus installation. The example was written for version 7.7.1.


Prerequisites


Change URL in Config File

sudo vim /etc/gitlab/gitlab.rb
external_url 'https://gitlab.domain.com'

Enable HTTP Redirect to HTTPS (Optional)

  1. For Gitlab site
    nginx['redirect_http_to_https'] = true
    
  2. For Gitlab CI Site (Optional)
    ci_nginx['redirect_http_to_https'] = true
    

Note: Leave TCP port 80 open on the firewall(s) to take advantage of this option.


Create Certificate Folder

sudo mkdir -p /etc/gitlab/ssl
sudo chmod 700 /etc/gitlab/ssl


Create Self-Signed Certificate (Option 1)

Create one set for Gitlab and optionally another set for Gitlab CI.
Generate Self-Signed SSL Certificate with OpenSSL


Create Trusted Certificate (Option 2)

HowTo: Generate Trusted SSL Certificate with OpenSSL


Deploy Trusted SSL Cert to GitLab

  1. Place the certificate here /etc/gitlab/ssl/gitlab.domain.com.crt
  2. Remove Certificate Request File
    sudo rm -v /etc/gitlab/ssl/gitlab.domain.com.csr
    
  3. Set file permissions
    sudo chmod 600 /etc/gitlab/ssl/gitlab.domain.com.*
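
A sanity check for the files this section produces, as an added example that is not part of the original article. It assumes the article's naming, with the certificate and private key stored in /etc/gitlab/ssl as gitlab.domain.com.crt and gitlab.domain.com.key (the .key name is an assumption; the page only shows the .crt and .csr), and that openssl is installed. Run it before the reconfigure step; it prints each problem it finds and exits non-zero.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check the key and
# certificate pair before running `gitlab-ctl reconfigure`. Paths are taken
# as arguments so it can be pointed at a staging directory; defaults match
# the article. Usage: check_gitlab_tls gitlab.domain.com [/etc/gitlab/ssl]

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_gitlab_tls() {
  fqdn=$1
  dir=${2:-/etc/gitlab/ssl}
  crt="$dir/$fqdn.crt"
  key="$dir/$fqdn.key"
  rc=0

  # 1. Directory and files must exist with the modes the article sets
  #    (700 on the folder, 600 on the key and certificate).
  [ -d "$dir" ] || { echo "missing directory $dir"; return 1; }
  [ "$(file_mode "$dir")" = 700 ] || { echo "$dir is not mode 700"; rc=1; }
  for f in "$crt" "$key"; do
    [ -f "$f" ] || { echo "missing $f"; return 1; }
    [ "$(file_mode "$f")" = 600 ] || { echo "$f is not mode 600"; rc=1; }
  done

  # 2. The article deletes the CSR once the certificate is in place; flag leftovers.
  [ ! -e "$dir/$fqdn.csr" ] || { echo "CSR still present: $dir/$fqdn.csr"; rc=1; }

  # 3. The private key must belong to the certificate: compare public keys.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate"; rc=1; }

  # 4. The certificate must name the host from external_url (SAN or CN);
  #    otherwise browsers and the CI OAuth client reject it even when trusted.
  if ! openssl x509 -in "$crt" -noout -text | grep -q "DNS:$fqdn" &&
     ! openssl x509 -in "$crt" -noout -subject | grep -Eq "CN ?= ?$fqdn"; then
    echo "certificate does not name $fqdn"; rc=1
  fi

  # 5. Validity window: -checkend 0 fails once the notAfter date has passed.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
    { echo "certificate has expired"; rc=1; }
  return $rc
}
```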
    


Run Reconfiguration

  1. Run configuration wizard (Chef Solo Setup)
    sudo gitlab-ctl reconfigure
    
  2. Restart Services
    sudo gitlab-ctl restart
    


Configure Firewall

HTTPS TCP Port 443 Default Iptables Usage Here


Add CA Certificates

A 500 error may appear when you attempt to authorize Gitlab CI to use your Gitlab account. This is most likely an SSL verification error. To fix this for self-signed certificates, add the public certificate to the system trust store.

  1. Install the ca-certificates package
    yum install ca-certificates
    
  2. Enable the dynamic CA configuration feature:
    update-ca-trust enable
    
  3. Add it as a new file to /etc/pki/ca-trust/source/anchors/
    cp /etc/gitlab/ssl/gitlab.domain.com.crt /etc/pki/ca-trust/source/anchors/
    
  4. Update Trust
    update-ca-trust extract
    

Hack

sudo vim /opt/gitlab/embedded/service/gitlab-ci/app/controllers/user_sessions_controller.rb
  # OAuth2 client that Gitlab CI uses to talk to the Gitlab server.
  # ssl: { verify: false } turns off certificate verification for this client,
  # which is what sidesteps the 500 error with a self-signed certificate.
  def client
    @client ||= ::OAuth2::Client.new(
      GitlabCi.config.gitlab_server.app_id,
      GitlabCi.config.gitlab_server.app_secret,
      {
        site: GitlabCi.config.gitlab_server.url,
        authorize_url: '/oauth/authorize',
        token_url: '/oauth/token',
        ssl: {
          verify: false
        }
      }
    )
  end
sudo gitlab-ctl restart



Troubleshooting

  • Read through the Chef steps from the reconfigure starting at Recipe: gitlab::nginx
  • Check that it's listening on 443
    sudo netstat -tan | grep 443
    
  • Look at nginx configuration results /var/opt/gitlab/nginx/conf/gitlab-http.conf
  • Review Logs
    sudo less /var/log/gitlab/nginx/gitlab_access.log
    
    sudo less /var/log/gitlab/nginx/gitlab_error.log
    

