Setup HTTPS for Gitlab

From Bonus Bits


This article gives the steps to set up self-signed SSL/TLS HTTPS access to Gitlab and Gitlab CI on an omnibus setup. The example was written for version 7.7.1.


Change URL in Config File

sudo vim /etc/gitlab/gitlab.rb
external_url ''

Enable HTTP Redirect to HTTPS (Optional)

  1. For Gitlab site
    nginx['redirect_http_to_https'] = true
  2. For Gitlab CI Site (Optional)
    ci_nginx['redirect_http_to_https'] = true

Note: Leave TCP port 80 open on the firewall(s) to take advantage of this option.

Create Certificate Folder

sudo mkdir -p /etc/gitlab/ssl
sudo chmod 700 /etc/gitlab/ssl

Create Self-Signed Certificate (Option 1)

Create one set for Gitlab and optionally another set for Gitlab CI.
Generate Self-Signed SSL Certificate with OpenSSL

Create Trusted Certificate (Option 2)

HowTo: Generate Trusted SSL Certificate with OpenSSL

Deploy Trusted SSL Cert to GitLab

  1. Place the certificate here /etc/gitlab/ssl/
  2. Remove Certificate Request File
    sudo rm -v /etc/gitlab/ssl/
  3. Set file permissions
    sudo chmod 600 /etc/gitlab/ssl/*
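
The folder and deploy steps above should leave /etc/gitlab/ssl at mode 700, its files at 600, and no certificate request file behind. The check below is an added example, not part of the original article; it assumes the request file ends in .csr (the article does not name it) and that GNU stat is available, as on yum-based systems.

```shell
#!/bin/sh
# Added example: audit the certificate folder after the deploy steps.
# Assumptions (not from the article): request files end in .csr,
# and GNU stat (stat -c) is available.

audit_ssl_dir() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 2
    fi
    # The article sets the folder itself to 700 (owner only).
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "700" ]; then
        echo "DIR MODE: $dir is $mode, expected 700"
        findings=$((findings + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.csr)  # the request file should have been removed
                echo "LEFTOVER CSR: $f"
                findings=$((findings + 1))
                continue ;;
        esac
        # Flag any file that carries group or other permission bits.
        fmode=$(stat -c '%a' "$f")
        case "$fmode" in
            ?00) ;;
            *)  echo "FILE MODE: $f is $fmode, expected 600"
                findings=$((findings + 1)) ;;
        esac
    done
    # Succeed only when nothing was flagged.
    [ "$findings" -eq 0 ]
}

# Run as: sudo sh audit_ssl_dir.sh /etc/gitlab/ssl
if [ "$#" -gt 0 ]; then
    audit_ssl_dir "$1" && echo "OK: $1"
fi
```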

Run Reconfiguration

  1. Run configuration wizard (Chef Solo Setup)
    sudo gitlab-ctl reconfigure
  2. Restart Services
    sudo gitlab-ctl restart

Configure Firewall

HTTPS: TCP port 443 (default). Iptables Usage Here

Add CA Certificates

A 500 error may appear when you attempt to authorize Gitlab-CI to use your account. This is most likely caused by an SSL verification error. To fix this for self-signed certificates, add the public cert to the system trust store.

  1. Install the ca-certificates package
    yum install ca-certificates
  2. Enable the dynamic CA configuration feature:
    update-ca-trust enable
  3. Add it as a new file to /etc/pki/ca-trust/source/anchors/
    cp /etc/gitlab/ssl/ /etc/pki/ca-trust/source/anchors/
  4. Update Trust
    update-ca-trust extract


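sudo vim /opt/gitlab/embedded/service/gitlab-ci/app/controllers/user_sessions_controller.rb

def client
  # verify: false turns off TLS certificate verification for the OAuth client
  @client ||= ::OAuth2::Client.new(
    GitlabCi.config.gitlab_server.app_id,
    GitlabCi.config.gitlab_server.app_secret,
    site: GitlabCi.config.gitlab_server.url,
    authorize_url: '/oauth/authorize',
    token_url: '/oauth/token',
    ssl: {
      verify: false
    }
  )
end

sudo gitlab-ctl restart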


  • Read through the Chef steps from the reconfigure starting at Recipe: gitlab::nginx
  • Check that it's listening on 443
    sudo netstat -tan | grep 443
  • Look at nginx configuration results /var/opt/gitlab/nginx/conf/gitlab-http.conf
  • Review Logs
    sudo less /var/log/gitlab/nginx/gitlab_access.log
    sudo less /var/log/gitlab/nginx/gitlab_error.log
