Setup HTTPS for Gitlab

Purpose

This article gives the steps to setup a Self-Signed SSL/TLS HTTPS access to Gitlab and Gitlab CI omnibus setup. Example wrote for version 7.7.1.

Prerequisites

• Install Gitlab on CentOS

Change URL in Config File

sudo vim /etc/gitlab/gitlab.rb

external_url 'https://gitlab.domain.com'

Enable HTTP Redirect to HTTPS (Optional)

1. For Gitlab site

   nginx['redirect_http_to_https'] = true
   

2. For Gitlab CI Site (Optional)

   ci_nginx['redirect_http_to_https'] = true
   

Leave TCP Port 80 open on firewall/s to take advantage of this option.

Create Certificate Folder

sudo mkdir -p /etc/gitlab/ssl

sudo chmod 700 /etc/gitlab/ssl

Create Self-Signed Certificate (Option 1)

Create one set for Gitlab and optionally another set for Gitlab CI.
Generate Self-Signed SSL Certificate with OpenSSL

Create Trusted Certificate (Option 2)

HowTo: Generate Trusted SSL Certificate with OpenSSL

Deploy Trusted SSL Cert to GitLab

1. Place the certificate here /etc/gitlab/ssl/gitlab.domain.com.crt
2. Remove Certificate Request File

   sudo rm -v /etc/gitlab/ssl/gitlab.domain.com.csr
   

3. Set file permissions

   sudo chmod 600 /etc/gitlab/ssl/gitlab.domain.com.*
   

Run Reconfiguration

1. Run configuration wizard (Chef Solo Setup)

   sudo gitlab-ctl reconfigure
   

2. Restart Services

   sudo gitlab-ctl restart
   

Configure Firewall

HTTPS TCP Port 443 Default Iptables Usage Here

Add CA Certificates

It may pop up a 500 error when you attempt to authorize Gitlab-CI to use your account. It is most likely because of an SSL verification error. To fix this for self-signed certificates, add the public cert to the system.

1. Install the ca-certificates package

   yum install ca-certificates
   

2. Enable the dynamic CA configuration feature:

   update-ca-trust enable
   

3. Add it as a new file to /etc/pki/ca-trust/source/anchors/

   cp /etc/gitlab/ssl/gitlab.domain.com.crt /etc/pki/ca-trust/source/anchors/
   

4. Update Trust

   update-ca-trust extract
   

Hack

sudo vim /opt/gitlab/embedded/service/gitlab-ci/app/controllers/user_sessions_controller.rb

def client
    @client ||= ::OAuth2::Client.new(
      GitlabCi.config.gitlab_server.app_id,
      GitlabCi.config.gitlab_server.app_secret,
      {
        site: GitlabCi.config.gitlab_server.url,
        authorize_url: '/oauth/authorize',
        token_url: '/oauth/token',
        ssl: {
          verify: false
        }
      }
    )
  end

sudo gitlab-ctl restart

Troubleshooting

• Read through the Chef steps from the reconfigure starting at Recipe: gitlab::nginx
• Check that it's listening on 443

  sudo netstat -tan | grep 443
  

• Look at nginx configuration results /var/opt/gitlab/nginx/conf/gitlab-http.conf
• Review Logs

  sudo less /var/log/gitlab/nginx/gitlab_access.log
  

  sudo less /var/log/gitlab/nginx/gitlab_error.log
  

Related Articles

• Install Gitlab on CentOS
• Install Gitlab CI on CentOS
• Setup LDAP on Gitlab
• Setup Access to First Project on Gitlab

Sources

• https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md
• http://www.cyberciti.biz/faq/nginx-self-signed-certificate-tutorial-on-centos-redhat-linux/
• https://gitlab.com/gitlab-org/gitlab-ci/issues/89
• https://gitlab.com/gitlab-org/gitlab-ci/issues/93