• Date: 8/19/16
• Ubuntu: 16.04
• Gitlab: 8.10.5

This guide borrows heavily from https://webnugget.de/setting-up-gitlab-with-free-ssl-certs-from-lets-encrypt-on-ubuntu-14-04/ and has been updated as needed.

This guide also assumes an existing and working Gitlab install.

Install Let's Encrypt

Level up to root (we assume root for the rest of this guide) and install Let's Encrypt:

$ sudo su
$ apt-get update && apt-get install letsencrypt

Set up Let's Encrypt configuration

$ mkdir /root/letsencrypt-config
$ nano /root/letsencrypt-config/gitlab.ini

Add the following config:

# this is the Let's Encrypt config for our Gitlab instance

# use the webroot authenticator.
authenticator = webroot

# the following path needs to be served by our webserver to validate our domains
webroot-path = /var/www/letsencrypt

# generate certificates for the specified domains.
domains = <DOMAIN>

# register certs with the following email address
email = <EMAIL>

# use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

Change <DOMAIN> to the domain of your Gitlab instance and <EMAIL> to your email. The rest can stay the same for all installs.

We probably need to create that webroot-path:

$ mkdir -p /var/www/letsencrypt

This is where our authentication files are stored. Let's Encrypt will check them when issuing you a cert later on.

Set up Gitlab to use SSL

Edit gitlab config:

$ nano /etc/gitlab/gitlab.rb

And change the following lines (nginx settings are near the end):

nginx['redirect_http_to_https'] = true

nginx['ssl_certificate'] = "/etc/letsencrypt/live/<DOMAIN>/fullchain.pem"

nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/<DOMAIN>/privkey.pem"

nginx['custom_gitlab_server_config'] = "location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"

Be sure to change both instances of <DOMAIN>. Also note that we have not changed the external_url to https:// yet. Leave it for now.

Now we need to apply our changes and restart affected services:

$ gitlab-ctl reconfigure

Generate cert and reconfigure Gitlab

It's finally time to get our cert:

$ letsencrypt certonly -c /root/letsencrypt-config/gitlab.ini

Note: You may have to agree to their terms if this is the first time running letsencrypt.

It's now time to update Gitlab to your SSL domain. Edit gitlab.rb:

$ nano /etc/gitlab/gitlab.rb

And change to https:

external_url "https://<DOMAIN>/"

Be sure to use your domain.

Now, reconfigure Gitlab:

$ gitlab-ctl reconfigure

And visit your new HTTPS Gitlab install!

Autorenew cert (optional, but recommended)

Because Let's Encrypt certs only last 90 days, we need to renew them. We can add a cron job that renews once a month and restarts nginx.

Create a monthly cron job:

$ sudo nano /etc/cron.monthly/renew-ssl-certificates

And add the contents:

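#!/bin/bash

# Renew any certificates that are due for renewal
/usr/bin/letsencrypt renew

# Restart Gitlab's bundled nginx so it loads the renewed certificate
gitlab-ctl restart nginx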

Make sure it's executable:

$ sudo chmod +x /etc/cron.monthly/renew-ssl-certificates
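
An added example, not part of the original guide: because the cron job above runs only once a month against a 90-day certificate, a single failed run leaves little margin, so this script checks the expiry of the certificate nginx serves and reports when it is getting close. It assumes openssl is installed; the script name, the function names and the 21-day default threshold are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Assumes openssl is installed; CERT is the fullchain.pem that gitlab.rb points at.

# check_cert CERT WARN_DAYS
# Returns 0 = valid beyond WARN_DAYS, 1 = expires within WARN_DAYS,
#         2 = already expired,        3 = missing or not a PEM certificate.
check_cert() {
    cert=$1
    warn_days=$2
    # Reject files openssl cannot parse, so a broken symlink is not read as "fine".
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 3
    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1 || return 2
    openssl x509 -noout -checkend "$((warn_days * 86400))" -in "$cert" \
        >/dev/null 2>&1 || return 1
    return 0
}

# report_cert CERT WARN_DAYS
# Prints one status line (problems go to stderr) and keeps check_cert's status.
report_cert() {
    rc=0
    check_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $1 valid for more than $2 days" ;;
        1) echo "WARNING: $1 expires within $2 days:" \
                "$(openssl x509 -noout -enddate -in "$1")" >&2 ;;
        2) echo "CRITICAL: $1 has expired" >&2 ;;
        3) echo "CRITICAL: $1 is missing or unreadable" >&2 ;;
    esac
    return "$rc"
}

# Usage: sh check-cert.sh /etc/letsencrypt/live/<DOMAIN>/fullchain.pem [WARN_DAYS]
# The 21-day default is an assumed threshold; pick one that suits your schedule.
[ "$#" -eq 0 ] || report_cert "$1" "${2:-21}"
```

Running it from a more frequent cron entry than the renewal itself gives the non-zero exit status and the warning line a chance to be noticed before the certificate lapses.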