Install Let’s Encrypt Certificate on Gitlab CentOS 7

Install epel-release. The EPEL repository provides extra packages that are not in the base CentOS 7 repositories, including certbot.

yum install epel-release -y

Install certbot

yum install certbot -y

Create the folder where the Let's Encrypt HTTP validation files (the ACME challenge tokens) will be stored.

mkdir -p /var/www/public/letsencrypt

Configure GitLab's bundled nginx to serve any /.well-known request from that folder, so the ACME server can fetch the challenge token over plain HTTP on port 80.

Edit following file

vi /etc/gitlab/gitlab.rb

Find the following line (web_server['home']) and add the nginx setting below it:

# web_server['home'] = '/var/opt/gitlab/nginx'
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known {
    root /var/www/public/letsencrypt;
}"

Reconfigure Gitlab

gitlab-ctl reconfigure

Now you are ready to request the Let's Encrypt certificate. Let's Encrypt rate-limits failed validations, so first check that the DNS record for git.hostfav.com points at this server and that TCP port 80 is reachable from the Internet.

Use the following command to request the certificate:

certbot certonly --webroot --webroot-path=/var/www/public/letsencrypt -d git.hostfav.com

You will get a message like the following.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
 /etc/letsencrypt/live/git.hostfav.com/fullchain.pem. Your cert will
 expire on 2017-10-25. To obtain a new or tweaked version of this
 certificate in the future, simply run certbot again. To
 non-interactively renew *all* of your certificates, run "certbot
 renew"
 - Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

 

Configure GitLab for new Certificate

vi /etc/gitlab/gitlab.rb

Change the external URL scheme to https

external_url 'https://git.hostfav.com'

Uncomment this line and change false to true, so plain-HTTP requests are redirected to HTTPS

nginx['redirect_http_to_https'] = true

Change the certificate and key file paths

Find the following two lines and uncomment them

# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"

Update the paths to point at the Let's Encrypt live directory. Use fullchain.pem rather than cert.pem so that clients also receive the intermediate certificate; privkey.pem is readable only by root, which is fine because GitLab's nginx master process runs as root.

nginx['ssl_certificate'] = "/etc/letsencrypt/live/git.hostfav.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/git.hostfav.com/privkey.pem"

Reconfigure GitLab to apply the changes. If firewalld is running, TCP port 443 must also be open, otherwise the new HTTPS URL is unreachable.

gitlab-ctl reconfigure

A Let's Encrypt certificate is valid for only 90 days, and certbot renew only renews a certificate once fewer than 30 days remain. Running it once a month is therefore not enough: a monthly run may skip a certificate that still has 31 days left and not try again until it is hours from expiry, and if that single attempt fails (network problem, Let's Encrypt outage) there is no retry before the certificate expires. Run the renewal check every day or, as certbot recommends, twice a day; certbot itself does nothing unless a certificate is due. Add the following line to your cron job (01:00 and 13:00):

0 1,13 * * * /usr/bin/certbot renew --quiet --renew-hook "/usr/bin/gitlab-ctl restart nginx"

The hook runs only when a certificate was actually renewed and restarts just GitLab's nginx so the new certificate is loaded; newer certbot releases call this option --deploy-hook (the old name still works), and gitlab-ctl hup nginx can be used instead of restart to reload without dropping connections. Renewal continues to work after redirect_http_to_https is enabled, because the ACME validator follows the redirect and the /.well-known location is part of the GitLab server block. With this cron job the certificate is renewed roughly every 60 days.
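The following script is added here as a check for the procedure above; it is not part of the original post, nor of GitLab or certbot. It plants a probe token under the webroot and fetches it over HTTP the way the ACME validator does (so a wrong nginx location block is caught before it costs a failed Let's Encrypt validation), computes how many days the live certificate has left and flags a renewal that has not happened, and finishes with certbot renew --dry-run against the staging endpoint. The webroot, live directory and the 20-day threshold are assumptions matching the paths used above; it needs GNU date, curl and openssl (all present on CentOS 7) and must run as root to read /etc/letsencrypt/live.

```bash
#!/usr/bin/env bash
# Post-setup check for Let's Encrypt on GitLab (added example, not from the
# original post or from GitLab/certbot). Assumed defaults match the tutorial.
set -eu

WEBROOT="${WEBROOT:-/var/www/public/letsencrypt}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
# certbot renews at 30 days remaining; fewer than this many days left means
# the cron job has not been renewing successfully (assumed threshold).
MIN_DAYS="${MIN_DAYS:-20}"

# days_left NOT_AFTER [NOW_EPOCH]
# Whole days from NOW (default: current time) to an openssl-style notAfter
# value such as "Oct 25 12:00:00 2017 GMT". Negative means already expired.
days_left() {
    local not_after="$1" now="${2:-$(date -u +%s)}" end
    end=$(date -u -d "$not_after" +%s)
    echo $(( (end - now) / 86400 ))
}

# is_renewal_overdue DAYS -> true when the certificate should already have
# been renewed by the cron job.
is_renewal_overdue() {
    [ "$1" -lt "$MIN_DAYS" ]
}

# cert_not_after DOMAIN -> notAfter of the live fullchain (needs root).
cert_not_after() {
    openssl x509 -in "$LIVE_DIR/$1/fullchain.pem" -noout -enddate | sed 's/^notAfter=//'
}

# check_challenge_path DOMAIN
# Writes a throwaway token into the ACME challenge directory and fetches it
# over plain HTTP. -L follows redirects, as the ACME validator does, so the
# check still passes once redirect_http_to_https is enabled.
check_challenge_path() {
    local domain="$1" token body
    token="probe-$(date +%s)-$$"
    mkdir -p "$WEBROOT/.well-known/acme-challenge"
    echo "$token" > "$WEBROOT/.well-known/acme-challenge/$token"
    body=$(curl -fsSL "http://$domain/.well-known/acme-challenge/$token" || true)
    rm -f "$WEBROOT/.well-known/acme-challenge/$token"
    [ "$body" = "$token" ]
}

main() {
    local domain="$1" left
    if check_challenge_path "$domain"; then
        echo "OK   /.well-known is served from $WEBROOT"
    else
        echo "FAIL /.well-known not reachable on http://$domain" \
             "(check nginx['custom_gitlab_server_config'] and port 80)"
        exit 1
    fi

    left=$(days_left "$(cert_not_after "$domain")")
    if is_renewal_overdue "$left"; then
        echo "FAIL certificate has $left days left; the renewal cron job is not working"
        exit 1
    fi
    echo "OK   certificate valid for $left more days"

    # Exercises the whole renewal path (webroot, hook is skipped) against the
    # Let's Encrypt staging server without touching the real certificate.
    certbot renew --dry-run
}

# Only run the checks when a domain is given, e.g.:
#   ./check_gitlab_cert.sh git.hostfav.com
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it once right after the setup and again a few days after the first cron run; a FAIL on the days-left check is the earliest sign that the renewal job is silently failing, long before users see an expired certificate.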

Serving GitLab only over HTTPS protects user credentials, session cookies and repository contents in transit, and the automatic renewal keeps that protection from lapsing when the certificate expires.