Self-Signed Certificate for GitLab 13.10.3

GitLab can be installed on a private cloud to give internal applications access to code repositories. The GitLab application uses a built-in Nginx web service that can serve either HTTP or HTTPS, depending on internal information-security requirements.

To use HTTPS, we need to provide the GitLab application with an SSL certificate. We can use one of three approaches for it:

  • Self-signed certificate generated with OpenSSL
  • Custom certificate issued by an external CA
  • GitLab’s built-in Letsencrypt utility

I actually tried to use the built-in Letsencrypt utility first but faced an error while reconfiguring GitLab. A few blogs and forums have already discussed this error, but none of their suggestions worked for me. In the end, I switched to a self-signed certificate and commented out the third option in the gitlab.rb configuration file.

Situation

The Letsencrypt utility is not working and fails with the error below.

* Faraday::ConnectionFailed occurred in Chef Infra Client run: letsencrypt_certificate[gitlab.com] (letsencrypt::http_authorization line 5) had an error: Faraday::ConnectionFailed: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error: Faraday::ConnectionFailed: execution expired

Task

Disable Letsencrypt and use a self-signed certificate.

Actions

For starters, we will disable Letsencrypt from the configuration file of GitLab.

[root@gitlab admin]# vi /etc/gitlab/gitlab.rb

################################################################################
# Let's Encrypt integration
################################################################################
letsencrypt['enable'] = false

Next, we create a new self-signed certificate and place it in the default directory “/etc/gitlab/ssl/”.

Generate the private key and the Certificate Signing Request (CSR) using the openssl Linux utility.

[root@gitlab ssl]# openssl genrsa -out gitlab.com.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................................+++++
...............................................+++++
e is 65537 (0x010001)
[root@gitlab ssl]# openssl req -new -key gitlab.com.key -out gitlab.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SG
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]: TechnKofe
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:gitlab
Email Address []:devesh@technokofe.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Finally, we generate the certificate from the CSR and the key created in the previous step.

[root@gitlab ssl]# openssl x509 -req -days 365 -in gitlab.com.csr -signkey gitlab.com.key -out gitlab.com.crt
Signature ok
subject=C = SG, L = Default City, O = SPTel, CN = gitlab, emailAddress = devesh@technokofe.com
Getting Private key
[root@gitlab ssl]# ls -lrth
total 12K
-rw-------. 1 root root 1.7K Apr 21 11:10 gitlab.com.key.key
-rw-r--r--. 1 root root 1013 Apr 21 11:11 gitlab.com.csr
-rw-r--r--. 1 root root 1.3K Apr 21 11:12 gitlab.com.crt
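The CSR above carries only a Common Name; current browsers match the hostname against the subjectAltName extension and ignore the CN, so a certificate made this way is rejected even after the user trusts it. The following is an added example, not code from the original post: it produces the self-signed certificate in a single openssl step with a SAN, and checks that the key and certificate actually belong together before they go into /etc/gitlab/ssl. It assumes OpenSSL 1.1.1 or newer (for -addext); the hostname gitlab.example.internal and the output directory are placeholders passed as parameters.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a self-signed
# certificate for GitLab's NGINX in one step (no separate CSR), adds a
# subjectAltName, and verifies that key and certificate belong together.
# Assumptions: OpenSSL 1.1.1 or newer (for -addext); hostname and output
# directory are parameters, so gitlab.example.internal and /etc/gitlab/ssl
# in the usage lines below are placeholders.
set -eu

# gen_cert DIR HOST DAYS: writes DIR/HOST.key and DIR/HOST.crt
gen_cert() {
  dir=$1; host=$2; days=$3
  mkdir -p "$dir"
  # -x509 emits a self-signed certificate directly; -addext adds the SAN that
  # browsers require (a CN alone is ignored for hostname matching).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -keyout "$dir/$host.key" -out "$dir/$host.crt" \
    -subj "/C=SG/O=Example/CN=$host" \
    -addext "subjectAltName=DNS:$host" 2>/dev/null
  # The private key must be readable by root only, as in the post's ls output.
  chmod 600 "$dir/$host.key"
}

# key_matches_cert KEY CRT: prints "ok" if both carry the same public key,
# "mismatch" otherwise (a mismatch makes nginx refuse to start).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  if [ "$k" = "$c" ]; then echo ok; else echo mismatch; fi
}

# cert_san CRT: prints the DNS names in the certificate's subjectAltName
cert_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# key_mode KEY: prints the permission string, expected "-rw-------"
key_mode() {
  ls -l "$1" | cut -c1-10
}

# Usage: gen_cert /etc/gitlab/ssl gitlab.example.internal 365
#        key_matches_cert /etc/gitlab/ssl/gitlab.example.internal.key \
#                         /etc/gitlab/ssl/gitlab.example.internal.crt
```

Clients still have to trust this certificate explicitly (import it into the browser or OS trust store), since no CA vouches for it.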

We need to tell GitLab's NGINX where the newly generated certificate and key are. If they are in the default directory “/etc/gitlab/ssl/” and named after the hostname in external_url, GitLab finds them on its own; otherwise the paths must be set explicitly in gitlab.rb.

################################################################################
## GitLab NGINX
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html
################################################################################

nginx['enable'] = true
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80

##! Server certificate and private key presented to browsers and git clients
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.com.key"

##! Most root CA's are included by default
##! ssl_client_certificate is the CA bundle used to verify *client* certificates
##! (only when ssl_verify_client is on); it does not set the server certificate.
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"

To apply the newly generated certificate, we need to reconfigure GitLab and restart the application.

[root@gitlab ssl]# sudo gitlab-ctl reconfigure
[root@gitlab ssl]# sudo gitlab-ctl restart

Result

We can verify the new certificate by opening the GitLab URL in a browser and inspecting the certificate it presents.
