Secure Gitlab with a Let's Encrypt SSL Certificate

You can run Gitlab on your own server with little effort. I did it this way because the hosted Gitlab can sometimes be very slow and because I feel more comfortable having my source code on my own server. However, a self-installed Gitlab has no SSL encryption after installation, but this can easily be added with a free Let's Encrypt certificate.

If you have not yet done so, you can install Gitlab via this page. The prerequisite for the further steps is that Gitlab has been installed and is accessible via port 80.

Next, we need git in order to fetch the Let's Encrypt client:

cd /root  
git clone https://github.com/letsencrypt/letsencrypt

Before we can request the certificate, we create a Let's Encrypt configuration file that holds all the important settings.

mkdir letsencrypt-config  
vi letsencrypt-config/gitlab.ini

The contents of the file:

# Let's Encrypt config for gitlab

# we want to use the webroot authenticator. 
authenticator = webroot
webroot-path = /var/www/letsencrypt

# the domain under which gitlab is accessible
domains = gitlab.yourdomain.de

# the own mail address with which the certificate is requested
email = your@email.de

# we want a 4096 bit RSA key instead of the default 2048 bit key
rsa-key-size = 4096

Now we have to create the directory that will be used for the webroot authentication.

mkdir -p /var/www/letsencrypt

Next, we adjust the Gitlab configuration so that it uses our new certificates. To do this, we open the file **/etc/gitlab/gitlab.rb** and set the following values. Make sure that the corresponding lines are not commented out.

nginx['enable'] = true
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.yourdomain.de/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.de/privkey.pem"

The following line must also be inserted; it makes the bundled nginx serve the challenge files from our webroot directory:

nginx['custom_gitlab_server_config']="location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"

For the certificate request to work, Gitlab must first be reconfigured so that nginx picks up the new settings:

gitlab-ctl reconfigure

Next, we use the Let's Encrypt configuration created earlier to request the certificate:

/root/letsencrypt/letsencrypt-auto certonly -c /root/letsencrypt-config/gitlab.ini

On the first call, any missing dependencies are installed before the actual certificate request runs.

Now we can open the gitlab configuration under /etc/gitlab/gitlab.rb again and change the URL to https.

external_url 'https://gitlab.yourdomain.de'

That's it; Gitlab only needs to be reconfigured once more:

gitlab-ctl reconfigure

From now on, the Gitlab installation is accessible over https.

Let's Encrypt certificates are only valid for 90 days. To have the certificate renewed automatically every month, we set up a cron job that takes care of this:

0 0 1 * * /root/.local/share/letsencrypt/bin/letsencrypt certonly -c /root/letsencrypt-config/gitlab.ini --renew-by-default
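The cron line above requests a new certificate, but nginx reads the PEM files only when it starts, so the renewed chain is not served until nginx is reloaded. The following script is an added example (not part of the original post) that wraps the same request: it checks the remaining validity with openssl, renews only inside the last 30 days, confirms the file on disk actually changed, and then reloads the bundled nginx with `gitlab-ctl hup nginx`. The certificate, config and client paths are taken from the post; the reload step and the 30-day threshold are assumptions of this example.

```python
# Added example (not from the original post): a cron-friendly renewal wrapper
# that renews only when the certificate is close to expiry and then reloads
# GitLab's bundled nginx, which otherwise keeps serving the old certificate.
import subprocess
import sys
from datetime import datetime, timezone

CERT = "/etc/letsencrypt/live/gitlab.yourdomain.de/fullchain.pem"  # path from the post
CONFIG = "/root/letsencrypt-config/gitlab.ini"                      # path from the post
CLIENT = "/root/.local/share/letsencrypt/bin/letsencrypt"           # path from the post
RENEW_BEFORE_DAYS = 30  # assumed threshold: certificates last 90 days, renew in the last 30


def parse_enddate(line):
    """Parse the 'notAfter=Jun  1 12:00:00 2024 GMT' line printed by
    `openssl x509 -enddate -noout`, returning an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    value = " ".join(value.split())  # collapse the day padding in 'Jun  1'
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")  # %Z does not set tzinfo
    return naive.replace(tzinfo=timezone.utc)


def days_left(enddate_line, now):
    """Whole days until the certificate described by `enddate_line` expires
    (negative when it has already expired)."""
    return (parse_enddate(enddate_line) - now).days


def needs_renewal(enddate_line, now, threshold=RENEW_BEFORE_DAYS):
    """True when fewer than `threshold` days remain, including when already expired."""
    return days_left(enddate_line, now) < threshold


def run(cmd):
    """Run a command, raise on a non-zero exit status, return its stdout."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def fingerprint():
    """SHA-256 fingerprint of the certificate currently on disk."""
    return run(["openssl", "x509", "-fingerprint", "-sha256", "-noout", "-in", CERT])


def main():
    now = datetime.now(timezone.utc)
    enddate = run(["openssl", "x509", "-enddate", "-noout", "-in", CERT])
    if not needs_renewal(enddate, now):
        print("certificate valid for %d more days, nothing to do" % days_left(enddate, now))
        return 0
    before = fingerprint()
    # Same request as the post's cron line, using the config file written earlier.
    run([CLIENT, "certonly", "-c", CONFIG, "--renew-by-default"])
    if fingerprint() == before:
        print("renewal ran but the certificate on disk did not change", file=sys.stderr)
        return 1
    # nginx loads the PEM files only at start-up: reload it so the new chain is served.
    run(["gitlab-ctl", "hup", "nginx"])
    print("certificate renewed and nginx reloaded")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the script exits early while the certificate is still valid, it can run daily rather than monthly, for example with a cron entry such as `0 3 * * * /usr/bin/python3 /root/renew-gitlab-cert.py` (the script path is a hypothetical name for this example); a failed renewal then surfaces as a non-zero exit status in cron's mail instead of silently leaving an expired certificate in place.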

2 comments

  1. Is it possible that something has changed here now? I have updated my Gitlab system (Debian Jessie) and now get the message "secure connection failed". The update was carried out without an error message. The existing LE certificate was still valid.
     After I restored the original state, everything works perfectly.

     • To test this, I updated my Gitlab installation from version 9.4.4 to 10.0.2 and everything went smoothly.

       Maybe you can find something in the logs?
