Access to Gitlab through dynDNS and https

Hello all,

I am struggling to figure out how to set up Gitlab correctly, so people can access it through the ssl encrypted domain. Here’s where I am at:

We recently purchased a Synology DS918+ that is currently connected to my home network. Since I wanted a more current version of Gitlab, I didn’t go for the one in the package manager (that also uses Docker), but rather installed Docker and the gitlab-ce:latest image. By now I have installed it both from the GUI and through SSH.

I registered a dynDNS hostname with noip. As a first try, I configured the dynDNS in the Synology control panel and created Gitlab without specifying an external_url. This way I could access Gitlab through domain name:port. No https, though.

Second try, I deactivated the dynDNS in the NAS’s settings and created the container with external_url=‘domain name:port’. This allowed me to access Gitlab through domain name:port. Again, no https.

Third try, with the configuration from try 2 I started playing around a bit, because according to https://docs.gitlab.com/omnibus/docker/#expose-gitlab-on-different-ports I just need to add https to the external_url.

  1. Ports: 32766:443, 32767:22, 32765:32765, external_url=‘https:// domain name:32765’ --> 400 Bad request
  2. Ports: 32766:443, 32767:22, 32765:80, external_url=‘https:// domain name:32765’ --> No response from gitlab, I doubt it was at the location domain name:32765 pointed to.
  3. Ports: 32766:443, 32767:22, 32765:32765, external_url=‘https:// domain name’ --> No response
  4. Ports: 32766:443, 32767:22, 32765:80, external_url=‘https:// domain name’ --> No response

What I find strange about the example is that they configure port 8929:80 and then configure the https port to 8929 as well. The way I understand it, they’d have to assign 8930:443 and then use that for the external_url.
Also, in another example (https://docs.gitlab.com/omnibus/settings/nginx.html#enable-https) they didn’t add the port to the end of the external_url. This adds to my confusion.

I currently have a workaround in place, where people can VPN into my network and access all applications by IP-Address:Port. This works fine for most users, except for one, who happens to be the boss. He can’t clone anything over 5 MB or it exits with Error 128. Because of this, I wanted to explore the other possibility.

Can someone please tell me where I went wrong? As you can probably see from the amount of trial and error I did, I am pretty new to this topic. Any tips are appreciated!

Just a quick addendum:
When I run the container with configuration 4, I get a 400 Bad Request when trying to access it through its IP address from within my network. When I preface it with https:// I get the unsafe notification in Chrome, and when I continue it does so without https://.

No takers?
Can I add more information?

OK, after some more trial and error I found a setup that forces https.
Ports: 32766:32766, 32767:22, 32765:32765, external_url ‘https:// domain name:32766’
When I access the site from my cell phone, all seems good, i.e. the lock is displayed in the address bar, indicating a secure connection.
When I try to access it from my other laptop through tethering, I get a certificate error and an unsafe connection warning in Chrome. When I click on the certificate it tells me:

This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

How can I remedy this?
As far as my understanding goes, the certificate should be renewed automatically for the url I entered under external_url when I execute gitlab-ctl reconfigure. Is this not the case?

Edit: The certificate says it’s issued for domain name and by domain name. When I compare that to the certificate that I got in the NAS’s control panel directly it says: Let’s Encrypt Authority X3