Configuring a self-signed SSL certificate

Hello, please explain how to configure https with a self-signed certificate.
I have installed gitlab.
I created a self-signed certificate:

openssl req \
  -subj "/C=RU/ST=XXX-XXX/L=XXX-XXX/O=Labecs, Inc./OU=GitLab/CN=git.mydomain.ru" \
  -newkey rsa:4096 -nodes -sha256 -keyout ./git.mydomain.ru-ss.key \
  -x509 -days 3650 -out ./git.mydomain.ru-ss.crt

I made these settings in the /etc/gitlab/gitlab.rb file:

external_url "https://git.mydomain.ru"

nginx['redirect_http_to_https'] = true

nginx['ssl_certificate'] = "/etc/ssl/gitlab/git.mydomain.ru-ss.crt"
nginx['ssl_certificate_key'] = "/etc/ssl/gitlab/git.mydomain.ru-ss.key"

letsencrypt['enable'] = false

I copied the public part of the certificate to a special directory in the gitlab configuration:

cp /etc/ssl/gitlab/git.mydomain.ru-ss.crt /etc/gitlab/trusted-certs/

Applied the changes:

gitlab-ctl reconfigure

When I connect to the web interface at https://git.mydomain.ru, the page does not open.
What did I do wrong?

The easiest way is not to attempt to set the certificates manually in gitlab.rb, but do this instead:

external_url "https://git.mydomain.ru"
nginx['redirect_http_to_https'] = true
letsencrypt['enable'] = false

assuming that git.mydomain.ru is the name of your server, then do:

mkdir /etc/gitlab/ssl

and in this directory put the SSL certificate and key files, so that they are named the same as your server, so:

git.mydomain.ru.crt
git.mydomain.ru.key

then do:

gitlab-ctl reconfigure

I do this with self-signed, or even with commercial certificates that I purchased, and it works every time. The key part is putting the certs in /etc/gitlab/ssl and making sure they are named the same as your server FQDN, as in the example above.

2 Likes

I reconfigured everything according to your version; the result is the same, the web interface is not loaded.
Connection error:
The website does not support encryption for the page you are viewing.

I got it to work. You need to have the SAN - Subject Alternative Name - with the DNS entry for it to work. This is the one-shot command line to add it.

You can run this in the /etc/gitlab/ssl folder:

openssl req \
  -subj "/C=CN/ST=ST/L=CT/O=CMP/OU=OU/CN=host.domain.tld" \
  -newkey rsa:4096 -nodes -sha256 -keyout ./host.domain.tld.key \
  -addext "subjectAltName = DNS:host.domain.tld" \
  -x509 -days 3650 -out ./host.domain.tld.crt

add the CRT to the trusted certs → cp …/trusted-certs

Also, if you are running this locally and/or off the internet/NAT/whatever, use a hosts file and just tell it your private IP is that FQDN, so that it may trust the cert and not have a hostname mismatch.

Cheers. DP2K

1 Like

After a lot of trial and error, I got it working with the following commands.

sudo openssl genrsa -out ca.key 2048
sudo openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Mycompany/CN=Mycompany Root CA" -out ca.crt
sudo openssl req -newkey rsa:2048 -nodes -keyout gitlab.example.com.key -subj "/C=CN/ST=GD/L=SZ/O=Mycompany/CN=gitlab.example.com" -out gitlab.example.com.csr
# process substitution <(...) needs bash; single quotes keep the inner double quotes intact
sudo bash -c 'openssl x509 -req -extfile <(printf "subjectAltName=DNS:gitlab.example.com") -days 365 -in gitlab.example.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out gitlab.example.com.crt'

sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart
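The private-CA approach from the post above, as an added example that is not part of the thread: it issues a server certificate with the SAN nginx needs and then verifies the chain and the SAN before the files go into /etc/gitlab/ssl. It assumes openssl 1.1.1 or newer on PATH; the hostname, subject fields and output directory are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the forum thread. Requires openssl >= 1.1.1.
set -eu

# make_gitlab_cert <fqdn> <outdir>
# Writes ca.key, ca.crt, <fqdn>.key and <fqdn>.crt into <outdir>.
make_gitlab_cert() {
  fqdn="$1"; out="$2"
  mkdir -p "$out"
  # Private CA; only ca.crt is handed to clients, ca.key stays offline.
  openssl genrsa -out "$out/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$out/ca.key" \
    -subj "/O=Example CA/CN=Example Root CA" -out "$out/ca.crt"
  # Server key and CSR. Browsers ignore the CN, so the SAN below is what matters.
  openssl req -newkey rsa:2048 -nodes -keyout "$out/$fqdn.key" \
    -subj "/O=Example/CN=$fqdn" -out "$out/$fqdn.csr" 2>/dev/null
  # Extension file instead of <(printf ...) so this also works under plain sh.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" \
    > "$out/san.ext"
  openssl x509 -req -days 365 -in "$out/$fqdn.csr" -CA "$out/ca.crt" \
    -CAkey "$out/ca.key" -CAcreateserial -extfile "$out/san.ext" \
    -out "$out/$fqdn.crt" 2>/dev/null
  chmod 600 "$out/ca.key" "$out/$fqdn.key"
}

# check_gitlab_cert <fqdn> <outdir>
# Prints "ok" when the leaf chains to ca.crt and carries DNS:<fqdn> in its SAN;
# otherwise prints the reason and returns non-zero.
check_gitlab_cert() {
  fqdn="$1"; out="$2"
  openssl verify -CAfile "$out/ca.crt" "$out/$fqdn.crt" >/dev/null 2>&1 \
    || { echo "chain does not verify"; return 1; }
  openssl x509 -in "$out/$fqdn.crt" -noout -ext subjectAltName 2>/dev/null \
    | grep -q "DNS:$fqdn" || { echo "missing SAN DNS:$fqdn"; return 1; }
  echo ok
}
```

Run `make_gitlab_cert git.mydomain.ru /etc/gitlab/ssl` followed by `check_gitlab_cert git.mydomain.ru /etc/gitlab/ssl` before `gitlab-ctl reconfigure`; the file names then already match the FQDN convention described earlier in the thread.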