Dedicated certificate for GitLab Page


#1

I am trying to get GitLab Pages for GitLab CE installed on my own server to serve a Let's Encrypt certificate for that specific page, but page.otherdomain.de still serves the certificate for gitlab.domain.org.

Settings in gitlab.rb:

external_url "https://gitlab.domain.org"

nginx['redirect_http_to_https'] = true
nginx['ssl_ciphers'] = "ECDHE-ECDSA-AES256-GCM-SHA384:…"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
nginx['ssl_session_timeout'] = "1d"
nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparam.pem"
nginx['add_header'] = "Strict-Transport-Security max-age=15768000"
nginx['ssl_stapling'] = "on"
nginx['ssl_stapling_verify'] = "on"

pages_external_url "https://otherdomain.de"
gitlab_pages['enable'] = true
pages_nginx['enable'] = true
pages_nginx['redirect_http_to_https'] = true
pages_nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
pages_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
pages_nginx['ssl_ciphers'] = "ECDHE-ECDSA-AES256-GCM-SHA384:…"
pages_nginx['ssl_prefer_server_ciphers'] = "on"
pages_nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
pages_nginx['ssl_session_timeout'] = "1d"
pages_nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparam.pem"
pages_nginx['add_header'] = "Strict-Transport-Security max-age=15768000"

Symlinked certificate files:

root@srv:~# ls -la /etc/gitlab/ssl/
dhparam.pem -> /root/letsencrypt/dhparam.pem
gitlab.domain.org.crt -> /etc/letsencrypt/live/gitlab.domain.org/fullchain.pem
gitlab.domain.org.key -> /etc/letsencrypt/live/gitlab.domain.org/privkey.pem
otherdomain.de.crt -> /etc/letsencrypt/live/page.otherdomain.de/fullchain.pem
otherdomain.de.key -> /etc/letsencrypt/live/page.otherdomain.de/privkey.pem
page.otherdomain.de.crt -> /etc/letsencrypt/live/page.otherdomain.de/fullchain.pem
page.otherdomain.de.key -> /etc/letsencrypt/live/page.otherdomain.de/privkey.pem

I symlinked both otherdomain.de and page.otherdomain.de as I was not sure which was the way to go, but neither solution seems to work.

Any suggestions as to what could be the problem?


#2

When those settings are commented out, it works as expected:

#pages_nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
#pages_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
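
Added example, not part of the original thread and not GitLab's own code: a small Ruby check that resolves which certificate each variant of the Pages setting points at, using the symlink listing from post #1. It assumes that `node['fqdn']` evaluates to `gitlab.domain.org` on this server and that, with the setting commented out, the package falls back to a file named after the host in `pages_external_url` (consistent with post #2); the `NODE` hash and all function names are hypothetical.

```ruby
require 'uri'

# Constructed stand-in for Chef's node object. The fqdn value is an assumption:
# the machine's own hostname, matching external_url in post #1.
NODE = { 'fqdn' => 'gitlab.domain.org' }.freeze

# Symlinks copied from the `ls -la /etc/gitlab/ssl/` listing in post #1.
SYMLINKS = {
  '/etc/gitlab/ssl/gitlab.domain.org.crt'   => '/etc/letsencrypt/live/gitlab.domain.org/fullchain.pem',
  '/etc/gitlab/ssl/otherdomain.de.crt'      => '/etc/letsencrypt/live/page.otherdomain.de/fullchain.pem',
  '/etc/gitlab/ssl/page.otherdomain.de.crt' => '/etc/letsencrypt/live/page.otherdomain.de/fullchain.pem'
}.freeze

# Path produced by the explicit pages_nginx['ssl_certificate'] line in post #1.
# gitlab.rb is Ruby, so the #{...} part is interpolated when the file is loaded.
def explicit_cert_path(node)
  "/etc/gitlab/ssl/#{node['fqdn']}.crt"
end

# Assumed fallback when the setting is commented out: a file named after the
# host part of pages_external_url.
def fallback_cert_path(pages_external_url)
  "/etc/gitlab/ssl/#{URI.parse(pages_external_url).host}.crt"
end

# Name of the Let's Encrypt lineage (directory under live/) a path resolves to,
# or nil when the path is not in the symlink table.
def lineage(cert_path, symlinks = SYMLINKS)
  target = symlinks[cert_path]
  return nil unless target
  target[%r{\A/etc/letsencrypt/live/([^/]+)/}, 1]
end

# Compare the requested host name with the lineage name only; the SAN list
# inside the certificate is not inspected here.
def check(requested_host, cert_path)
  issued_for = lineage(cert_path)
  { path: cert_path, issued_for: issued_for, match: issued_for == requested_host }
end

if __FILE__ == $PROGRAM_NAME
  host = 'page.otherdomain.de'
  p check(host, explicit_cert_path(NODE))                     # explicit setting
  p check(host, fallback_cert_path('https://otherdomain.de')) # setting commented out
end
```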