FYI my install is a gitlab-ce on Devuan.
Here is the apache2 sites-enabled config. Note that I use 8443 as the external https port.
<VirtualHost *:8443>
ServerName gitlab.mydomain.com
SSLEngine on
SSLCACertificateFile /etc/gitlab/trusted-certs/cert.pem
SSLCertificateFile /etc/gitlab/trusted-certs/fullchain.pem
SSLCertificateKeyFile /etc/gitlab/trusted-certs/privkey.pem
<Proxy *>
Require all granted
</Proxy>
SSLProxyEngine on
ProxyRequests Off
ProxyPass / https://gitlab.mydomain.com:4443/
ProxyPassReverse / https://gitlab.mydomain.com/
Header edit Location ^http://gitlab.mydomain.com/ https://gitlab.mydomain.com/
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
Here are the relevant bits in gitlab.rb
external_url 'https://gitlab.mydomain.com:4443'
nginx['ssl_client_certificate'] = "/etc/gitlab/trusted-certs/cert.pem"
nginx['ssl_certificate'] = "/etc/gitlab/trusted-certs/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/gitlab/trusted-certs/privkey.pem"
Here are the scp commands from the Letsencrypt server to the gitlab box.
You will need a gitlab-ctl reconfigure so that gitlab picks the certs up and generates the correct links.
Note I also use a non standard ssh port.
scp -P 2211 /etc/dehydrated/certs/mydomain.com/fullchain.pem root@gitlab.mydomain.com://etc/gitlab/trusted-certs/fullchain.pem
scp -P 2211 /etc/dehydrated/certs/mydomain.com/privkey.pem root@gitlab.mydomain.com://etc/gitlab/trusted-certs/privkey.pem
scp -P 2211 /etc/dehydrated/certs/mydomain.com/cert.pem root@gitlab.mydomain.com://etc/gitlab/trusted-certs/cert.pem
Hope that gets you running - took me days to figure this lot out.
Essentially you leave the nginx webserver running and proxy external->apache->nginx->gitlab
You CAN dispense with nginx, but then you need to proxy direct to the various required ports - see the gitlab nginx confs if you want to see how. I decided it was easier to leave the CE nginx install in place and running.
Note also that I don’t run any http only access to the gitlab box.
Hope that helps…
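
Added example, not part of the original post: a check to run on the GitLab host before `gitlab-ctl reconfigure`, confirming that the copied fullchain.pem and privkey.pem belong together and that the key is not left world-readable. It assumes the files are first copied into a staging directory instead of straight into /etc/gitlab/trusted-certs; the function names and the staging path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post): check a cert/key pair before installing it.
# File names match the post; function names and the staging directory are assumptions.

# Succeeds only if the leaf certificate in $1 and the private key in $2
# carry the same public key. Returns 2 if either file cannot be parsed.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Validate the files in staging dir $1, then copy them into $2.
# The private key is installed mode 0600; nothing is copied on failure.
install_pair() {
    stage=$1
    dest=$2
    pair_matches "$stage/fullchain.pem" "$stage/privkey.pem" || {
        echo "fullchain.pem and privkey.pem do not match" >&2
        return 1
    }
    openssl x509 -in "$stage/fullchain.pem" -noout -checkend 0 >/dev/null || {
        echo "certificate has expired" >&2
        return 1
    }
    install -m 0644 "$stage/fullchain.pem" "$stage/cert.pem" "$dest/" &&
        install -m 0600 "$stage/privkey.pem" "$dest/"
}

# On the GitLab host, after scp into a staging directory (hypothetical path):
#   install_pair /root/cert-staging /etc/gitlab/trusted-certs && gitlab-ctl reconfigure
```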