Gitlab-ce via docker container, shared CA certificate, SSL setup

Hi everybody,

I am trying to get the following use case implemented:
Web access for Gitlab-ce only via https, run as a docker container, with a domestically (distributed) CA certificate and server key/certificate pair.

I have gitlab-ce running as a docker container (gitlab/gitlab-ce:latest). At the moment the web access is through port 80. It is very beautiful, works wonderfully. The PKI part (public key infrastructure) runs nicely, I have CA signed server certificates ready, the right spots to put them etc. Tested and ok.

The exact gitlab-ce configuration for https access though is a bit hard to extract from the nice copious and scattered about references everywhere, that elude my comprehension apparently, for I can’t get https configuration working one way or another. I can see gitlab-ce picking up the certificates in the absence of errors in the logs, it just isn’t serving under https - site is unreachable.

My setup is:
docker: ports 80:80 (http; docker server port: container port) and 6443:443 (https) for my local domain are and should be accessible (firewall open/filtered).

In /etc/gitlab/config/gitlab.rb I think I have to do the following:

external_url 'https://mynicegitlab-ce.dingus:6443'

I am assuming here that the docker host port should be used, not the container’s port.
But is that correct?

I am also not sure about what to configure next.
Should I edit the nginx part like so:

nginx['enable'] = true
nginx['listen_port'] = 6443

Or should that be 443 (as docker maps 6443 host side to 443 container side)?

letsencrypt['enable'] = false
nginx['ssl_certificate'] = "/etc/gitlab/ssl/mynicegitlab-ce.dingus/mynicegitlab-ce.dingus.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/mynicegitlab-ce.dingus/mynicegitlab-ce.dingus.key"
nginx['enable'] = true
nginx['client_max_body_size'] = '250m'

If I do that, nothing works any more. I have tried about every configuration with these ingredients. Nothing works.
A nice little button in the admin interface came up one night trying to find a solution, in a dream - that did say ‘do you want to run gitlab-ce (as docker container) under https like everybody should? Press this little button’. Instead I know this can be done, but it is just not so easy.
Is my docker setup to blame, or is it the gitlab-ce nginx/external_url confusion, or am I missing some obscure setting?

Can somebody please help me with a hint?

Well, if anybody is interested, I got this working by configuring it in this way:

gitlab.rb:

external_url 'https://<my-webserver-dns>:port'

(f.i. https://dtap.internal.ch:6443)

and running gitlab as docker container with (6443 for ui, 6022 for ssh mediated git interaction, f.i. ssh://git@dtap.internal.ch:6022/user/niceproject.git):

docker run --detach \
  --hostname dtap.internal.ch \
  --publish 6443:443 \
  --publish 6022:22 \
  --name gitlab \
  --volume ~gitlab/config:/etc/gitlab \
  --volume ~gitlab/logs:/var/log/gitlab \
  --volume ~gitlab/data:/var/opt/gitlab \
  --restart always \
  gitlab/gitlab-ce:latest

Finally I didn’t touch the nginx configuration in gitlab.rb and kept it commented out.
Works like a charm.

I hope that if you have the same use case (https for a docker container hosted gitlab-ce), this will save you wading through the gitlab docs.

3 Likes

I too was having issues in getting SSL to work.
I’m new to docker, but this port mapping behaviour is something I haven’t seen anywhere else.
Gitlab seems to want you to change the internal port too?!

So, eventually, for docker compose yaml, this works:

version: '3.6'
services:
    web:
        image: 'gitlab/gitlab-ce:latest'
        container_name: gitlab
        restart: always
        hostname: 'gitlab.example.com'
        environment:
            GITLAB_OMNIBUS_CONFIG: |
                external_url 'https://gitlab.example.com:9243'
                gitlab_rails['gitlab_shell_ssh_port'] = 9222
        ports:
            - '9243:9243'
            - '9222:22'
        volumes:
            - '/gitlab/config:/etc/gitlab'
            - '/gitlab/logs:/var/log/gitlab'
            - '/gitlab/data:/var/opt/gitlab'
        shm_size: '256m'
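
Added example (not written by any poster in this thread and not GitLab's own code): a small offline check for the port question discussed above, comparing gitlab.rb with the published docker ports. It assumes Omnibus GitLab's documented behaviour that the bundled NGINX listens on the port given in external_url unless nginx['listen_port'] overrides it; the function names and the sample inputs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def parse_gitlab_rb(text):
    """Return (port clients use, port NGINX binds inside the container)."""
    url_port = override = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # commented-out settings are inactive
            continue
        m = re.match(r"external_url\s+['\"]([^'\"]+)['\"]", line)
        if m:
            url = urlsplit(m.group(1))
            url_port = url.port or (443 if url.scheme == "https" else 80)
        m = re.match(r"nginx\[['\"]listen_port['\"]\]\s*=\s*(\d+)", line)
        if m:
            override = int(m.group(1))
    if url_port is None:
        raise ValueError("external_url is not set")
    # Assumption (Omnibus behaviour): listen port follows external_url unless overridden.
    return url_port, (override if override is not None else url_port)

def check_mapping(gitlab_rb, publishes):
    """Compare gitlab.rb with docker 'host:container' publish specs."""
    url_port, listen_port = parse_gitlab_rb(gitlab_rb)
    for spec in publishes:
        parts = spec.split("/")[0].split(":")   # tolerate 'ip:host:ctr' and '/tcp'
        if len(parts) >= 2 and parts[-2] == str(url_port):
            if int(parts[-1]) == listen_port:
                return "ok"
            return f"host {url_port} -> container {parts[-1]}, but NGINX listens on {listen_port}"
    return f"host port {url_port} is not published"

# Constructed inputs using the values quoted in this thread.
ATTEMPT = "external_url 'https://mynicegitlab-ce.dingus:6443'\nnginx['listen_port'] = 6443\n"
FIXED = "external_url 'https://mynicegitlab-ce.dingus:6443'\nnginx['listen_port'] = 443\n"
COMPOSE = "external_url 'https://gitlab.example.com:9243'\n"

if __name__ == "__main__":
    print(check_mapping(ATTEMPT, ["80:80", "6443:443"]))
    print(check_mapping(FIXED, ["80:80", "6443:443"]))
    print(check_mapping(COMPOSE, ["9243:9243", "9222:22"]))
```

A result other than "ok" means the HTTPS port is published to a container port where nothing is listening, which matches the "site is unreachable, no errors in the logs" symptom from the first post.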