Gitlab.com Pages and automated Letsencrypt SSL renewal

TLDR; Is there a (proper) way to set up a Letsencrypt SSL certificate for a Gitlab.com Pages website with a custom domain with automatic renewal of the certificate?

I’m trying to reduce the number of servers that I administrate, which is why I’ve recently moved from a privately hosted Gitlab CE instance to Gitlab.com. Other things I would like to move are my static web pages, which are currently hosted on another VPS.

So, I set up a Pages website for my website repository and that works great. However, before migrating to my custom domain, I would like to be able to set up SSL with Letsencrypt. That should work fine, except for automatic renewal. So far I haven’t found a way to set up automatic renewal of the SSL certificate and have it set up on my Pages website.

Has anyone been able to do this? Perhaps through Gitlab CI? What was the approach that you took?

I’m interested in this too. It seems really awkward and error-prone to manually renew keys every 3 months. With all the other great features in gitlab to automate software production including website maintenance, it would be nice to see gitlab enhanced in this way.

I wonder if one can write a build script that does what is needed.

One can imagine a non-interactive version of certbot certonly -a manual -d your.domain.org that runs under a build script. Upon delivery of working fullchain.pem and privkey.pem, then, what would it take to install these programmatically in gitlab server? I’m doing this manually by cut-and-paste (another opportunity for mistakes) but one can imagine there’s an underlying shell command doing the work.

Has this been covered elsewhere? Given the big shift to TLS for improved customer privacy and security, I was hoping this issue could be escalated.

Stephen North graphviz project

hello out there?

This is already old news, but have you seen the Let’s Encrypt GitLab integration?

https://docs.gitlab.com/ee/user/project/pages/custom_domains_ssl_tls_certification/lets_encrypt_integration.html

The related GitLab documentation says:

Once enabled, GitLab obtains a LE certificate and adds it to the associated Pages domain. GitLab also renews it automatically.

I can’t confirm the automatic nature of the renewal.

My son maintains a public (open source) project that just had the problem of an expired certificate. Creating a pipeline schedule which re-runs the deployment every month didn’t resolve the issue. He needed to press the Retry link in the Pages Domain > Certificate section of the Deploy > Pages feature, which probably triggered the certbot in the background.

I’m wondering what is the most straightforward way to trigger the renewal of such a certificate using CI?

Does anyone know, is it possible to call the function integrated in the GitLab UI using, e.g., the GitLab CI job token?
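
For the earlier question about installing a certbot-issued fullchain.pem and privkey.pem programmatically, here is an added example (not code from any poster or from GitLab) that uses the GitLab Pages domains API, PUT /projects/:id/pages/domains/:domain with certificate and key fields. It uploads a certificate rather than pressing the integration's Retry link, and it assumes an access token with api scope; the CERT_DIR, PAGES_DOMAIN and GITLAB_API_TOKEN variable names and the 30-day threshold are hypothetical.

```python
import os
import ssl
import subprocess
import time
import urllib.parse
import urllib.request

RENEW_BEFORE_DAYS = 30  # assumed threshold, not a GitLab or certbot setting


def needs_renewal(enddate_line, now_epoch, renew_before_days=RENEW_BEFORE_DAYS):
    """True if the cert expires within the window (or already has)."""
    # Input is the line printed by `openssl x509 -enddate -noout`.
    not_after = ssl.cert_time_to_seconds(enddate_line.split("=", 1)[-1].strip())
    return not_after - now_epoch < renew_before_days * 86400


def build_cert_update(api_url, project, domain, token, fullchain_pem, privkey_pem):
    """Build, without sending, the PUT that replaces the domain's certificate."""
    url = "{}/projects/{}/pages/domains/{}".format(
        api_url.rstrip("/"),
        urllib.parse.quote(str(project), safe=""),  # numeric id or group/project
        urllib.parse.quote(domain, safe=""),
    )
    form = {"certificate": fullchain_pem, "key": privkey_pem}
    return urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode("ascii"),
        method="PUT",
        headers={"PRIVATE-TOKEN": token},
    )


if __name__ == "__main__":
    # Hypothetical variable names; keep the token masked and protected in CI.
    cert_dir, domain = os.environ["CERT_DIR"], os.environ["PAGES_DOMAIN"]
    enddate = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_dir + "/fullchain.pem"],
        check=True, capture_output=True, text=True,
    ).stdout
    if needs_renewal(enddate, time.time()):
        raise SystemExit("certificate on disk is stale; run certbot first")
    with open(cert_dir + "/fullchain.pem") as c, open(cert_dir + "/privkey.pem") as k:
        req = build_cert_update(os.environ["CI_API_V4_URL"], os.environ["CI_PROJECT_ID"],
                                domain, os.environ["GITLAB_API_TOKEN"], c.read(), k.read())
    with urllib.request.urlopen(req, timeout=30) as resp:  # HTTPError on non-2xx
        print("updated", domain, "HTTP", resp.status)  # never print key or token
```

Because the job handles the private key and an API token, run it only on protected branches and keep job traces free of both values.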