Let's Encrypt certificate renewal for self-managed GitLab instance with IP restriction

Hi guys,

I am setting up a self-managed GitLab with the following setup:

  1. Installed GitLab on an AWS EC2 instance using Docker Compose
  2. The EC2 instance is behind Cloudflare
  3. Added a rule in Cloudflare WAF such that only my IP can access the website
  4. Added rules in the EC2 instance’s network security group such that only Cloudflare IPs can access the EC2 instance via 80 and 443 ports, and only my IP can access the EC2 instance via SSH

I have two questions regarding the SSL configuration:

  • Will the auto-renewal of GitLab instance’s Let’s Encrypt certificate fail as there are IP restrictions in Cloudflare WAF and EC2 instance’s network security group?
  • Also, as Cloudflare has an edge certificate serving at edge locations, is it possible to configure TLS termination for the GitLab instance?

Thanks!

Yes, it will fail. Let's Encrypt needs to be able to connect to the web server, e.g. GitLab in this instance, so that it can renew it. However, you can do this differently by taking the Let's Encrypt segment separate from GitLab. Use the Let's Encrypt Cloudflare module, and provide a token to allow it to connect to Cloudflare and your zone with your domain. The renewal will happen similar to the acme script. You then do the renewal outside of GitLab, and have a renewal hook to restart GitLab afterwards. Then in the GitLab configuration all you do is configure the paths for the certificates and remove the other config you did that enabled Let's Encrypt, etc.

Yes, you can, and in this instance you would not need Let's Encrypt. Cloudflare gives you origin certificates which you can drop on your server in /etc/gitlab/ssl. For GitLab to use them, you name them gitlab.mydomain.com.crt and gitlab.mydomain.com.key, replacing gitlab.mydomain.com with the URL of your server. Once you've done this, you just use the Cloudflare certificates and set the SSL to Full. Do not forward from Cloudflare to your server over port 80, since this traffic is then unencrypted and can in theory be intercepted and read.

Also note, if you are using the proxy (cloud enabled) feature on your DNS entries in Cloudflare for your GitLab server, and you are using a free account, the max amount of data transfer is 100MB. If any commits exceed this, then the commits will not be made. Also, Cloudflare does not like huge amounts of data being transferred via their servers. If this traffic is HTML/CSS/JS then this will be OK; if you start transferring LFS stuff like ISO images, zip or other archive files you can potentially be blocked or forced to pay for an upgraded tier. Therefore, if you do have the cloud/proxy enabled option, I suggest you disable this, and then control access to your server via IP like you have done.

If you already have the cloud disabled and not proxied via Cloudflare, then you can ignore what I wrote 🙂

1 Like