Need Assistance in Configuring SSL for Gitlab

Hello Gitlab Community and Happy New Year. I am in need of assistance with configuring SSL for Gitlab on my Linux machine. I am not looking to use “Let’s Encrypt” for this task, but instead I am looking to configure HTTPS manually.

Based on the instruction provided here, I am looking to copy and paste my key and certificate in the “/etc/gitlab/ssl” location. However, how would I go about creating the .key file for gitlab? I already have a .cer file that was provided to me when I requested a .cer file from my PKI team for another application that is on the same server.

Thank You.

Get your PKI team to give you the key for when they generated the certificate.


Hello @iwalker , thanks for the reply back. Can I use Java Keystores for SSL configuration for gitlab? I don’t see mention of Java KeyStores in the gitlab docs. Most apps can use Java KeyStores (JKS) for SSL settings, but rarely some need to just point to the cert itself that resides in the .JKS

No, Gitlab uses PEM certificates. Gitlab is not a java application. Java Keystores can only be used with Java applications.

All covered in Gitlab documentation: Configure SSL for a Linux package installation | GitLab


@iwalker , is it possible to convert the .JKS I have into a .PEM file in order for it to be accepted for this configuration process?

You tried google?

https://www.google.com/search?q=convert+jks+to+pem&uact=5

If it doesn’t work, ask your PKI team to give you a certificate and key in the correct format.


On my instance, this file “«REDACTED»/embedded/ssl/certs/README” says

This directory is managed by omnibus-gitlab.
Any file placed in this directory will be ignored. Place certificates in /etc/gitlab/trusted-certs.

I put my enterprise cert files (Root and intermediate chain(s), cert, private key) in that folder and run gitlab-ctl reconfigure so it picks them up. That creates symlinks to the cert files.

So I finished with creating the .pem file that includes first the private key (.key), primary ssl certificate domain (.crt), 2 intermediate certificates (.crt), and the root certificate last (.crt). I also went ahead and edited the #nginx script in /etc/gitlab/gitlab.rb to this:

nginx['ssl_certificate'] = "/etc/gitlab/trusted-certs/gitlab1.pem"
nginx['ssl_certificate_key'] = "/etc/gitlab/trusted-certs/gitlab1.pem"

Once I completed this, I then used gitlab-ctl start to start the program and then opened new windows and inputted the https address. However, it still comes out as an unsecured/not secured page. How can I fix this issue?

If it’s still unsecured, or not trusted by the web browser, this means one of two things.

  1. Incorrect order when combining the certificate, intermediate and CA certificates.
  2. If certificate is generated by an internal CA - the CA certificate needs importing to the browser.

This is not a Gitlab problem now, this is the problem with one of the items above. Once that has been resolved the problem will no longer be seen within the browser.

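As an added example (not part of the thread and not GitLab's own tooling), the shell function below checks the first cause listed above: that every certificate in a PEM bundle is issued by the one that follows it, and that the private key belongs to the first (server) certificate. It assumes `openssl` is installed; `check_bundle` and its two path arguments are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a PEM bundle before pointing nginx at it.
# Usage: check_bundle <bundle.pem> <key.pem>   -> returns 0 if OK, 1 otherwise

check_bundle() {
    local bundle="$1" key="$2" tmp n i cur next rc=0
    tmp=$(mktemp -d) || return 2

    # Split into one file per CERTIFICATE block, keeping file order.
    # Other blocks (for example a PRIVATE KEY) are skipped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    n=$(ls "$tmp" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"
        return 1
    fi

    # Each certificate must be issued by the one that follows it:
    # server certificate first, then intermediates, root (if present) last.
    i=1
    while [ "$i" -lt "$n" ]; do
        cur=$(printf '%s/cert%02d.pem' "$tmp" "$i")
        next=$(printf '%s/cert%02d.pem' "$tmp" "$((i + 1))")
        if [ "$(openssl x509 -noout -issuer_hash -in "$cur")" != \
             "$(openssl x509 -noout -subject_hash -in "$next")" ]; then
            echo "order: certificate $i is not issued by certificate $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done

    # The private key must match the public key of the first certificate.
    if [ "$(openssl x509 -noout -pubkey -in "$tmp/cert01.pem")" != \
         "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ]; then
        echo "key: private key does not match the first certificate" >&2
        rc=1
    fi

    rm -rf "$tmp"
    return "$rc"
}
```

A clean result only rules out the ordering and key mismatch; a certificate from an internal CA still has to be trusted by the browser, as the second item above says.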