Don’t I have to configure it? It seems too simple. All other services I have configured for SSL have needed much more configuration.
Well, I did what was suggested in the documentation, but GitLab is not accessible. gitlab-ctl status:
down: nginx: 0s, normally up, want up; run: log: (pid 4069) 4314218s
I verified all 3 certificates with /opt/gitlab/embedded/bin/openssl x509 -in Intermediate.crt -text -noout
Got no errors on them.
I don’t have to change any of the Nginx configuration in /etc/gitlab/gitlab.rb?
# nginx['enable'] = true
# nginx['client_max_body_size'] = '250m'
# nginx['redirect_http_to_https'] = false
# nginx['redirect_http_to_https_port'] = 80
##! Most root CA's are included by default
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"
##! enable/disable 2-way SSL client authentication
# nginx['ssl_verify_client'] = "off"
##! if ssl_verify_client on, verification depth in the client certificates chain
# nginx['ssl_verify_depth'] = "1"
# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
# nginx['ssl_prefer_server_ciphers'] = "on"
obviously replacing the myhostname.domain.com with your certificate name that you are trying to use. When you restart gitlab, it uses it. Of course, the external_url in gitlab.rb must match the name of the certificate.
From what I see the docs do cover it perfectly fine. I have two gitlab-ce servers, one with letsencrypt, and one manually configured. Had you placed it in /etc/gitlab/ssl instead of trusted-certs, and also had the correct filename with the cert to match the external_url, all would have been fine. Just like the docs state.
I know by default GitLab attempts to use letsencrypt, so when I just searched gitlab.rb for letsencrypt to change it to false I could see that all the config relates to letsencrypt and SSL was all for fields beginning with nginx. Then heading up to the header of the nginx section in gitlab.rb you have:
I basically followed that document link from the gitlab.rb file which takes you to the second link you found.
Generally all the sections in gitlab.rb have documentation links, so that probably explains why I’ve never actually googled “gitlab ssl” which takes you to the first link you found.
Yes, I followed the same directions as you did.
GitLab should fix their Google search results. Anyone looking to configure SSL on GitLab will most likely go for the first result.
The first result is Omnibus SSL Configuration, the second is NGINX Settings.
I still wonder what the first one is for, if not enabling https on GitLab.
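The layout this thread converges on (an https external_url, with the certificate and key in /etc/gitlab/ssl named after that host) can be checked before restarting GitLab. The script below is an added example, not part of any post in the thread and not GitLab's own tooling; the function names are hypothetical, and it assumes trusted-certs sits next to the ssl directory and that an openssl binary is on PATH for the key check.

```shell
#!/bin/sh
# Added example: pre-flight check for manual SSL on Omnibus GitLab.
# Function names are hypothetical; the paths are the ones named in the thread.

# Print the last uncommented external_url value found in gitlab.rb ($1).
external_url() {
  sed -n "s/^[[:space:]]*external_url[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$1" | tail -n 1
}

# Reduce a URL to its host name (scheme, port and path removed).
url_host() {
  printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#[:/].*$##'
}

# $1 = gitlab.rb, $2 = ssl directory. Succeeds only if external_url is https
# and <host>.crt and <host>.key both exist in $2 and are non-empty.
check_ssl_layout() {
  url=$(external_url "$1")
  case $url in
    https://*) ;;
    *) echo "external_url is not https: '$url'"; return 1 ;;
  esac
  host=$(url_host "$url")
  rc=0
  for f in "$2/$host.crt" "$2/$host.key"; do
    [ -s "$f" ] || { echo "missing or empty: $f"; rc=1; }
  done
  # The mistake from the thread: certificate placed in trusted-certs, not ssl.
  if [ "$rc" -ne 0 ] && [ -e "$(dirname "$2")/trusted-certs/$host.crt" ]; then
    echo "hint: $host.crt is in trusted-certs, expected in $2"
  fi
  return "$rc"
}

# $1 = certificate, $2 = private key. Succeeds if both carry the same public key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs only when called with arguments: sh check.sh /etc/gitlab/gitlab.rb [ssl dir]
if [ "$#" -ge 1 ]; then
  dir=${2:-/etc/gitlab/ssl}
  check_ssl_layout "$1" "$dir" || exit 1
  key_matches_cert "$dir/$host.crt" "$dir/$host.key" \
    || { echo "private key does not match certificate"; exit 1; }
  echo "ok: $dir/$host.crt matches external_url and its key"
fi
```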