SSL Configuration Not Using Letsencrypt

How to Use GitLab
#1

The GitLab SSL Configuration is difficult to get a handle on.
It seems to be very much tailored to Letsencrypt.
https://docs.gitlab.com/omnibus/settings/ssl.html

We are using a Wildcard Certificate purchased from a CA (Entrust).

What I have found I needed to do
Disable letsencrypt in /etc/gitlab/gitlab.rb
letsencrypt['enable'] = false

Just copy my certificates to /etc/gitlab/trusted-certs
company.crt, root.crt and intermediate.crt
Then run gitlab-crt reconfigure

https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates

Don’t I have to configure it? It sees too simple. All other services I have configured for SSL has needed much more configuration.

Well I did what was suggested in the documentation, but GitLab is not accessible.
gitlab-ctl status
down: nginx: 0s, normally up, want up; run: log: (pid 4069) 4314218s

I verified all 3 certificates with
/opt/gitlab/embedded/bin/openssl x509 -in Intermediate.crt -text -noout
Got no errors on them.

I don’t have to change any og the Nginx configuration in /etc/gitlab/gitlab.rb?

# nginx['enable'] = true
# nginx['client_max_body_size'] = '250m'
# nginx['redirect_http_to_https'] = false
# nginx['redirect_http_to_https_port'] = 80

##! Most root CA's are included by default
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"

##! enable/disable 2-way SSL client authentication
# nginx['ssl_verify_client'] = "off"

##! if ssl_verify_client on, verification depth in the client certificates chain
# nginx['ssl_verify_depth'] = "1"

# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
# nginx['ssl_prefer_server_ciphers'] = "on"

The nginx configuration led me to a different SSL configuation documentation.
https://docs.gitlab.com/omnibus/settings/nginx.html#manually-configuring-https

That seemed to work. Now our GitLab instance is accessible through HTTPS.

The GitLab SSL Configuration documentation needs to be updated. One single page covering all options.

#2

The docs are perfectly fine. From the URL you gave:

https://docs.gitlab.com/omnibus/settings/nginx.html#manually-configuring-https

specifically point 3:

mkdir /etc/gitlab/ssl
cp mycert.cert /etc/gitlab/ssl/myhostname.domain.com.crt
cp mykey.key /etc/gitlab/ssl/myhostname.domain.com.crt

obviously replacing the myhostname.domain.com with your certificate name that you are trying to use. When you restart gitlab, it uses it. Of course, the external_url in gitlab.rb much match the name of the certificate.

From what I see the docs do cover it perfectly fine. I have two gitlab-ce servers, one with letsencrypt, and one manually configured. Had you placed in /etc/gitlab/ssl instead of trusted-certs, and also had the correct filename with the cert to match the external_url, all would have been fine. Just like the docs state.

#3

Well, searching for GitLab SSL configuraton leads to a different page
https://docs.gitlab.com/omnibus/settings/ssl.html

I just happened to stumble upon the nginx one after reading the nginx configuration in gitlab.rb.
What is the first one for actually then?

#4

No idea, maybe gitlab can explain.

I know by default Gitlab attempts to use letsencrypt, so when I just searched gitlab.rb for letsencrypt to change it to false I could see that all the config relates to letsencrypt and SSL was all for fields beginning with nginx. Then heading up to the header of the nginx section in gitlab.rb you have:

################################################################################
## GitLab NGINX
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html
################################################################################

I basically followed that document link from the gitlab.rb file which takes you to the second link you found.

Generally all the sections in gitlab.rb have documentation links, so probably explains why I’ve never actually googled “gitlab ssl” which takes you to the first link you found.

#5

Yes, I followed the same the same directions as you did.

GitLab should fix their Google search results. Anyone looking to configure SSL on GitLab will most likely go for the first result.
The first result is Omnibus SSL Configuration, the second is NGINX Settings.
I still wonder what the first one is for, if not enabling https on GitLab.