2020/08/08

Gitlab + letsencrypt + Private network

Requirements

This post assumes you have the following:
  • A GitLab server
  • TLS certificates from Let's Encrypt
  • A private network that the outside world cannot reach directly
  • A public domain name that you own
If your GitLab server is reachable from the outside world, you can just follow the GitLab manual for setting up Let's Encrypt.
For poor souls like me, stay tuned and keep reading.

What is let’s encrypt

For details, please read their website yourself. To me, it is simply a service that gives me a valid TLS certificate free of charge.

Gitlab server + letsencrypt

According to my experiments, up to GitLab 12.9.2, GitLab does not support requesting a certificate via the DNS challenge. So, if your GitLab server is not public at all, you can simply disable the Let's Encrypt integration that GitLab provides.
Surprisingly, we can still benefit from Let's Encrypt: it will still issue you a TLS certificate and private key, even though you need to redo the verification every 3 months.
In other words, once you have the certificate and private key, you configure GitLab to read them exactly as if you were using a traditional TLS certificate bought from a vendor.

Request certificate from letsencrypt via certbot

First, install certbot on your GitLab server host by following the Let's Encrypt manual.
Then run the following command to request a certificate from Let's Encrypt, using the DNS challenge for verification:
certbot -d YOUR_GITLAB_SERVER_DOMAIN_NAME --manual --preferred-challenges dns certonly
Follow the instructions there, and you will eventually be given a DNS challenge string. Set up a TXT record containing that challenge string in your public DNS.
Below is a picture I captured from Google to illustrate the TXT record setup.
Once you have completed the DNS challenge, you should get a certificate and private key at the paths stated in the command output. Personally, I suggest you write down those important notes into a file for future reference.

Configure the GitLab server to read the certificate

By default, you should have the following (commented-out) configuration in /etc/gitlab/gitlab.rb:
# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
You can override them with any values you like. For me, I just stick to the default configuration, so I copy the certificate and private key to the destination above.
It is worth pointing out that, if you use the default configuration like me, you must name your certificate YOUR_DOMAIN_NAME.crt and your private key YOUR_DOMAIN_NAME.key.
Finally, restart your GitLab server and check out your new certificate by inspecting it in your browser.
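The whole procedure above (request with the manual DNS challenge, copy into the default gitlab.rb locations, apply) as one script. This is an added example, not code from the original post or from GitLab; it assumes certbot's standard output layout /etc/letsencrypt/live/DOMAIN/{fullchain.pem,privkey.pem}, an Omnibus GitLab install (/etc/gitlab/gitlab.rb and gitlab-ctl), and openssl on the host for the checks. It goes slightly beyond the post: it installs fullchain.pem rather than cert.pem so nginx serves the intermediate too, locks the key down to mode 600, confirms the key matches the certificate, and warns when the 90-day certificate is close to expiry, which is when the manual DNS challenge has to be repeated.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root on the GitLab host:
#   ./gitlab-le.sh request git.example.test   # step 1: manual DNS-01 challenge
#   ./gitlab-le.sh install git.example.test   # step 2: copy, verify, reconfigure
# Assumptions: certbot's /etc/letsencrypt/live/DOMAIN layout, Omnibus GitLab, openssl.
set -eu

# Destination paths that match the commented-out defaults in gitlab.rb:
#   nginx['ssl_certificate']     = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
#   nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
gitlab_cert_path() { printf '%s/%s.crt\n' "${2:-/etc/gitlab/ssl}" "$1"; }
gitlab_key_path()  { printf '%s/%s.key\n' "${2:-/etc/gitlab/ssl}" "$1"; }

# Copy the full chain (leaf + intermediate, which nginx needs to serve) and the
# private key into place. The key is written 0600 so only root can read it.
install_gitlab_cert() {
    domain=$1; live_dir=$2; ssl_dir=${3:-/etc/gitlab/ssl}
    [ -s "$live_dir/fullchain.pem" ] || { echo "missing $live_dir/fullchain.pem" >&2; return 1; }
    [ -s "$live_dir/privkey.pem" ]   || { echo "missing $live_dir/privkey.pem" >&2; return 1; }
    mkdir -p "$ssl_dir"
    cp "$live_dir/fullchain.pem" "$(gitlab_cert_path "$domain" "$ssl_dir")"
    cp "$live_dir/privkey.pem"   "$(gitlab_key_path "$domain" "$ssl_dir")"
    chmod 644 "$(gitlab_cert_path "$domain" "$ssl_dir")"
    chmod 600 "$(gitlab_key_path "$domain" "$ssl_dir")"
}

# Confirm the certificate and key belong together, and that the certificate
# is not about to expire. Let's Encrypt certificates last 90 days, so with a
# manual DNS challenge the request step must be redone before then; return 2
# when fewer than $3 days (default 14) remain.
verify_gitlab_cert() {
    crt=$1; key=$2; min_days=${3:-14}
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate/key mismatch" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires within $min_days days; re-run the request step" >&2; return 2; }
}

# Dispatch only when given a sub-command, so the functions can also be sourced.
case "${1:-}" in
    request)  # same certbot invocation as in the post
        certbot -d "$2" --manual --preferred-challenges dns certonly ;;
    install)  # copy into /etc/gitlab/ssl, verify, then let Omnibus pick it up
        install_gitlab_cert "$2" "/etc/letsencrypt/live/$2"
        verify_gitlab_cert "$(gitlab_cert_path "$2")" "$(gitlab_key_path "$2")"
        gitlab-ctl reconfigure ;;
    "") ;;
    *) echo "usage: $0 request|install DOMAIN" >&2; exit 64 ;;
esac
```

Because the install step refuses to run gitlab-ctl reconfigure when the key does not match the certificate, a mixed-up copy cannot leave nginx failing to start with a mismatched pair. Keep the 14-day warning in mind: the manual DNS challenge cannot be automated by certbot's renew timer, so re-running the request step is a calendar task.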
