Set up HTTPS on your dockerized Gitlab

So I use Sameersbn’s dockerized Gitlab.

I’m not sure if this is the best way to do this, but it works, so I’m sharing it, and also as a reference for myself for future deployments.

BTW I’m working off Ubuntu 14.04 (Trusty)

First off, get certbot together with its nginx plugin:

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

Also, install nginx if you haven't: the --nginx plugin uses the host's nginx to answer the ACME challenge, so nginx has to be installed and port 80 has to be free (the Gitlab container must not be holding ports 80/443 at this point).

$ sudo certbot --nginx -d example.com -d www.example.com

Be sure to change example.com to your domain name.

Fill in the prompts; at the end certbot prints the certificate path (the matching private key, privkey.pem, is in the same directory and is readable only by root):

/etc/letsencrypt/live/yourdomain/fullchain.pem

The previous command also starts up (and configures) the host's nginx. Since the Gitlab container will bind ports 80 and 443 itself, stop the host nginx, and disable its init script so it does not come back at boot:

$ sudo service nginx stop

Keep in mind that the nginx plugin answered the ACME challenge through that nginx; once it is stopped and the container owns port 80, an unattended `certbot renew` with the same plugin can no longer complete its challenge, so renewal needs a different authenticator (for example standalone, with hooks that stop and start the container around it) plus a step that copies the renewed files into the container's certs directory.

Now, I use the following script to assemble the certificate and key files Gitlab expects from the Let's Encrypt ones:

#!/bin/bash

# This script installs the (hopefully) renewed Let's Encrypt certificate
# into the directory the Gitlab container reads its TLS files from.
# We need to do this because Let's Encrypt certificates are only valid
# for 3 months at a time, so the copy has to be refreshed after every renewal.
# Adapted from the Synology version (hence the variable name) at
# https://chpresearch.wordpress.com/2016/10/04/synology-gitlab-setup-ssl-over-lets-encrypt/
# Here the source is certbot's live directory; run as root, because
# privkey.pem under /etc/letsencrypt is readable only by root.

PATH_TO_SYNOLOGY_CERTIFICATE=/etc/letsencrypt/live/yourdomain
PATH_TO_STORE_GITLAB_CERTIFICATE=/your/docker/gitlab/root/gitlab/certs

if [[ $# -eq 1 ]]; then
    PATH_TO_STORE_GITLAB_CERTIFICATE=$1
fi

echo "Generating gitlab certificates to ${PATH_TO_STORE_GITLAB_CERTIFICATE}"

TMP_FILENAME=tmp_cert
# fullchain.pem already contains cert.pem followed by the intermediate chain,
# so it is the only input needed for gitlab.crt (appending cert.pem again would
# just duplicate the leaf certificate); cert.pem is only checked for presence.
FILES_REQUIRED=(fullchain.pem cert.pem privkey.pem)

for filename in "${FILES_REQUIRED[@]}"
do
    if [ ! -e "${PATH_TO_SYNOLOGY_CERTIFICATE}/$filename" ];
    then
        echo "${PATH_TO_SYNOLOGY_CERTIFICATE}/$filename does not exist!"
        exit 1
    fi
done

# With the default umask the temporary key file would be created 0644 in the
# current directory, i.e. world-readable. Restrict everything this script creates.
umask 077

echo "===Generating gitlab.crt==="
cat "${PATH_TO_SYNOLOGY_CERTIFICATE}/fullchain.pem" > "${TMP_FILENAME}.crt"
cat "${TMP_FILENAME}.crt"

echo "===Generating gitlab.key==="
cat "${PATH_TO_SYNOLOGY_CERTIFICATE}/privkey.pem" > "${TMP_FILENAME}.key"
# Never print the private key to the terminal or a log:
#cat ${TMP_FILENAME}.key

echo "===Backing up existing Cert & Key==="
if [[ -f "${PATH_TO_STORE_GITLAB_CERTIFICATE}/gitlab.crt" ]]; then
    mv -v "${PATH_TO_STORE_GITLAB_CERTIFICATE}/gitlab.crt" "${PATH_TO_STORE_GITLAB_CERTIFICATE}/gitlab.crt.backup"
fi
if [[ -f "${PATH_TO_STORE_GITLAB_CERTIFICATE}/gitlab.key" ]]; then
    mv -v "${PATH_TO_STORE_GITLAB_CERTIFICATE}/gitlab.key" "${PATH_TO_STORE_GITLAB_CERTIFICATE}/gitlab.key.backup"
fi

echo "===Overwriting Existing Cert & Key==="
mv -v "${TMP_FILENAME}.crt" "${PATH_TO_STORE_GITLAB_CERTIFICATE}/gitlab.crt"
mv -v "${TMP_FILENAME}.key" "${PATH_TO_STORE_GITLAB_CERTIFICATE}/gitlab.key"
# The certificate is public; the key stays readable by root only.
chmod 644 "${PATH_TO_STORE_GITLAB_CERTIFICATE}/gitlab.crt"
chmod 600 "${PATH_TO_STORE_GITLAB_CERTIFICATE}/gitlab.key"

echo "Done"

Run the script as root, since privkey.pem under /etc/letsencrypt is readable only by root (I put the script in the /your/docker/gitlab/root/gitlab/certs directory and executed it from there).

Also, you need to generate the DHE parameters. Go to the /your/docker/gitlab/root/gitlab/certs directory and execute the following command:

$ openssl dhparam -dsaparam -out dhparam.pem 2048

The -dsaparam flag makes generation take seconds instead of minutes, at the cost of the prime not being a safe prime; http://security.stackexchange.com/a/95184 argues this is acceptable because the DH keys are ephemeral. Drop the flag if you want standard safe-prime parameters and can wait for them.

Now set up your docker-compose.yml so the container serves HTTPS with these certificates instead of its self-signed ones: in sameersbn's image that means setting GITLAB_HTTPS=true and SSL_SELF_SIGNED=false, publishing port 443, and making sure gitlab.crt, gitlab.key and dhparam.pem sit in the certs subdirectory of the data volume (/home/git/data/certs inside the container). You should be up and running.
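The copy made above goes stale after the 3-month certificate lifetime unless something re-runs it after every renewal. Here is an added example of a certbot deploy hook that does that (my own code, not from the original post or from sameersbn/docker-gitlab): it re-installs the renewed files into the Gitlab certs directory, refusing a key that does not belong to the certificate and never leaving the key world-readable, then restarts the container so its nginx picks the files up. The certs directory, compose directory and compose service name "gitlab" are assumptions matching the placeholders used on this page; RENEWED_LINEAGE is the variable certbot exports to deploy hooks with the renewed /etc/letsencrypt/live/<domain> directory.

```shell
#!/bin/bash
# Added example, not from the original post or from sameersbn/docker-gitlab:
# a certbot deploy hook that installs a renewed certificate into the GitLab
# certs directory and restarts the container. Runs as root (certbot's hooks do).
#
# Assumed layout (placeholders, adjust to yours): certs directory, compose
# directory and the compose service name "gitlab".
GITLAB_CERTS=${GITLAB_CERTS:-/your/docker/gitlab/root/gitlab/certs}
COMPOSE_DIR=${COMPOSE_DIR:-/your/docker/gitlab/root}
COMPOSE_SERVICE=${COMPOSE_SERVICE:-gitlab}

# install_gitlab_certs <live dir> <dest dir>
# Copies fullchain.pem -> gitlab.crt (0644) and privkey.pem -> gitlab.key (0600).
# Returns 0 on success, 1 on any problem, leaving the previously installed
# files untouched in that case.
install_gitlab_certs() {
    live=$1
    dest=$2

    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$live/$f" ]; then
            echo "missing or unreadable $live/$f" >&2
            return 1
        fi
    done

    # Sanity check: the public key in the leaf certificate (first PEM block of
    # fullchain.pem) must equal the public key derived from privkey.pem.
    # Skipped only if openssl is not installed.
    if command -v openssl >/dev/null 2>&1; then
        crt_pub=$(openssl x509 -in "$live/fullchain.pem" -noout -pubkey) || return 1
        key_pub=$(openssl pkey -in "$live/privkey.pem" -pubout) || return 1
        if [ "$crt_pub" != "$key_pub" ]; then
            echo "privkey.pem does not match fullchain.pem, refusing to install" >&2
            return 1
        fi
    fi

    mkdir -p "$dest" || return 1

    # Stage the new files next to the old ones. The key is created under
    # umask 077 (in a subshell, so the caller's umask is untouched) so it is
    # never world-readable, not even briefly.
    cp "$live/fullchain.pem" "$dest/gitlab.crt.new" || return 1
    ( umask 077 && cp "$live/privkey.pem" "$dest/gitlab.key.new" ) || return 1
    chmod 0644 "$dest/gitlab.crt.new" || return 1
    chmod 0600 "$dest/gitlab.key.new" || return 1

    # Keep one backup of the previous pair, then swap the new files in.
    if [ -f "$dest/gitlab.crt" ]; then
        cp -p "$dest/gitlab.crt" "$dest/gitlab.crt.backup" || return 1
    fi
    if [ -f "$dest/gitlab.key" ]; then
        cp -p "$dest/gitlab.key" "$dest/gitlab.key.backup" || return 1
    fi
    mv -f "$dest/gitlab.crt.new" "$dest/gitlab.crt" || return 1
    mv -f "$dest/gitlab.key.new" "$dest/gitlab.key" || return 1
    return 0
}

# certbot sets RENEWED_LINEAGE (the /etc/letsencrypt/live/<domain> directory)
# for deploy hooks; when it is present we are running after a real renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_gitlab_certs "$RENEWED_LINEAGE" "$GITLAB_CERTS" || exit 1
    # nginx inside the container reads the files only at startup, so restart it.
    ( cd "$COMPOSE_DIR" && docker-compose restart "$COMPOSE_SERVICE" ) || exit 1
fi
```

Install it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ (honoured by certbot 0.17 and later) or pass it with `--deploy-hook`; dhparam.pem does not rotate, so the hook leaves it alone. Because the host nginx is stopped, the renewal itself also needs an authenticator that does not depend on it: one option is to re-issue once with `certbot certonly --standalone` so the renewal config records standalone, and give `certbot renew` a `--pre-hook` that stops the container and a `--post-hook` that starts it, so port 80 is free for the challenge.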