Setting up automatic Let's Encrypt certs on self-hosted GitLab Pages

Some of the features in GitLab are unfortunately a little half-baked; that said, they release updates like clockwork and what's there is still really awesome. When we set up GitLab Pages on our self-hosted instance we really wanted to have HTTPS on all the Pages sites, including those with custom domains.

Certs for custom domains

Until GitLab has a way to do this natively, I found this great project: lets-encrypt-gitlab-pages. There were some issues with the package files when I tried to install it, however I can tell you it now works well thanks to the help of the maintainer Luc Didry (thanks for the speedy responses to my ticket, Luc). I installed it a few days ago and can report that it works quite well.

The one extra step was adding it to crontab, I chose to execute it every 30 minutes as it only updates/creates certs when required. Here is what I added to my crontab:

# Generate required custom domain certs for Gitlab Pages every 30 minutes
0,30 * * * * /opt/lepages/lepages

One little thing to be aware of: until you have enabled the Pages web server to serve over 443, none of this will work. That's why I moved on to the next step.

Wildcard SSL certs for your internal GitLab Pages domains via Let's Encrypt

First we need to generate a cert for our primary Pages domain, and also a wildcard so that all repos will work over HTTPS straight away. This command covers both the primary domain and the wildcard in a single certificate:

sudo certbot -d [domain] -d '*.[domain]' --manual --preferred-challenges dns certonly

You will need to create some TXT records to complete the steps in this command. Once completed, the output of this command will tell you the path where the certificates were created; we will use this when updating the GitLab Pages configuration.

We use the omnibus install, so I had to enable Pages over HTTPS by following the instructions at Custom domains with TLS support. Be sure to replace [domain] and the IP address with yours:

gitlab_pages['cert'] = "/etc/letsencrypt/live/[domain]/fullchain.pem"
gitlab_pages['cert_key'] = "/etc/letsencrypt/live/[domain]/privkey.pem"

# The address GitLab Pages listens on for HTTPS (your Pages IP, port 443)
gitlab_pages['external_https'] = ['[ip address]:443']

Now the remaining step is to get the cert renewal working. This is a little more difficult, as my registrar doesn't support creating TXT records via a certbot plugin. Here is the start of the command that should hopefully eventually work; I'm currently thinking I may be able to make a script that uses expect to perform the interactive steps. Once I have done this I will be able to trigger it from crontab as well.

The updated command to do this will be:

sudo certbot -d [domain] -d '*.[domain]' --manual --rsa-key-size 4096 --preferred-challenges dns certonly

You can expect an update with that script once I have time to do it, but for now I need to stop regenerating certs before I get rate limited 😃
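One piece that makes a frequent cron job safe regardless of how the interactive DNS step ends up being automated is a gate that only triggers certbot when the live certificate actually needs it. The script below is an added example, not code from the original post or from lets-encrypt-gitlab-pages: it checks the remaining lifetime of the current fullchain.pem with openssl and confirms the cert still names both the apex domain and the wildcard, and only then reports that a renewal should run. It assumes OpenSSL 1.1.1 or newer on the host and the /etc/letsencrypt/live/<domain>/fullchain.pem layout used above; the `run_renewal` wrapper and its default path are my own naming.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a certbot
# renewal is actually needed before running it from cron, so the job can
# run every 30 minutes without re-issuing certs and hitting rate limits.
# Assumes OpenSSL >= 1.1.1 and the /etc/letsencrypt/live/<domain>/ layout.

# Exit 0 when the certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Exit 0 when the certificate in $1 lists $2 (e.g. "example.test" or
# "*.example.test") in its Subject Alternative Name extension. The SAN
# entries are split one per line and matched as whole fixed strings so a
# wildcard entry is never confused with the apex entry.
cert_covers_name() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
    | grep -qxF -- "DNS:$2"
}

# Print "renew" when a new certificate should be requested for $2, "skip"
# otherwise. $1 is the fullchain.pem path, $3 the minimum days of validity
# we insist on (default 30, matching Let's Encrypt's own renewal advice).
renewal_decision() {
  cert="$1"; domain="$2"; min_days="${3:-30}"
  if [ ! -f "$cert" ]; then echo renew; return; fi
  if ! cert_valid_for_days "$cert" "$min_days"; then echo renew; return; fi
  if ! cert_covers_name "$cert" "$domain" \
     || ! cert_covers_name "$cert" "*.$domain"; then
    echo renew; return
  fi
  echo skip
}

# Hypothetical cron entry point: only invoke certbot when the gate says so.
# The certbot command is the one from the post; the DNS step is still manual
# until that part is automated.
run_renewal() {
  domain="$1"
  cert="/etc/letsencrypt/live/$domain/fullchain.pem"
  if [ "$(renewal_decision "$cert" "$domain" 30)" = renew ]; then
    echo "Renewing certificate for $domain and *.$domain"
    certbot -d "$domain" -d "*.$domain" --manual --rsa-key-size 4096 \
      --preferred-challenges dns certonly
  else
    echo "Certificate for $domain still valid and covers both names; skipping"
  fi
}
```

Called from cron as `0,30 * * * * /opt/renew-pages-cert.sh [domain]` (with `run_renewal "$1"` at the bottom of the script), this keeps the same 30-minute cadence as the lepages job but only talks to Let's Encrypt when the cert is inside its last 30 days or no longer matches the expected names. Once a renewal does succeed, GitLab Pages still needs to be told to pick up the new files; check the omnibus docs for the reload or restart command that applies to your version.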

Also a huge thanks to the Let's Encrypt team for the service they provide.

Last Updated: 11/17/2018, 11:27:41 PM