First, add the Gitlab package repository. The script below is run as root, so download and read it before piping it to bash:
curl -sS https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash
Update your package list:
sudo apt-get update
Next, install Gitlab Community edition:
sudo apt install gitlab-ce
Install Gitlab before requesting the certificate: the Let's Encrypt webroot validation below relies on the Nginx bundled with Gitlab to serve the challenge files, so the order of these steps matters.
Add the certbot repository (on recent Ubuntu releases this PPA is no longer updated; the certbot package from the Ubuntu archive or the snap works identically for the commands below):
sudo add-apt-repository ppa:certbot/certbot
Press ENTER to accept the addition of the repository.
Update your package list:
sudo apt-get update
Next, install Certbot:
sudo apt-get install certbot
We are going to use webroot (HTTP-01) validation for Gitlab, so we need a document root from which the Let's Encrypt challenge files can be served:
sudo mkdir -p /var/www/letsencrypt
Since Gitlab ships its own Nginx, we need a line in gitlab.rb telling that Nginx to serve requests for /.well-known from the web root created above (certbot writes each challenge file under /var/www/letsencrypt/.well-known/acme-challenge/, so a plain root directive is enough).
sudo nano /etc/gitlab/gitlab.rb
Paste the following line anywhere in the gitlab.rb file, preferably under the Nginx section:
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known { root /var/www/letsencrypt; }"
Save and close gitlab.rb.
Apply the new changes to Gitlab by running the following command:
sudo gitlab-ctl reconfigure
Next, request a certificate from Let's Encrypt with the following command:
sudo certbot certonly --webroot --webroot-path=/var/www/letsencrypt -d YOUR-DOMAIN
Substitute your hostname for YOUR-DOMAIN; the --webroot-path must be the same directory Nginx was pointed at above, otherwise the validation request returns 404.
You will be prompted for an email address (used for expiry notices) and to accept the Let's Encrypt terms of service.
Your new certificate should be issued and stored in:
/etc/letsencrypt/live/YOUR-DOMAIN
Next, edit the gitlab.rb config file:
sudo nano /etc/gitlab/gitlab.rb
Change the external_url as follows:
external_url 'https://YOUR-DOMAIN'
Next, redirect HTTP to HTTPS and point Gitlab at the certificate and key by setting the following lines. The paths under /etc/letsencrypt/live/ are symlinks that certbot repoints on every renewal, so they never need changing. Newer Omnibus packages enable their own Let's Encrypt integration automatically when external_url is https; if yours does, also set letsencrypt['enable'] to false so reconfigure does not try to issue a second certificate on top of the one managed here:
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem"
Save and close the file, and reconfigure Gitlab to apply the new changes:
sudo gitlab-ctl reconfigure
Browse to http://YOUR-DOMAIN; you should be redirected to https://YOUR-DOMAIN, and the browser should show a certificate issued by Let's Encrypt.
The final step is to automate renewal of the certificate by adding a line to root's crontab.
sudo crontab -e
Paste the following:
00 1 * * * /usr/bin/certbot renew --quiet --deploy-hook "/usr/bin/gitlab-ctl restart nginx"
This runs at 01:00 every day; certbot only replaces the certificate once it is within 30 days of expiry and otherwise exits quietly. Save and close the file.
Notice the --deploy-hook option (older certbot versions call it --renew-hook): it runs only when a certificate was actually renewed and restarts Gitlab's Nginx so the new files are picked up.
You'll now have a Gitlab server with automated Let's Encrypt certificate renewal.
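A post-install check for the setup above, added here as an example and not part of the original tutorial. It assumes the web root /var/www/letsencrypt and the /.well-known location from gitlab.rb; gitlab.example.com in the usage line is a placeholder. It plants a random token where certbot would write a challenge file and reads it back over plain HTTP (the same route the Let's Encrypt validator takes), checks that http:// redirects to https:// on the same host, warns when the live certificate is within 30 days of expiry, and finishes with certbot's dry-run renewal. The fetch commands are parameters so the checks can be exercised without a running server.

```shell
#!/bin/sh
# gitlab-le-check.sh: verify the Gitlab + Let's Encrypt setup from this page.
# Added example, not part of the original tutorial. Assumes the web root
# /var/www/letsencrypt and the /.well-known location configured in gitlab.rb.
# Usage: sudo sh gitlab-le-check.sh check gitlab.example.com

WEBROOT=/var/www/letsencrypt

# Default fetchers use plain HTTP, exactly as the ACME HTTP-01 validator does.
# They are passed as arguments so the checks can be exercised without a server.
http_fetch()   { curl -fsS --max-time 10 "$1"; }
http_headers() { curl -sSI --max-time 10 "$1"; }

# Plant a random token where certbot writes challenge files and read it back
# over HTTP. If this fails, certbot will fail too: fix gitlab.rb and reconfigure.
acme_preflight() {
  webroot=$1; domain=$2; fetch=${3:-http_fetch}
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  printf '%s' "$token" > "$dir/$token"
  got=$("$fetch" "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null) || got=""
  rm -f "$dir/$token"      # never leave stray files under the challenge path
  [ "$got" = "$token" ]
}

# True if a captured HTTP response header block is a redirect to https://DOMAIN.
# A redirect to http://, or to a different host, is rejected.
redirect_ok() {
  domain=$1
  hdrs=$(printf '%s\n' "$2" | tr -d '\r')
  esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
  printf '%s\n' "$hdrs" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 30[1278]( |$)' || return 1
  printf '%s\n' "$hdrs" | grep -Eiq "^location: https://$esc(/.*)?$"
}

check_redirect() {
  domain=$1; fetch=${2:-http_headers}
  redirect_ok "$domain" "$("$fetch" "http://$domain/")"
}

# Fail if the certificate expires within N days (default 30, which is when
# certbot renew should already have replaced it).
cert_valid_for_days() {
  pem=$1; days=${2:-30}
  openssl x509 -noout -checkend $((days * 86400)) -in "$pem" >/dev/null
}

main() {
  domain=$1
  if acme_preflight "$WEBROOT" "$domain"; then
    echo "ok: /.well-known is served from $WEBROOT"
  else
    echo "FAIL: /.well-known is not served from $WEBROOT; check gitlab.rb and run gitlab-ctl reconfigure" >&2
    exit 1
  fi
  if check_redirect "$domain"; then
    echo "ok: http://$domain redirects to https://$domain"
  else
    echo "FAIL: http://$domain does not redirect to https" >&2
  fi
  if cert_valid_for_days "/etc/letsencrypt/live/$domain/fullchain.pem" 30; then
    echo "ok: certificate valid for more than 30 days"
  else
    echo "WARN: certificate expires within 30 days; run certbot renew" >&2
  fi
  # Rehearse renewal against the staging CA; the live certificate is untouched.
  certbot renew --dry-run
}

case "${1:-}" in check) main "${2:?domain required}" ;; esac
```

Run it once after the final reconfigure and again after the first cron-driven renewal; a 404 from the preflight almost always means the custom_gitlab_server_config line was not applied, and a failed redirect check means redirect_http_to_https is still false or external_url still starts with http.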