Install GitLab with Let's Encrypt on Ubuntu 16.04

First, add the GitLab package repository:

curl -sS https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash

Update your package list:

sudo apt-get update

Next, install GitLab Community Edition:

sudo apt install gitlab-ce

The order of the following steps matters when configuring Let's Encrypt.

Add the certbot repository:

sudo add-apt-repository ppa:certbot/certbot

Press ENTER to accept the addition of the repository.

Update your package list:

sudo apt-get update

Next, install Certbot:

sudo apt-get install certbot

We are going to use web root domain validation for GitLab, so we need to set up a document root in order for the Let's Encrypt validation to succeed:

sudo mkdir -p /var/www/letsencrypt

Since GitLab uses Nginx, we need to insert a line in the gitlab.rb file to instruct Nginx to serve requests for /.well-known from the web root created above.

sudo nano /etc/gitlab/gitlab.rb

Paste the following line anywhere in the gitlab.rb file, preferably under the Nginx section:

nginx['custom_gitlab_server_config'] = "location ^~ /.well-known { root /var/www/letsencrypt; }"

Save and close gitlab.rb.

Apply the new changes to GitLab by running the following command:

sudo gitlab-ctl reconfigure

Next, request a certificate from Let's Encrypt with the following command:

sudo certbot certonly --webroot --webroot-path=/var/www/letsencrypt -d YOUR-DOMAIN

Note the web root directory (/var/www/letsencrypt), and replace YOUR-DOMAIN with your domain name.

You will be prompted to enter your email address. This is used for certificate expiration notifications.

Your new certificate should be issued and stored in:

/etc/letsencrypt/live/YOUR-DOMAIN

Next, edit the gitlab.rb config file:

sudo nano /etc/gitlab/gitlab.rb

Change the external_url as follows:

external_url 'https://YOUR-DOMAIN'

Next, redirect HTTP to HTTPS and point GitLab to the path of the SSL certificate by changing the following lines:

nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem"

Save and close the file, then reconfigure GitLab to apply the new changes:

sudo gitlab-ctl reconfigure

You should now be able to go to http://YOUR-DOMAIN and be redirected to https://YOUR-DOMAIN.

The final step is to automate the renewal of the SSL certificate by adding a line to your crontab.

sudo crontab -e

Paste the following:

00 1 * * * /usr/bin/certbot renew --quiet --renew-hook "/usr/bin/gitlab-ctl restart nginx"

This will execute at 01:00 each day. Save and close the file.

Notice the --renew-hook option, which restarts nginx so that it picks up the renewed certificate.

You'll now have a GitLab server with automated Let's Encrypt certificate renewal.
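
To check the gitlab.rb settings from this guide before running gitlab-ctl reconfigure, the following added example lints the file; it is not part of the original guide or of GitLab's own tooling. The function names, the domain gitlab.example.com and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide: lint gitlab.rb for the
# settings used above. Function names here are hypothetical helpers.

# Last active line in file $1 whose key matches ERE $2. gitlab.rb is Ruby,
# so the last assignment wins; commented-out defaults never match.
setting() { grep -E "^[[:space:]]*$2" "$1" | tail -n 1; }

# check_gitlab_rb FILE DOMAIN [WEBROOT]: prints problems, returns 1 if any.
check_gitlab_rb() {
  f=$1; live="/etc/letsencrypt/live/$2"; root=${3:-/var/www/letsencrypt}; rc=0
  case "$(setting "$f" "external_url")" in
    *"'https://$2'"*|*"\"https://$2\""*) ;;
    *) echo "external_url is not https://$2"; rc=1 ;;
  esac
  case "$(setting "$f" "nginx\['redirect_http_to_https']")" in
    *"= true"*) ;;
    *) echo "redirect_http_to_https is not true"; rc=1 ;;
  esac
  # fullchain.pem carries the intermediate certificate; cert.pem omits it.
  case "$(setting "$f" "nginx\['ssl_certificate']")" in
    *"$live/fullchain.pem"*) ;;
    *) echo "ssl_certificate is not $live/fullchain.pem"; rc=1 ;;
  esac
  case "$(setting "$f" "nginx\['ssl_certificate_key']")" in
    *"$live/privkey.pem"*) ;;
    *) echo "ssl_certificate_key is not $live/privkey.pem"; rc=1 ;;
  esac
  # Renewal reuses the webroot challenge, so /.well-known must stay mapped.
  case "$(setting "$f" "nginx\['custom_gitlab_server_config']")" in
    *"/.well-known"*"root $root;"*) ;;
    *) echo "/.well-known is not served from $root"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample input (not a real server's configuration).
sample_gitlab_rb() { cat <<'EOF'
external_url 'https://gitlab.example.com'
# nginx['redirect_http_to_https'] = false
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.example.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.example.com/privkey.pem"
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known { root /var/www/letsencrypt; }"
EOF
}
tmp=$(mktemp) && sample_gitlab_rb > "$tmp"
check_gitlab_rb "$tmp" gitlab.example.com && echo "gitlab.rb OK"
rm -f "$tmp"
```

On a real server, call check_gitlab_rb /etc/gitlab/gitlab.rb YOUR-DOMAIN; a non-zero exit status means at least one of the settings above is missing or still commented out.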