Phil's Notebook

Setting up Let's Encrypt on docker-gitlab

Phil Behnke -

First, let me say that Let's Encrypt is just fucking awesome. It took me all of 30 minutes to replace my old self-signed cert with a signed and trusted one. It's kind of ridiculous that it would take until 2016 for free domain validation certificates to exist, but I'm so glad it's here. There is no longer any excuse not to have a SSL/TLS protected site. Because of this, I'm going to show how to quickly install a free, trusted SSL cert on your docker-gitlab instance. And, since the certs expire every 90 days, it's also going to serve as my personal notes for how to repeat it.

The first thing to do is install the Let's Encrypt client. Since I'm running Arch Linux, it's as easy as:

sudo pacman -S letsencrypt

Now it's time to generate the cert. Since I didn't want to fuss with getting gitlab to server files from the web root, I opted to use the manual plugin for Let's Encrypt (see http://letsencrypt.readthedocs.org/en/latest/using.html#manual). Run the command:

sudo letsencrypt certonly --manual

You'll have to do a couple things when prompted. First, enter your email address and the FQDN of the domain you want to validate. After that, the manual plugin displays a few commands that you need to copy and paste into another terminal. All this does is host a simple website with the proper challenge/response to authenticate the domain you are wanting to validate. Naturally, it needs to be run on the machine that the domain points to, or you need to change the DNS record temporarily to the machine you are on. Since I have gitlab running on a non-standard port and nothing else was bound to port 80, it was easy enough to just type the commands in without having to do anything else. Once the simple web server is running, make sure you've poked a hole in your firewall and/or NAT router. Back in the letsencrypt client, press enter to allow it to check your domain. Once it's done, it will generate the cert and you can stop the simple server.

The client will put the certs in:

/etc/letsencrypt/live/

Now it's time to install the certs in the docker-gitlab instance. This basically follows the same procedure as documented in the official documentation here. The cert files need to go into the directory /home/git/data/certs inside the container. For me, the container's /home/git/data/ directory is mapped to /media/main/srv/docker/gitlab/gitlab/ by my docker config. Make sure the certs directory exists inside this volume and copy the certs in.


mkdir -p /media/main/srv/docker/gitlab/gitlab/certs
cd /media/main/srv/docker/gitlab/gitlab/certs
sudo cp /etc/letsencrypt/live/domain\_name/privkey.pem .
sudo cp /etc/letsencrypt/live/domain\_name/cert.pem .
sudo cp /etc/letsencrypt/live/domain\_name/fullchain.pem .
sudo chown phil:users *.pem

Now to get the server to send the full cert chain, do the following to create a cert bundle:

cat cert.pem fullchain.crt > gitlab.crt

The private key is just needs to be renamed (unless you change the docker config):

mv privkey.pem gitlab.key

Now just restart the gitlab containers and you're all set!

sudo docker-compose restart