
Typical Issues that occur with this process are:

  1. The DNS entries for the Gitlab server are not configured correctly

  2. The Gitlab server is not accessible over Port 80 and 443 due to firewall configuration

  3. There are incorrect settings in the file /etc/gitlab/gitlab.rb

  4. There are incorrect permissions on the directory /var/opt/gitlab/nginx or one of its sub-directories

Diagnosis

  1. Place a small text file under /var/opt/gitlab/nginx/www/.well-known/acme-challenge/

    • E.g. echo "MettleCI is magic!" > /var/opt/gitlab/nginx/www/.well-known/acme-challenge/example.txt

  2. Try accessing this file from an external device that does not have any special privileges (e.g. with a Phone using Mobile Data connection) by accessing http://gitlab-fqdn.example.com/.well-known/acme-challenge/example.txt

  3. If this isn't successful, investigate potential DNS or firewall issues, depending on whether you receive an error telling you the site is unknown (DNS) or that the file is not accessible (firewall).

  4. Run a test using 'Let's Debug' using the default HTTP-01 mode.

Solution

  1. Temporarily open global access to ports 80 and 443

  2. In /etc/gitlab/gitlab.rb, uncomment (remove any leading #s) and set the appropriate values for the following settings:

    Code Block
    external_url "https://gitlab-fqdn.example.com"
    
    nginx['redirect_http_to_https'] = true
    nginx['redirect_http_to_https_port'] = 80
    
    letsencrypt['enable'] = true
    letsencrypt['contact_emails'] = ['admin@example.com'] # This should be an array of email addresses to add as contacts
    letsencrypt['group'] = 'root'
    letsencrypt['key_size'] = 2048
    letsencrypt['owner'] = 'root'
    letsencrypt['wwwroot'] = '/var/opt/gitlab/nginx/www'
    
    # Note: Auto-renew left set to false
    #       since we restrict Global Port 80 and 443 Access
    letsencrypt['auto_renew'] = false

     

  2. Make sure the permissions on the directory /var/opt/gitlab/nginx are recursively set to 770.

  3. Ensure user uploads (like ACME challenge) are accessible:

    Code Block
     $> usermod -aG gitlab-www www-data

  4. Restart Gitlab

    Code Block
    $> gitlab-ctl reconfigure
    $> gitlab-ctl restart

  5. Access https://gitlab-fqdn.example.com from a Browser and check that Certificate errors are not encountered

  6. Revoke global access to ports 80 and 443
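As an added example (not part of the original runbook or of GitLab itself), a small Python checker that reads the Let's Encrypt-related lines of /etc/gitlab/gitlab.rb, skips settings that are still commented out, and reports values that differ from what the solution above requires; it also flags auto_renew = false, because a Let's Encrypt certificate is only valid for 90 days and the procedure then has to be repeated by hand. The two sample file contents are constructed for the example; the path /var/opt/gitlab/nginx/www is the web root used in the Diagnosis section.

```python
import re

# Constructed samples of the relevant gitlab.rb lines (not from a real server). BAD_RB
# leaves letsencrypt['enable'] commented out and uses http:// in external_url.
GOOD_RB = """\
external_url "https://gitlab-fqdn.example.com"
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
letsencrypt['enable'] = true
letsencrypt['contact_emails'] = ['admin@example.com'] # array of contacts
letsencrypt['wwwroot'] = '/var/opt/gitlab/nginx/www'
letsencrypt['auto_renew'] = false
"""
BAD_RB = (GOOD_RB.replace("letsencrypt['enable'] = true", "# letsencrypt['enable'] = true")
                 .replace('external_url "https://', 'external_url "http://'))
EMAIL_ARRAY = re.compile(r"\[\s*'[^'@]+@[^']+'(\s*,\s*'[^'@]+@[^']+')*\s*\]")

def parse_gitlab_rb(text):
    """Return {setting: value} for active lines; commented-out settings are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("#"):      # blank, or still commented out
            continue
        m = re.match(r"^([\w\[\]']+)\s*=?\s*(.+)$", line)  # external_url has no '='
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def check_letsencrypt_config(text):
    """Return findings for the settings the runbook requires; [] means all good."""
    s = parse_gitlab_rb(text)
    findings = []
    url = s.get("external_url", "").strip("\"'")
    if not url.startswith("https://"):
        findings.append("external_url must start with https:// (got %r)" % url)
    if s.get("nginx['redirect_http_to_https']") != "true":
        findings.append("nginx['redirect_http_to_https'] is not true")
    if s.get("letsencrypt['enable']") != "true":
        findings.append("letsencrypt['enable'] is missing, commented out or not true")
    if not EMAIL_ARRAY.fullmatch(s.get("letsencrypt['contact_emails']", "")):
        findings.append("letsencrypt['contact_emails'] must be a non-empty array of addresses")
    if s.get("letsencrypt['wwwroot']", "").strip("\"'") != "/var/opt/gitlab/nginx/www":
        findings.append("letsencrypt['wwwroot'] does not match the ACME challenge web root")
    if s.get("letsencrypt['auto_renew']") == "false":
        findings.append("auto_renew is false: Let's Encrypt certificates expire after 90 days, "
                        "so this procedure must be repeated manually before then")
    return findings
```

Run check_letsencrypt_config() over the real file's contents after step 2; a finding other than the auto_renew reminder means a setting is still commented out or mis-set.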