Typical issues that occur with this process are:
- The DNS entries for the Gitlab server are not configured correctly
- The Gitlab server is not accessible over ports 80 and 443 due to firewall configuration
- There are incorrect settings in the file /etc/gitlab/gitlab.rb
- There are incorrect permissions on the directory /var/opt/gitlab/nginx or one of its sub-directories
Diagnosis
Place a small text file under /var/opt/gitlab/nginx/www/.well-known/acme-challenge/, e.g.:

    echo "MettleCI is magic!" > /var/opt/gitlab/nginx/www/.well-known/acme-challenge/example.txt
Try accessing this file from an external device that does not have any special privileges (e.g. a phone on a mobile data connection) by opening:

    http://gitlab-fqdn.example.com/.well-known/acme-challenge/example.txt

If this isn't successful, investigate potential DNS or firewall issues, depending on whether you receive an error telling you the site is unknown (DNS) or that the file is not accessible (firewall).
Run a test using 'Let's Debug' in the default HTTP-01 mode.
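A pre-flight script for the diagnosis above, added here as an example and not part of the original page: it maps curl's exit codes to the DNS / firewall / not-served outcomes the text describes, and checks that a directory carries the 770 mode the Solution section requires. The FQDN and wwwroot values are the ones used on this page; run the probe from a host outside your network, as the text advises, since a check from the server itself says nothing about external reachability.

```shell
#!/bin/sh
# Added example, not the page's own tooling. FQDN and web root are assumptions
# taken from the page's placeholders; override them via the environment.
GITLAB_FQDN="${GITLAB_FQDN:-gitlab-fqdn.example.com}"
WWWROOT="${WWWROOT:-/var/opt/gitlab/nginx/www}"
CHALLENGE_DIR="$WWWROOT/.well-known/acme-challenge"

# Translate a curl exit status into the diagnosis the page walks through:
#   6       could not resolve host          -> DNS problem
#   7 / 28  connection refused / timed out  -> firewall problem
#   22      server answered with HTTP >= 400 (with -f) -> wwwroot/permission problem
classify_curl_exit() {
    case "$1" in
        0)    echo "ok" ;;
        6)    echo "dns" ;;
        7|28) echo "firewall" ;;
        22)   echo "http-error" ;;
        *)    echo "other" ;;
    esac
}

# Verify a directory exists and has mode 770 (GNU stat). Prints "ok",
# "missing" or "mode:<actual>" so the caller can act on the reason.
check_challenge_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing"; return 1; }
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = "770" ] || { echo "mode:$mode"; return 1; }
    echo "ok"
}

# Drop a throwaway token into the challenge directory, fetch it over plain
# HTTP the way the ACME HTTP-01 validator would, and classify the outcome.
probe_challenge() {
    token="probe-$(date +%s)-$$"
    echo "$token" > "$CHALLENGE_DIR/$token" || { echo "unwritable"; return 1; }
    curl -fsS --max-time 10 "http://$GITLAB_FQDN/.well-known/acme-challenge/$token" >/dev/null
    rc=$?
    rm -f "$CHALLENGE_DIR/$token"
    classify_curl_exit "$rc"
}
```

Calling `check_challenge_dir /var/opt/gitlab/nginx` and `probe_challenge` in turn gives one word per failure class, which is quicker than reading nginx logs when the certificate request fails.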
Solution
Temporarily open global access to ports 80 and 443
In /etc/gitlab/gitlab.rb, uncomment (remove any leading #s) and set the appropriate values for the following settings:

    external_url "https://gitlab-fqdn.example.com"
    nginx['redirect_http_to_https'] = true
    nginx['redirect_http_to_https_port'] = 80
    letsencrypt['enable'] = true
    letsencrypt['contact_emails'] = ['admin@example.com'] # This should be an array of email addresses to add as contacts
    letsencrypt['group'] = 'root'
    letsencrypt['key_size'] = 2048
    letsencrypt['owner'] = 'root'
    letsencrypt['wwwroot'] = '/var/opt/gitlab/nginx/www'
    # Note: Auto-renew left set to false
    # since we restrict Global Port 80 and 443 Access
    letsencrypt['auto_renew'] = false
Make sure the permissions on the directory /var/opt/gitlab/nginx are recursively set to 770.
Ensure user uploads (like the ACME challenge) are accessible:

    $> usermod -aG gitlab-www www-data
Restart Gitlab:

    $> gitlab-ctl reconfigure
    $> gitlab-ctl restart
Access https://gitlab-fqdn.example.com from a browser and check that no certificate errors are encountered.
Revoke global access to ports 80 and 443.