This article walks through creating a root CA certificate and a self-signed server certificate for a GitLab server running on Linux. A self-signed certificate is a good fit for a small organization or personal use where the server sits on a private network. If the server is meant to be reachable from the open internet, consider purchasing an SSL certificate signed by a known authority or using a free service such as Let’s Encrypt.
The root certificate needs to be installed on every device that will access the server, so that the self-signed certificate is trusted by your browser or whatever other software connects to it. Here is an excellent tutorial on how to install a root CA on many operating systems and devices
Create the root CA certificate
Follow these steps to create your own root certificate authority (CA) certificate. After generating the files, store the .key in a safe location such as LastPass. The .key file is the private secret needed every time you sign a new server certificate, and anyone who holds it can issue certificates that your devices will trust. The .crt file can be shared with others who need to access servers that use your self-signed certificates; it is the file that must be installed to make those certificates trusted.
openssl genrsa -aes256 -out your_rootCA.key 4096
openssl req -x509 -new -nodes -key your_rootCA.key -sha256 -days 3650 -out your_rootCA.crt -subj '/CN=Your Root CA/C=YourCountry/ST=YourState/L=YourCity/O=Your Organization'
Create a GitLab SSL certificate
GitLab requires the certificate file names to match the hostname of the server. In this example we use gitlab.yourdomain.com. If you do not have a domain, use the server name.
openssl req -new -nodes -out gitlab.yourdomain.com.csr -newkey rsa:4096 -keyout gitlab.yourdomain.com.key -subj '/CN=Gitlab Server/C=YourCountry/ST=YourState/L=YourCity/O=Your Organization'
Next, create a v3 extension file with the subject alternative name (SAN) properties. This lets one certificate cover several names, such as the server name and the domain name along with the static IP address of the server. Modern browsers require the hostname to appear in the SAN; the CN alone is not enough.
cat > gitlab.v3.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = yourserver.local
DNS.2 = gitlab.yourdomain.com
IP.1 = 192.168.1.100
EOF
Next, create the server certificate using the v3 ext file. In this example we set the validity to 825 days, the maximum allowed; a longer validity causes the certificate to be rejected on macOS due to its security constraints.
openssl x509 -req -in gitlab.yourdomain.com.csr -CA your_rootCA.crt -CAkey your_rootCA.key -CAcreateserial -out gitlab.yourdomain.com.crt -days 825 -sha256 -extfile gitlab.v3.ext
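The certificate-creation steps above, scripted end to end and then checked the way a TLS client checks them. This is an added example, not part of the original article; the hostname gitlab.example.test, the IP 192.0.2.10 and the passphrase are constructed placeholders, and the verify flags assume OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original article): runs the root-CA and
# server-certificate steps in a temp directory, then checks the result
# as a TLS client would. Hostname, IP and passphrase are constructed.
build_and_verify_chain() {
  work=$(mktemp -d) || return 1
  cd "$work" || return 1
  pass='pass:ChangeMeCaPassphrase'   # constructed; keep the real one in a password manager
  host='gitlab.example.test'         # constructed; GitLab wants file names to match this
  # 1. Encrypted root CA key and a self-signed CA certificate (10 years).
  openssl genrsa -aes256 -passout "$pass" -out rootCA.key 4096 2>/dev/null || return 1
  openssl req -x509 -new -key rootCA.key -passin "$pass" -sha256 -days 3650 \
    -out rootCA.crt -subj '/CN=Example Root CA/O=Example Org' || return 1
  # 2. Unencrypted server key plus CSR (GitLab needs the key without a passphrase).
  openssl req -new -nodes -newkey rsa:4096 -keyout "$host.key" -out "$host.csr" \
    -subj "/CN=$host/O=Example Org" 2>/dev/null || return 1
  # 3. v3 extension file: a leaf (CA:FALSE) with DNS and IP subject alternative names.
  cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
DNS.2 = gitlab.local
IP.1 = 192.0.2.10
EOF
  # 4. Sign the CSR with the CA; 825 days is the cap the article gives for macOS.
  openssl x509 -req -in "$host.csr" -CA rootCA.crt -CAkey rootCA.key -passin "$pass" \
    -CAcreateserial -out "$host.crt" -days 825 -sha256 -extfile v3.ext 2>/dev/null || return 1
  # 5. Client-side checks: the chain builds to our CA, and name / IP are in the SAN.
  openssl verify -CAfile rootCA.crt -verify_hostname "$host" "$host.crt" >/dev/null || return 1
  openssl verify -CAfile rootCA.crt -verify_ip 192.0.2.10 "$host.crt" >/dev/null || return 1
  # A name that is not in the SAN must be rejected.
  openssl verify -CAfile rootCA.crt -verify_hostname wrong.example.test "$host.crt" >/dev/null 2>&1 && return 1
  # 6. The leaf must not itself be usable as a CA.
  openssl x509 -in "$host.crt" -noout -text | grep -q 'CA:FALSE' || return 1
  echo "$work"   # files are left in place for inspection; delete the directory when done
}

build_and_verify_chain
```

Swap in your real hostnames, IP and subject fields and the same script produces files ready for /etc/gitlab/ssl/.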
Configure GitLab
Now that the server SSL certificate is generated, you can install it on GitLab in a few steps.
Set external_url in /etc/gitlab/gitlab.rb to your domain. Note the https in the URL; the hostname must match the certificate file names:
external_url "https://gitlab.yourdomain.com"
sudo mkdir -p /etc/gitlab/ssl
sudo chmod 755 /etc/gitlab/ssl
sudo cp gitlab.yourdomain.com.key gitlab.yourdomain.com.crt /etc/gitlab/ssl/
sudo gitlab-ctl reconfigure
Updating Git checkouts
Now that GitLab is configured for https, it no longer serves over http. If you have local checkouts whose origin uses the http URL, update each of them manually to https:
git remote set-url origin https://gitlab.yourdomain.com/yourproject.git
Troubleshooting
If you run into trouble, this command shows the certificates the server presents along with any verification errors:
echo Q | openssl s_client -showcerts -verify 5 -connect gitlab.yourdomain.com:443
If you see this message:
Verify return code: 21 (unable to verify the first certificate)
This means the root CA certificate is not installed on the device you ran the command from. Check the guide linked at the top of this article for instructions for a number of platforms. On a Red Hat-family Linux server (RHEL, CentOS, Fedora), the following commands install the root CA into the system trust store:
openssl x509 -in your_rootCA.crt -out your_rootCA.pem -outform PEM
sudo mv your_rootCA.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust