SSL on standard GitLab image

June 20, 2014 12.1k views
Hi, I just started out with a GitLab Droplet based on the ready-provided image available. Everything is running pretty smoothly except I seem to be unable to get SSL working. I am following the guide I found here: To setup https. It seems all goes well until I try to connect to my url at http: or https: after the updates have been made. I just get a failed to open page message. I checked on the server with "nmap localhost" and indeed when I change the config url to instead of that both port 80 and port 443 are not open. As long as the config says port 80 opens fine and connections through http can be made without problems. Could anyone point me in the right direction on what I should do to get ssl working? Thanks in advance. - Mark
7 Answers

Hi friend.

I had the same problem, until I read the official document here:

note the 'https' below

external_url "https://gitlab.example.com"

If the line is http, GitLab will not use https at all, without any warning T_T....

I just ran through it and was able to make https work. Could you post your /etc/gitlab/gitlab.rb file? It should contain:
external_url "https://gitlab.example.com"
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key"
Make sure to remember to run gitlab-ctl reconfigure after changing the contents of the file. Also check the contents of /var/opt/gitlab/nginx/etc/gitlab-http.conf. This is the Nginx configuration that is autogenerated. Is there a server block with listen *:443 in it? You can also run gitlab-ctl start just to make sure that all the components are up and running.
Hi astarr, Thanks for your input. I do have exactly these lines in the config file exactly in the same way you posted them as well only, of course, my external_url is specified as my own custom url. I run reconfigure once I save the config file and also the nginx configuration file does contain the line where it should listen to port 443. However when all this is done and when I check nmap localhost both port 80 and 443 are closed. Once I rewrite the config with a normal http instead of https domain and run reconfigure, port 80 opens up again and the system becomes available again on a normal non https url. - Mark
  • Have you set up any firewalling of your own? From the droplet, what's the output of:
    sudo netstat -plunt

No, I have not done any additional firewall stuff cause my knowledge at this moment is way too limited for that I would say...

The output of the command you mentioned is:

mark@code:~$ sudo netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0* LISTEN 871/postgres
tcp 0 0* LISTEN 1079/master
tcp 0 0* LISTEN 920/sshd
tcp 0 0* LISTEN 863/redis-server 12
tcp 0 0* LISTEN 15227/
tcp6 0 0 :::25 :::* LISTEN 1079/master
tcp6 0 0 :::1338 :::* LISTEN 920/sshd

  • So the web server doesn't seem to be running at all... What does gitlab-ctl status nginx have to say?

  • That's saying: warning: nginx: unable to open supervise/ok: access denied

Would there be anyone who would be able to point me in the right direction, I am still having no luck with this issue.

Any help would be much appreciated.


Is your certificate encrypted with a passphrase? Check your nginx logs: /var/log/gitlab/nginx/*
If you find something like this:

2014-07-31_10:21:02.65460 nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/gitlab/ssl/gitlab.key") failed (SSL: error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0906A068:PEM routines:PEM_do_header:bad password read error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
2014-07-31_10:21:03.69148 Enter PEM pass phrase:

You can use this command to remove passphrase:

openssl rsa -in ENCRYPTED_KEY_FILE -out server.key
  • Thanks so much!

    Your answer pointed me in the right direction to the logs after which I got it working indeed!
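
The two silent failures found in this thread (an http external_url, and a passphrase-protected key that keeps nginx from starting) can be checked before running gitlab-ctl reconfigure. The shell functions below are an added example, not part of the original answers or of GitLab; the function names are hypothetical, and the check assumes both certificate paths are set explicitly in gitlab.rb as in the answer above.

```shell
#!/bin/sh
# Added example: pre-flight checks for the HTTPS settings discussed above.
# Function names are hypothetical; this is not a GitLab tool.

# Print the scheme ("http" or "https") of the active external_url line.
external_url_scheme() {
    sed -n "s/^[[:space:]]*external_url[[:space:]]*[\"']\([a-z]*\):\/\/.*/\1/p" "$1" | tail -n 1
}

# Print the value of nginx['NAME'] = "..." from a gitlab.rb-style file.
nginx_setting() {
    sed -n "s/^[[:space:]]*nginx\['$2'\][[:space:]]*=[[:space:]]*[\"']\(.*\)[\"'].*/\1/p" "$1" | tail -n 1
}

# Succeed if a PEM private key is passphrase-protected. Traditional PEM keys
# carry "Proc-Type: 4,ENCRYPTED"; PKCS#8 keys use an ENCRYPTED PRIVATE KEY label.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Succeed if an nginx log holds the passphrase failure quoted in the answer.
log_shows_passphrase_error() {
    grep -q 'SSL_CTX_use_PrivateKey_file.*bad password read' "$1"
}

# Print one line per problem; the return status is the number of problems.
# Assumes both paths are set explicitly, as in the gitlab.rb shown above.
check_gitlab_https() {
    conf=$1; problems=0
    if [ "$(external_url_scheme "$conf")" != "https" ]; then
        echo "external_url is not https: port 443 will not be served"
        problems=$((problems + 1))
    fi
    for name in ssl_certificate ssl_certificate_key; do
        path=$(nginx_setting "$conf" "$name")
        if [ -z "$path" ] || [ ! -r "$path" ]; then
            echo "$name not set or unreadable: ${path:-not set}"
            problems=$((problems + 1))
        elif [ "$name" = ssl_certificate_key ] && key_is_encrypted "$path"; then
            echo "$path is passphrase-protected: nginx cannot start unattended"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage: sh check.sh /etc/gitlab/gitlab.rb
if [ "$#" -ge 1 ]; then check_gitlab_https "$1"; fi
```

A non-zero exit status is the number of problems found, so the script can gate a reconfigure step.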

I seem to have it working for the most part, but the gravatar images keep being loaded via http instead of https.

  • Try clearing your browser's cache or even using another browser, old content being cached is usually the case.

    Are you using the one-click application image or did you install GitLab yourself?
