SSL on standard GitLab image

June 20, 2014 15.1k views
Hi, I just started out with a GitLab Droplet based on the ready-provided image available. Everything is running pretty smoothly except I seem to be unable to get SSL working. I am following the guide I found here: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md to set up https. It seems all goes well until I try to connect to my URL at http: or https: after the updates have been made. I just get a "failed to open page" message. I checked on the server with "nmap localhost" and indeed, when I change the config URL to https://mydomain.com/ instead of http://mydomain.com/, both port 80 and port 443 are not open. As long as the config says http://mydomain.com/, port 80 opens fine and connections through http can be made without problems. Could anyone point me in the right direction on what I should do to get SSL working? Thanks in advance. - Mark
7 Answers

Hi friend.

I had the same problem, until I read the official document here:
https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md

Note the 'https' below:

<pre>
external_url "https://gitlab.example.com"
</pre>

If that line is http, GitLab will not use https at all, without any warning T_T....

I just ran through it and was able to make https work. Could you post your /etc/gitlab/gitlab.rb file? It should contain:

<pre>
external_url "https://gitlab.example.com"
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key"
</pre>

Make sure to remember to run <code>gitlab-ctl reconfigure</code> after changing the contents of the file. Also check the contents of /var/opt/gitlab/nginx/etc/gitlab-http.conf. This is the Nginx configuration that is autogenerated. Is there a server block with <code>listen *:443</code> in it? You can also run <code>gitlab-ctl start</code> just to make sure that all the components are up and running.
Hi astarr, thanks for your input. I do have exactly these lines in the config file, in the same way you posted them, only, of course, my external_url is specified as my own custom URL. I run reconfigure once I save the config file, and the nginx configuration file does contain the line where it should listen on port 443. However, when all this is done and I check nmap localhost, both port 80 and 443 are closed. Once I rewrite the config with a normal http instead of https domain and run reconfigure, port 80 opens up again and the system becomes available again on a normal non-https URL. - Mark
  • Have you set up any firewalling on your own? From the droplet, what's the output of:
    <pre>
    sudo netstat -plunt
    </pre>

No, I have not done any additional firewall stuff because my knowledge at this moment is way too limited for that, I would say...

The output of the command you mentioned is:

<pre>
mark@code:~$ sudo netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 871/postgres
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1079/master
tcp 0 0 0.0.0.0:1338 0.0.0.0:* LISTEN 920/sshd
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 863/redis-server 12
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 15227/config.ru
tcp6 0 0 :::25 :::* LISTEN 1079/master
tcp6 0 0 :::1338 :::* LISTEN 920/sshd
</pre>

  • So the web server doesn't seem to be running at all... What does <code>gitlab-ctl status nginx</code> have to say?

  • That's saying: <code>warning: nginx: unable to open supervise/ok: access denied</code>

Would there be anyone who would be able to point me in the right direction? I am still having no luck with this issue.

Any help would be much appreciated.

Thanks!

Hi,
Is your certificate's key encrypted with a passphrase? Check your nginx logs: /var/log/gitlab/nginx/*
If you find something like this:

<pre>
2014-07-31_10:21:02.65460 nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/gitlab/ssl/gitlab.key") failed (SSL: error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0906A068:PEM routines:PEM_do_header:bad password read error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
2014-07-31_10:21:03.69148 Enter PEM pass phrase:
</pre>

You can use this command to remove the passphrase:

<pre>
openssl rsa -in server.key.org -out server.key
</pre>
  • Thanks so much!

    Your answer pointed me in the right direction to the logs after which I got it working indeed!
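The two failure modes raised in this thread (an external_url that is still http://, and a passphrase-protected key that nginx cannot load unattended) can be caught before running reconfigure. The following pre-flight check is an added example, not code from the thread or from the omnibus-gitlab project; the default paths are the ones quoted in the answers above, and the functions take alternative paths as arguments.

```shell
#!/bin/sh
# Added example: pre-flight checks for the GitLab omnibus SSL setup
# discussed in this thread. Run as root before `gitlab-ctl reconfigure`.

# Returns 0 if the PEM key is passphrase-protected. nginx cannot load such
# a key non-interactively: it logs "bad password read" and exits, which is
# why neither port 80 nor 443 ends up listening.
key_is_encrypted() {
    grep -qE '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Returns 0 if gitlab.rb sets external_url with an https:// scheme.
# Commented-out lines (starting with #) are ignored.
external_url_is_https() {
    grep -qE "^[[:space:]]*external_url[[:space:]]+[\"']https://" "$1"
}

# Runs both checks, prints each finding, and returns the number of problems.
# Arguments: [path to gitlab.rb] [path to the TLS private key]
check_gitlab_ssl() {
    rb="${1:-/etc/gitlab/gitlab.rb}"
    key="${2:-/etc/gitlab/ssl/gitlab.key}"
    problems=0
    if ! external_url_is_https "$rb"; then
        echo "external_url in $rb is not https://; nginx will not listen on 443"
        problems=$((problems + 1))
    fi
    if [ -f "$key" ] && key_is_encrypted "$key"; then
        echo "$key is passphrase-protected; nginx will fail with 'bad password read'"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```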

I seem to have it working for the most part, but the Gravatar images keep being loaded via http instead of https.

  • Try clearing your browser's cache or even using another browser, old content being cached is usually the case.

    Are you using the one-click application image or did you install GitLab yourself?
