Deploy a Azure Web App using Gitlab – Part 2

In Deploy a Azure Web App using Gitlab – Part 1, the Gitlab server was deployed and its URL was changed over an SSH connection.

In this second part I want to share how to install an SSL certificate on your Gitlab server so you can have a secure connection. Please note that I bought a certificate for my subdomain. There is also documentation available on Gitlab, but I will show every step I took to accomplish this. Furthermore, I came across some issues synchronizing Gitlab with my local PC. This was caused by not having the appropriate root certificates on the Gitlab server; however, this was not explained in the Gitlab documentation.

Getting started

You will need your private key file and your .crt file. These files will be copied to the Gitlab server. If you enable HTTPS on your Gitlab server, Gitlab checks the /etc/gitlab/ssl/ directory for the key and certificate. This directory does not exist by default, so create it by running:

sudo mkdir -p /etc/gitlab/ssl
sudo chmod 700 /etc/gitlab/ssl
cd /etc/gitlab/ssl/


In the directory /etc/gitlab/ssl/ the key file and .crt file will be placed. It is important that you match the name of the certificate to the host name of your site. In my case Gitlab will look for gitlab.stephanvdkruis.nl.crt and gitlab.stephanvdkruis.nl.key. So I created the files by using

touch gitlab.stephanvdkruis.nl.crt
touch gitlab.stephanvdkruis.nl.key

You can edit the files with nano gitlab.stephanvdkruis.nl.key and nano gitlab.stephanvdkruis.nl.crt. Copy your private key and certificate into the designated files, then save them.

Now run

sudo gitlab-ctl reconfigure

You should now be able to visit your site at the HTTPS address. In my case this would be https://gitlab.stephanvdkruis.nl. If everything works for you, we can now enable an HTTP redirect to HTTPS to ensure secure communications. This has to be done via SSH, so PuTTY is needed again. Use the following command to open the gitlab.rb file.

nano /etc/gitlab/gitlab.rb

Here you will need to edit two values. The first is the external_url property. We already changed this in part 1, but now we'll have to change it to https://gitlab.stephanvdkruis.nl. The second is the redirect setting: change #nginx['redirect_http_to_https'] = false to nginx['redirect_http_to_https'] = true (remove the leading # and set the value to true). Save and exit the file and run the following command.

sudo gitlab-ctl reconfigure

Since I have a COMODO certificate I also have to add the Root CA and Intermediate certificates to the Gitlab server. These certificates were sent to me when I bought the certificate. According to Gitlab you have to install them into /etc/gitlab/trusted-certs/. This directory does not exist yet, so it has to be created along with the certificate files. Then edit the files one by one, pasting the matching certificate string into each file.

mkdir /etc/gitlab/trusted-certs/
cd /etc/gitlab/trusted-certs/
touch AddTrustExternalCARoot.crt
touch COMODORSAAddTrustCA.crt
touch COMODORSADomainValidationSecureServerCA.crt

I also added these certificates to /etc/gitlab/ssl in order to create a chain certificate. A chain certificate is a combination of your own certificate and the COMODO certificates. This ensures that all browsers trust your Gitlab server. The order of the certificates is very important, so pay attention: your own certificate comes first, and each certificate after it is the one that issued the certificate before it, ending with the root. To create the chain certificate use

cat gitlab.stephanvdkruis.nl.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

Now we have a new chained certificate named ssl-bundle.crt. We need to tell Gitlab to use this certificate. This can be done in the gitlab.rb file.

nano /etc/gitlab/gitlab.rb

In gitlab.rb look for nginx['ssl_certificate']. Here you can define the location of the chain certificate. Save the file and run reconfigure once more.

sudo gitlab-ctl reconfigure
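
To check the key, the certificate and the bundle order used in the steps above, the script below compares public keys and walks the bundle's subject/issuer names. It is an added example, not part of the original post; it assumes the openssl CLI is installed, and the function names and the throwaway demo chain (gitlab.example.test and the "Demo" CAs) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Needs the openssl CLI.
# Checks subject/issuer name order only; signatures are not verified.

# Exit 0 when private key $1 and certificate $2 hold the same public key.
key_matches_cert() (
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
  [ "$key_pub" = "$crt_pub" ]
)

# Exit 0 when every certificate in PEM bundle $1 is followed by its issuer.
bundle_in_order() (
  tmp=$(mktemp -d) || exit 1
  awk -v d="$tmp" '/BEGIN CERTIFICATE/ { n++ }
    n { print > (sprintf("%s/cert-%02d.pem", d, n)) }' "$1"
  want="" rc=0
  for f in "$tmp"/cert-*.pem; do
    [ -e "$f" ] || { rc=1; break; }   # no certificate found in the bundle
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    if [ -n "$want" ] && [ "$subj" != "$want" ]; then
      echo "out of order: expected '$want', found '$subj'" >&2
      rc=1
    fi
    want=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  done
  rm -rf "$tmp"
  exit "$rc"
)

# Constructed test data: root -> cross -> issuing -> leaf chain in directory $1.
make_demo_chain() (
  set -e; cd "$1"
  exec 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout root.key -out root.crt
  for spec in "cross:root:Demo Cross CA" "issuing:cross:Demo Issuing CA" \
              "leaf:issuing:gitlab.example.test"; do
    name=${spec%%:*}; rest=${spec#*:}; ca=${rest%%:*}; cn=${rest#*:}
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" -keyout "$name.key" -out "$name.csr"
    openssl x509 -req -in "$name.csr" -CA "$ca.crt" -CAkey "$ca.key" \
      -CAcreateserial -days 1 -out "$name.crt"
  done
  cat leaf.crt issuing.crt cross.crt root.crt > good-bundle.crt  # each cert, then its issuer
  cat leaf.crt cross.crt issuing.crt root.crt > bad-bundle.crt   # intermediates swapped
)
```

On the Gitlab host, source the script and run bundle_in_order /etc/gitlab/ssl/ssl-bundle.crt, then key_matches_cert with the .key and .crt files from /etc/gitlab/ssl; a non-zero exit status means the check failed.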

Next

Right now the Gitlab server is pretty much done. Everything should be in place so that we can start deploying a web page with Azure App services. In Deploy a Azure Web App using Gitlab – Part 3 I will show how to connect Gitlab with Azure and I will deploy a simple HTML page.

If you have any questions or a comment, please feel free to leave them below.
