How to secure a GitLab server using a self-signed certificate
In this article we will see how to secure our GitLab server by configuring it to communicate over HTTPS. We will generate a self-signed certificate, configure the GitLab server with that certificate and key pair, and then reconfigure the server.
Test Environment
Ubuntu 20.04 server
If you are interested in watching a video, here is the YouTube video of the same step-by-step procedure outlined below.
Procedure
Step 1: Generate a certificate and key pair for the GitLab server FQDN
As a first step we will generate the SSL certificate and key file using the openssl utility and an sslcert.conf configuration file.
gitadmin@gitserver:~$ mkdir ssl
gitadmin@gitserver:~$ cd ssl/
Create the SSL certificate configuration file named 'sslcert.conf'.
gitadmin@gitserver:~/ssl$ cat sslcert.conf
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = IN
ST = MH
L = Mumbai
O = stack
OU = devops
CN = gitserver.stack.com
[v3_req]
# digitalSignature is required too: TLS 1.3 and the ECDHE suites nginx prefers
# authenticate the server with an RSA signature, not with RSA key transport
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = gitserver.stack.com
DNS.2 = gitrunner.stack.com
Generate the SSL certificate and key file using the openssl utility.
gitadmin@gitserver:~/ssl$ openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout gitserver.stack.com.key -out gitserver.stack.com.crt -config sslcert.conf -extensions 'v3_req'
Generating a RSA private key
..+++++
..+++++
writing new private key to 'gitserver.stack.com.key'
-----
gitadmin@gitserver:~/ssl$ ls -ltr
total 12
-rw-rw-r-- 1 gitadmin gitadmin 377 Jul 6 23:12 sslcert.conf
-rw------- 1 gitadmin gitadmin 1708 Jul 6 23:13 gitserver.stack.com.key
-rw-rw-r-- 1 gitadmin gitadmin 1367 Jul 6 23:13 gitserver.stack.com.crt
Step 2: Edit the external_url in /etc/gitlab/gitlab.rb
As we are configuring our GitLab server to communicate over HTTPS, we need to update the external_url in the gitlab.rb configuration as shown below.
gitadmin@gitserver:~/ssl$ sudo cat /etc/gitlab/gitlab.rb | grep external_url
##! For more details on configuring external_url see:
external_url 'https://gitserver.stack.com'
Step 3: Create the /etc/gitlab/ssl directory and copy your key and certificate
Now, let's copy the certificate and key file to the SSL folder as shown below.
gitadmin@gitserver:~/ssl$ sudo mkdir -p /etc/gitlab/ssl
gitadmin@gitserver:~/ssl$ sudo chmod 755 /etc/gitlab/ssl
gitadmin@gitserver:~/ssl$ sudo cp gitserver.stack.com.key gitserver.stack.com.crt /etc/gitlab/ssl/
As the FQDN of the server is 'gitserver.stack.com', Omnibus GitLab will look for the private key and public certificate files at /etc/gitlab/ssl/gitserver.stack.com.key and /etc/gitlab/ssl/gitserver.stack.com.crt, respectively.
Step 4: Reconfigure GitLab
We need to reconfigure the server for the SSL setting changes to take effect, as shown below.
gitadmin@gitserver:~/ssl$ sudo gitlab-ctl reconfigure
Starting Cinc Client, version 15.17.4
resolving cookbooks for run list: ["gitlab-ee"]
Synchronizing Cookbooks:
...
* template[/var/opt/gitlab/nginx/conf/gitlab-http.conf] action create
- update content in file /var/opt/gitlab/nginx/conf/gitlab-http.conf from 8a39d9 to 6ae17f
--- /var/opt/gitlab/nginx/conf/gitlab-http.conf 2022-06-07 18:31:01.660182311 +0530
+++ /var/opt/gitlab/nginx/conf/.chef-gitlab-http20220706-4560-1ges36c.conf 2022-07-06 23:22:16.787008127 +0530
@@ -32,7 +32,7 @@
server { ## HTTPS server
- listen *:80;
+ listen *:443 ssl http2;
server_name gitserver.stack.com;
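Review bot: since the listen directive moves from *:80 to *:443 ssl http2, nginx stops answering plain HTTP on port 80 altogether, so anyone still using the old http:// URL gets a connection refused rather than a redirect; if a redirect is wanted, set nginx['redirect_http_to_https'] = true in /etc/gitlab/gitlab.rb before running gitlab-ctl reconfigure.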
@@ -42,7 +42,20 @@
## Or if you want to accept large git objects over http
client_max_body_size 0;
+ ## Strong SSL Security
+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+ ssl_certificate /etc/gitlab/ssl/gitserver.stack.com.crt;
+ ssl_certificate_key /etc/gitlab/ssl/gitserver.stack.com.key;
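Review bot: the hunk is cut off right after ssl_certificate_key, so the ssl_protocols and ssl_ciphers lines that the "Strong SSL Security" comment introduces are not visible here; they are worth checking in /var/opt/gitlab/nginx/conf/gitlab-http.conf after the reconfigure, since Omnibus renders them from nginx['ssl_protocols'] and nginx['ssl_ciphers'] in gitlab.rb and they decide whether only TLS 1.2/1.3 is offered.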
...
gitlab Reconfigured!
Step 5: Validate the GitLab SSL setup
We can verify that our GitLab server now presents our self-signed certificate with the openssl command below, which connects to the server on port 443 and prints the certificate it receives. The "unable to verify the first certificate" lines in the output are expected here: the certificate is self-signed, so it is not chained to anything in the system trust store.
gitadmin@gitserver:~/ssl$ openssl s_client -connect gitserver.stack.com:443
CONNECTED(00000003)
depth=0 C = IN, ST = MH, L = Mumbai, O = stack, OU = devops, CN = gitserver.stack.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = IN, ST = MH, L = Mumbai, O = stack, OU = devops, CN = gitserver.stack.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:C = IN, ST = MH, L = Mumbai, O = stack, OU = devops, CN = gitserver.stack.com
i:C = IN, ST = MH, L = Mumbai, O = stack, OU = devops, CN = gitserver.stack.com
---
Server certificate
...
You may also verify it by browsing the below Gitlab portal URL.
URL – https://gitserver.stack.com/users/sign_in
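Putting Step 1 and Step 5 together, here is an added example (not from the article) that generates the certificate from an sslcert.conf like the one above in a scratch directory and checks it offline before it is copied to /etc/gitlab/ssl: that both SAN names are covered, and that the chain verifies once the self-signed certificate itself is trusted, which is what turns the "verify error 21" from Step 5 into "Verify return code: 0". The hostnames and the WORKDIR variable are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own commands. Hostnames match the article;
# WORKDIR is an assumption (defaults to a temporary directory).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
FQDN="gitserver.stack.com"
ALT="gitrunner.stack.com"

# Write the request config with the same sections as the article's sslcert.conf.
write_conf() {
  cat > "$WORKDIR/sslcert.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = IN
ST = MH
L = Mumbai
O = stack
OU = devops
CN = $FQDN
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $FQDN
DNS.2 = $ALT
EOF
}

# Same openssl invocation as Step 1, writing into WORKDIR instead of ~/ssl.
gen_cert() {
  write_conf
  openssl req -x509 -nodes -days 730 -newkey rsa:2048 \
    -keyout "$WORKDIR/$FQDN.key" -out "$WORKDIR/$FQDN.crt" \
    -config "$WORKDIR/sslcert.conf" -extensions v3_req 2>/dev/null
}

# Exit 0 when the certificate's SAN list covers the given hostname.
cert_covers() {
  openssl x509 -in "$WORKDIR/$FQDN.crt" -noout -checkhost "$1" | grep -q "does match"
}

# Chain check from Step 5 done properly: trust the self-signed cert as its own CA.
cert_self_verifies() {
  openssl verify -CAfile "$WORKDIR/$FQDN.crt" "$WORKDIR/$FQDN.crt" >/dev/null 2>&1
}

# After Step 4: the same check against the live server (needs network, not run here).
live_check() {
  openssl s_client -connect "$FQDN:443" -servername "$FQDN" \
    -CAfile "/etc/gitlab/ssl/$FQDN.crt" </dev/null 2>/dev/null | grep "Verify return code"
}
```

Git and other clients get the same "unable to verify" result as Step 5 until they trust the .crt file, so live_check with -CAfile is the check that tells you the certificate itself is correct rather than merely present.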
Hope you enjoyed reading this article. Thank you.