Installing GitLab on Debian 8 with a Let's Encrypt certificate

As the root user:

su -

apt-get update && apt-get install curl

Install certbot

echo "deb http://ftp.debian.org/debian jessie-backports main" >> /etc/apt/sources.list

apt-get update && apt-get install certbot -t jessie-backports

Create the Let's Encrypt configuration file for GitLab (replace gitlab.yourdomain.com with the name of your site and your@email.com with your email address).

The mattermost.yourdomain.com domain is needed to also enable the chat bundled with GitLab (replace yourdomain.com with your domain).

mkdir -p /root/letsencrypt-config
cat <<EOT >> /root/letsencrypt-config/gitlab.ini
# this is the Let's Encrypt config for our gitlab instance

# use the webroot authenticator.
authenticator = webroot
# the following path needs to be served by our webserver
# to validate our domains
webroot-path = /var/www/letsencrypt

# generate certificates for the specified domains.
domains = gitlab.yourdomain.com, mattermost.yourdomain.com

# register certs with the following email address
email = your@email.com

# use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
EOT

Create the directory used for domain validation

mkdir -p /var/www/letsencrypt

Install GitLab

curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | bash
apt-get install gitlab-ce

Edit the GitLab configuration file and set the site name (replace gitlab.yourdomain.com with the name of your site)

vi /etc/gitlab/gitlab.rb
external_url "http://gitlab.yourdomain.com"

To enable the Mattermost chat, also edit the following line:

mattermost_external_url 'http://mattermost.yourdomain.com'

Append lines to the configuration file to use the certificate and key and to enable sending mail. Adjust the variables shown as appropriate.

cat <<EOT >> /etc/gitlab/gitlab.rb
### Customize NGINX
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate']= "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem"

nginx['custom_gitlab_server_config']="location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"

### SMTP
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.gmail.com"
gitlab_rails['smtp_port'] = 587
gitlab_rails['smtp_user_name'] = "my.email@gmail.com"
gitlab_rails['smtp_password'] = "my-gmail-password"
gitlab_rails['smtp_domain'] = "smtp.gmail.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false
gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
EOT

To configure the Mattermost chat as well, add the following lines:

cat <<EOT >> /etc/gitlab/gitlab.rb
mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"
mattermost['enable'] = true
mattermost['gitlab_auth_endpoint'] = "https://gitlab.yourdomain.com/oauth/authorize"
mattermost['gitlab_token_endpoint'] = "https://gitlab.yourdomain.com/oauth/token"
mattermost['gitlab_user_api_endpoint'] = "https://gitlab.yourdomain.com/api/v3/user"
mattermost_nginx['redirect_http_to_https'] = true
mattermost_nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"
mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem"
mattermost['email_enable_sign_up_with_email'] = true
mattermost['email_enable_sign_in_with_email'] = true
mattermost['email_enable_sign_in_with_username'] = true
mattermost['email_send_email_notifications'] = true
mattermost['email_require_email_verification'] = false
mattermost['email_smtp_username'] = "my.email@gmail.com"
mattermost['email_smtp_password'] = "my-gmail-password"
mattermost['email_smtp_server'] = "smtp.gmail.com"
mattermost['email_smtp_port'] = 587
mattermost['email_connection_security'] = "STARTTLS"
EOT

For other SMTP configurations see: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/smtp.md

Reconfigure GitLab

gitlab-ctl reconfigure

Create the certificate

certbot certonly -c /root/letsencrypt-config/gitlab.ini

Change the configuration to use https

vi /etc/gitlab/gitlab.rb
external_url "https://gitlab.yourdomain.com/"

and likewise for Mattermost

mattermost_external_url 'https://mattermost.yourdomain.com'

Create a script to renew the certificate (the shebang must be the first line of the script, so the heredoc starts with it)

cat <<EOT > /etc/cron.monthly/renew-ssl-certificates
#!/bin/bash

/usr/bin/certbot certonly -c /root/letsencrypt-config/gitlab.ini --renew-by-default
# or /usr/bin/certbot renew --quiet

gitlab-ctl restart
EOT

Make the script executable

chmod +x /etc/cron.monthly/renew-ssl-certificates

Log in to GitLab as the root user (the password is requested on the first screen)

From the Admin area – Settings – Applications, change the URLs of the Mattermost application from http to https:

https://mattermost.yourdomain.com/signup/gitlab/complete

https://mattermost.yourdomain.com/login/gitlab/complete
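A consistency check for the certbot/nginx pairing set up above, added here as an example and not part of the original post: it reads the certbot ini and gitlab.rb and confirms that webroot-path is the directory behind the /.well-known alias served by GitLab's bundled nginx, that the certificate path uses the lineage directory certbot creates for the first listed domain, and that external_url has been switched to https. The sample files it writes are constructed from the values on this page; the function and file names are mine.

```shell
# check_gitlab_le_config CERTBOT_INI GITLAB_RB  -> returns 0 when:
#   1. webroot-path in the certbot ini is the directory that the
#      "location ^~ /.well-known" alias in gitlab.rb points into,
#   2. nginx['ssl_certificate'] lives under the first domain listed in
#      "domains" (certbot names the lineage directory after it),
#   3. external_url (last assignment wins, as in Ruby) uses https.
# One line is printed per problem found.
check_gitlab_le_config() {
    ini=$1; rb=$2; problems=0
    # "key = value" lines from the ini, whitespace stripped
    webroot=$(sed -n 's/^[[:space:]]*webroot-path[[:space:]]*=//p' "$ini" | tr -d ' ')
    first_domain=$(sed -n 's/^[[:space:]]*domains[[:space:]]*=//p' "$ini" | cut -d, -f1 | tr -d ' ')
    # directory named by the alias inside custom_gitlab_server_config
    alias_dir=$(grep 'custom_gitlab_server_config' "$rb" | head -n 1 | sed -n 's/.*alias \([^;]*\);.*/\1/p')
    cert=$(sed -n "s/^nginx\['ssl_certificate'\][[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$rb")
    ext_url=$(sed -n 's/^external_url[[:space:]]*"\([^"]*\)".*/\1/p' "$rb" | tail -n 1)
    if [ -z "$webroot" ] || [ "$alias_dir" != "$webroot/.well-known" ]; then
        echo "webroot-path '$webroot' does not match nginx alias '$alias_dir'"
        problems=$((problems + 1))
    fi
    case "$cert" in
        "/etc/letsencrypt/live/$first_domain/fullchain.pem") ;;
        *) echo "ssl_certificate '$cert' is not the lineage for '$first_domain'"; problems=$((problems + 1)) ;;
    esac
    case "$ext_url" in
        https://*) ;;
        *) echo "external_url '$ext_url' is not https"; problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# Constructed sample files with this page's values (https end state), so the check runs without a GitLab host.
write_page_samples() {
    cat > "$1/gitlab.ini" <<'EOT'
authenticator = webroot
webroot-path = /var/www/letsencrypt
domains = gitlab.yourdomain.com, mattermost.yourdomain.com
email = your@email.com
EOT
    cat > "$1/gitlab.rb" <<'EOT'
external_url "https://gitlab.yourdomain.com/"
nginx['ssl_certificate']= "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"
nginx['custom_gitlab_server_config']="location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"
EOT
}

tmp=$(mktemp -d) && write_page_samples "$tmp"
check_gitlab_le_config "$tmp/gitlab.ini" "$tmp/gitlab.rb" && echo "config consistent"; rm -rf "$tmp"
```

Run it against the real /root/letsencrypt-config/gitlab.ini and /etc/gitlab/gitlab.rb before the first certbot run: a mismatch between webroot-path and the alias is the usual reason the HTTP-01 validation fails on this setup.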
