Setting up GitLab was pretty easy on a Raspberry PI 3. The installation process is straightforward, it only took very long time to unpack (prepare for several hours!). And once running, its a brilliant combination comparing to all those noisy servers (aka my old PCs) I should have kept running. For the most Pi uses SD card, giving an immediate access at any time of day and doesn’t need to awake and start to spin its disks.
Moving to HTTPS configuration. I have installed letsencrypt-auto successfully, created a config file with webroot authenticator and inside listed my domain. The real problem appeared, when I actually failed to pass the authentication challenge. Since I use the Synology NAS at the same domain, which occupies the port 80, the required web folder ‘/.well-known’ was unavailable. This unit I can’t just throw away, I wish to make both devices running smoothly together. Luckily Synology DSM 6.0 uses Let’s Encrypt too, so its nginx server is already preconfigured. What I did was to tweak a bit the config.
On the NAS side:
- Create shared Samba folder /volume1/acme(it might be hidden and only one user could have rights to write there)
- Make sure the path exists: /volume1/acme/letsencrypt/
- Edit /etc/nginx/nginx.conf and for location “/.well-known/acme-challenge” redefine the root from “/var/lib/letsencrypt” to “/volume1/acme/letsencrypt”
Now on the Raspberry PI
Mount the folder sudo mount -t cifs //<nas_ip>/acme /var/www/acme -o username=<user_name>,password=<password>
Retry certificate generation, it should pass this time ./letsencrypt-auto renew
Update GitLab config ("sudo vi /etc/gitlab/gitlab.rb") adding following lines into:
nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # Most root CA's are included by default nginx['ssl_certificate'] = "/etc/letsencrypt/live/<domain>/fullchain.pem" nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/<domain>/privkey.pem"
- Finally run “gitlab-ctl reconfigure” to refresh running instance (or only “sudo gitlab-ctl restart nginx” to restart nginx, if you renew certificate 3 months later…)
To remember, try first against acme-staging servers before switching to production one to generate real certificate.