
Provide basic ACME webroot support

Ghost User requested to merge (removed):basic-acme-webroot into master

If you want to use Let's Encrypt certificates, you have to pass a challenge. Most users will choose http-01 because the renewal process is easy and everything is done on the webserver. For http-01 you need an HTTP server on port 80, which is the HTTP to HTTPS redirect server of GitLab. You have to modify the nginx configuration to use webroot/http-01.

This MR makes it possible to use the webroot method for gitlab and registry nginx!


How it works

First you have to enable both redirection server blocks with:

nginx['redirect_http_to_https'] = true
registry_nginx['redirect_http_to_https'] = true

In addition to that one has to insert a custom config line into these blocks with the (new) options ['redirect_http_to_https_custom_config']:

nginx['redirect_http_to_https_custom_config'] = "location ^~ /.well-known { alias /srv/www/.certbot/.well-known; }"
registry_nginx['redirect_http_to_https_custom_config'] = "location ^~ /.well-known { alias /srv/www/.certbot/.well-known; }"

(/srv/www/.certbot is the path which is used as webroot in ACME clients.)

Now you should be able to create your certificates with an ACME client (like certbot).


What is missing

One has to write documentation, which may be a bit longer than this short summary.


Fixes #2221 (closed)
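A pre-flight check for the setup described in this MR, added here as an example (it is not part of the MR or of omnibus-gitlab): before pointing certbot at the GitLab and registry hostnames, confirm that a file placed under the webroot's .well-known/acme-challenge/ directory is actually reachable over plain HTTP on port 80, rather than being answered with the HTTPS redirect or a 404. The webroot path /srv/www/.certbot is taken from the MR; the hostnames gitlab.example.com and registry.example.com are placeholders, and the local server in run_local_demo() is a constructed stand-in for the nginx redirect block so the check can be exercised offline.

```python
"""Check that an ACME http-01 token placed in the webroot is served over HTTP.

Run as: python acme_webroot_check.py [webroot] [host ...]
Assumption: the hostnames and the default webroot path are placeholders.
"""
import functools
import os
import secrets
import sys
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_DIR = ".well-known/acme-challenge"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: an HTTP->HTTPS redirect must show up as a failure here."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError for 3xx instead of following


def place_token(webroot):
    """Write a random token file where certbot's webroot plugin would put a challenge."""
    token = secrets.token_urlsafe(16)
    challenge_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(token)
    return token, path


def fetch(url, timeout=5):
    """Return (status, body) for a GET without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx (redirect) and 4xx/5xx land here
        return err.code, err.read().decode("utf-8", "replace")


def check_webroot(base_url, webroot):
    """Place a token under `webroot`, verify it is served at `base_url`, then remove it.

    Returns (ok, detail). Only a 200 whose body equals the token counts as success;
    a 301/302 means the request hit the HTTPS redirect instead of the alias.
    """
    token, path = place_token(webroot)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        status, body = fetch(url)
    except (urllib.error.URLError, OSError) as err:
        status, body = None, str(err)
    finally:
        os.remove(path)  # never leave stray files in the challenge directory
    if status == 200 and body.strip() == token:
        return True, f"challenge path served correctly at {url}"
    return False, f"unexpected response for {url}: status={status} body={body[:80]!r}"


def serve_directory(directory):
    """Start a throwaway HTTP server on 127.0.0.1 serving `directory` (offline stand-in
    for the nginx redirect block with the /.well-known alias). Returns (base_url, server)."""
    handler = functools.partial(SimpleHTTPRequestHandler, directory=directory)
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


def run_local_demo():
    """Exercise the check against a correctly aliased webroot and a wrong one.

    Returns (good, bad): `good` is the result when the served directory is the
    webroot; `bad` is the result when the server points somewhere else (404).
    """
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as other:
        base_url, server = serve_directory(webroot)
        try:
            good = check_webroot(base_url, webroot)
            bad = check_webroot(base_url, other)  # token lands outside the served tree
        finally:
            server.shutdown()
            server.server_close()
    return good, bad


if __name__ == "__main__":
    webroot = sys.argv[1] if len(sys.argv) > 1 else "/srv/www/.certbot"
    hosts = sys.argv[2:] or ["gitlab.example.com", "registry.example.com"]
    for host in hosts:
        ok, detail = check_webroot(f"http://{host}", webroot)
        print(f"{host}: {'OK' if ok else 'FAIL'} ({detail})")
```

Run it once per hostname that will appear in the certificate (both the GitLab and the registry redirect blocks need the custom location line); a FAIL with status=301 or 302 means the request reached the redirect block but the alias was not applied, and a 404 means the alias points at the wrong directory.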
