Instant SSL with Let's Encrypt
## Let's Encrypt for GitLab

Right now configuring SSL requires an administrator to already have certificates, place them in specific directories, and then set up `gitlab.rb` accordingly. With [Let's Encrypt](https://letsencrypt.org), however, we have an opportunity to make SSL easier to use out of the box. LE offers a method for requesting widely trusted certificates in an automated way, with security provided by an online domain validation process.

### Proposed flow

#### 1. Check for DNS names

Check for configured DNS names within `gitlab.rb`. If DNS names have not been set, attempt to detect the DNS name. We can use cloud service provider APIs, as we do today with AWS, or, if that doesn't work, attempt a reverse lookup.

#### 2. Validate DNS names are internet reachable

Because LE requires internet connectivity to validate the DNS names (or direct control of a DNS server, which we don't have), we need to ensure the DNS names are reachable from the internet. We can achieve this by simply running an LE request against the Staging API, which has very lax rate limits and does not count against our production usage. We should do this with a request for a single certificate covering all required names (registry, etc.). Pages is not included, as it will not work: LE does not [support wildcard certificates](https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html) until 2018.

#### 3. Request production LE certificates

With internet reachability validated through the Staging API, we should have pretty strong confidence in success. The only likely issue is rate limits, which we won't know about until we try. We should also consider including the administrator's email, since expiration warnings are sent to it and it gives the option to recover the keys. For configuration, we can consider using `certbot`'s nginx plugin, which automates the API calls and adds the necessary configuration. This should also make renewal easier.

#### 4. Renewal

We should consider a way to automate the renewal process, as the certificates expire every 90 days.

#### 5. Components

* GitLab Rails (https://gitlab.com/gitlab-org/omnibus-gitlab/issues/2620)
* GitLab Pages (https://gitlab.com/gitlab-org/omnibus-gitlab/issues/3342)
* Registry (https://gitlab.com/gitlab-org/omnibus-gitlab/issues/3343)
* Mattermost (https://gitlab.com/gitlab-org/omnibus-gitlab/issues/3344)
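The flow in steps 1 to 4 above, written out as an added shell example (this is not omnibus-gitlab code and is not how the feature was implemented). It assumes `certbot` with its nginx plugin is installed, that `gitlab-ctl hup nginx` is available to reload the bundled nginx after renewal, and that the hostnames can be read from the `*_external_url` settings in `gitlab.rb`; the function and variable names are hypothetical. The `--dry-run` request goes to the Let's Encrypt staging CA, so it proves every name is reachable without spending production rate limit; `pages_external_url` is skipped because Pages would need a wildcard certificate.

```shell
#!/bin/sh
# Added example (not omnibus-gitlab code): derive GitLab's hostnames from
# gitlab.rb, validate them against the LE staging CA, then request production
# certificates and emit a renewal cron entry.

# Print the host part of one *_external_url setting (e.g. external_url
# 'https://gitlab.example.com:8443' -> gitlab.example.com). Commented-out
# lines are ignored; the port, if any, is stripped. Prints nothing if unset.
gitlab_host() {
  key="$1"; file="$2"
  sed -n "s/^[[:space:]]*${key}[[:space:]=]*['\"]https\{0,1\}:\/\/\([^/:'\"]*\).*/\1/p" "$file" | head -n 1
}

# Step 1: collect the distinct hostnames that need a certificate.
# pages_external_url is deliberately left out (wildcard needed).
gitlab_hostnames() {
  file="$1"
  for key in external_url registry_external_url mattermost_external_url; do
    gitlab_host "$key" "$file"
  done | awk 'NF && !seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

# Turn "a b c" into the certbot argument list "-d a -d b -d c".
certbot_domain_args() {
  out=""
  for n in "$@"; do out="$out -d $n"; done
  printf '%s' "${out# }"
}

# Steps 2 and 3: one staging (dry-run) request for all names proves internet
# reachability cheaply; only then ask the production CA. --email registers
# the administrator for expiry warnings and account recovery.
request_certs() {
  file="$1"; email="$2"
  names=$(gitlab_hostnames "$file")
  [ -n "$names" ] || { echo "no *_external_url found in $file" >&2; return 1; }
  set -- $(certbot_domain_args $names)
  certbot certonly --nginx --non-interactive --agree-tos --email "$email" --dry-run "$@" \
    || { echo "staging validation failed: check DNS and inbound 80/443 for: $names" >&2; return 1; }
  certbot certonly --nginx --non-interactive --agree-tos --email "$email" "$@"
}

# Step 4: certificates last 90 days; renew nightly and reload nginx on success.
# Install by writing this line to /etc/cron.d/gitlab-letsencrypt (hypothetical path).
renewal_cron_line() {
  printf '%s' '0 3 * * * root certbot renew --quiet --deploy-hook "gitlab-ctl hup nginx"'
}

# Constructed sample gitlab.rb (not a real configuration), used only to show
# the plan the script would execute; no network calls are made here.
demo_dir=$(mktemp -d)
cat > "$demo_dir/gitlab.rb" <<'EOF'
# external_url 'https://old.example.com'
external_url 'https://gitlab.example.com'
registry_external_url 'https://registry.example.com'
pages_external_url 'https://pages.example.com'
EOF
demo_names=$(gitlab_hostnames "$demo_dir/gitlab.rb")
echo "names:    $demo_names"
echo "staging:  certbot certonly --nginx --dry-run $(certbot_domain_args $demo_names)"
echo "renewal:  $(renewal_cron_line)"
rm -rf "$demo_dir"
```

To use it for real, source the file and call `request_certs /etc/gitlab/gitlab.rb admin@example.com` as root; a failure in the dry-run step means a name is not resolvable or not reachable on ports 80/443 from the internet, which is exactly the condition step 2 is meant to catch before touching production rate limits.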