Standalone Mode – for when Let’s Encrypt is being a dick!

 

Steps to Use Standalone Mode with Let’s Encrypt

  1. Stop GitLab Services Temporarily

    Certbot’s standalone mode starts its own temporary web server to answer the ACME challenge, so it needs port 80 free (HTTP-01, the default challenge; TLS-ALPN-01 would need 443 instead). On an Omnibus install the bundled nginx holds both ports on behalf of GitLab and the registry, so stop GitLab to free them. Stopping only the nginx service would be enough, since nothing else listens there, but stopping everything is the simple, safe option:

    
    sudo gitlab-ctl stop
    
  2. Request the SSL Certificate in Standalone Mode

    Use certbot in standalone mode to request one certificate covering both spiffydesign.com and registry.spiffydesign.com. DNS for both names must already point at this host and port 80 must be reachable from the internet, because Let’s Encrypt connects to it to validate the challenge:

    
    sudo certbot certonly --standalone -d spiffydesign.com -d registry.spiffydesign.com --agree-tos -m your-email@example.com
    
    • --standalone: Tells Certbot to run its own temporary web server on port 80 for the HTTP-01 challenge instead of relying on an existing one.
    • -d spiffydesign.com -d registry.spiffydesign.com: Puts both names on a single certificate as Subject Alternative Names; the first name also sets the directory name under /etc/letsencrypt/live/.
    • --agree-tos -m your-email@example.com: Agrees to the Let’s Encrypt terms of service and registers a contact address for expiry and security notices.
  3. Locate the Certificates

    After a successful run, Certbot stores the files under /etc/letsencrypt/live/spiffydesign.com/ (named after the first -d domain). The entries there are symlinks into /etc/letsencrypt/archive/, so the paths stay the same after every renewal. You’ll have:

    • /etc/letsencrypt/live/spiffydesign.com/fullchain.pem: The server certificate followed by the Let’s Encrypt intermediate, in the order nginx expects.
    • /etc/letsencrypt/live/spiffydesign.com/privkey.pem: The private key. It is readable only by root, which is fine for Omnibus GitLab (its nginx master process runs as root) and should stay that way.
  4. Configure GitLab to Use the New Certificates

    Update /etc/gitlab/gitlab.rb to point both nginx vhosts at the Let’s Encrypt files. This assumes external_url and registry_external_url are already set to the https:// forms of the two names. Also set letsencrypt['enable'] to false in the same file, so that gitlab-ctl reconfigure never tries to obtain its own certificate for this host; that built-in integration fighting certbot for port 80 is the usual source of the conflicts this method avoids:

    
    nginx['ssl_certificate'] = "/etc/letsencrypt/live/spiffydesign.com/fullchain.pem"
    nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/spiffydesign.com/privkey.pem"
    
    registry_nginx['ssl_certificate'] = "/etc/letsencrypt/live/spiffydesign.com/fullchain.pem"
    registry_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/spiffydesign.com/privkey.pem"
    
  5. Reconfigure GitLab

    Run the GitLab reconfiguration to regenerate the nginx configuration and restart nginx with the new certificate:

    
    sudo gitlab-ctl reconfigure
    
  6. Restart GitLab Services

    Finally, start GitLab services back up:

    
    sudo gitlab-ctl start
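
The six steps above as one script, added here as an example; it is not code from the original post, from GitLab or from certbot. It departs from the steps in one way: instead of stopping all of GitLab it lets certbot’s own --pre-hook and --post-hook stop and start only the bundled nginx, the one service holding ports 80 and 443, and certbot saves those hooks into the certificate’s renewal configuration so a later plain certbot renew reuses them. Assumed, because the post does not say: Omnibus GitLab and certbot on the same host, both names already resolving to it, GitLab and the registry both served on port 443, and external_url / registry_external_url already set to their https:// forms in /etc/gitlab/gitlab.rb. The script name, the managed-block markers and the render_gitlab_rb_fragment / strip_managed_block helpers are my own. Without --apply the script only prints its usage.

```shell
#!/bin/sh
# Added example (not from the original post, GitLab or certbot): the six
# steps as one idempotent script, plus a check that the running nginx really
# serves the new certificate. Assumptions: Omnibus GitLab and certbot on this
# host, both names resolving here, GitLab and registry on 443, external_url /
# registry_external_url already https:// in gitlab.rb. Only --apply changes
# anything.
set -eu

DOMAIN="${DOMAIN:-spiffydesign.com}"
REGISTRY="${REGISTRY:-registry.$DOMAIN}"
EMAIL="${EMAIL:-your-email@example.com}"
GITLAB_RB="${GITLAB_RB:-/etc/gitlab/gitlab.rb}"
LIVE="/etc/letsencrypt/live/$DOMAIN"
BEGIN_MARK='# --- managed by certbot-standalone-gitlab.sh ---'   # marker names are mine
END_MARK='# --- end managed ---'

# Step 4: gitlab.rb lines pointing both nginx vhosts at the certbot files.
# letsencrypt['enable'] = false keeps reconfigure from issuing its own cert.
render_gitlab_rb_fragment() {
    d="$1"
    printf '%s\n' "$BEGIN_MARK"
    cat <<EOF
letsencrypt['enable'] = false
nginx['ssl_certificate'] = "/etc/letsencrypt/live/$d/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/$d/privkey.pem"
registry_nginx['ssl_certificate'] = "/etc/letsencrypt/live/$d/fullchain.pem"
registry_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/$d/privkey.pem"
EOF
    printf '%s\n' "$END_MARK"
}

# Drop an earlier managed block from stdin so reruns replace it instead of
# stacking copies; every other line passes through untouched.
strip_managed_block() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" \
        '$0 == b { skip = 1 } !skip { print } $0 == e { skip = 0 }'
}

install_fragment() {
    tmp="$(mktemp)"
    strip_managed_block < "$GITLAB_RB" > "$tmp"
    render_gitlab_rb_fragment "$DOMAIN" >> "$tmp"
    cp -p "$GITLAB_RB" "$GITLAB_RB.bak.$(date +%Y%m%d%H%M%S)"
    cat "$tmp" > "$GITLAB_RB"      # cat, not mv: keeps gitlab.rb's owner and mode
    rm -f "$tmp"
}

# Steps 1, 2 and 6: the hooks free port 80 for the HTTP-01 check by stopping
# only the bundled nginx and start it again afterwards. certbot stores the
# hooks in /etc/letsencrypt/renewal/$DOMAIN.conf, so plain "certbot renew"
# reuses them. --keep-until-expiring makes a rerun with a fresh cert a no-op.
issue_certificate() {
    certbot certonly --standalone --non-interactive --agree-tos --no-eff-email \
        -m "$EMAIL" --keep-until-expiring \
        -d "$DOMAIN" -d "$REGISTRY" \
        --pre-hook 'gitlab-ctl stop nginx' \
        --post-hook 'gitlab-ctl start nginx'
}

# Compare the leaf certificate nginx presents for a name with the one on disk.
verify_served() {
    served="$(printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)"
    ondisk="$(openssl x509 -in "$LIVE/fullchain.pem" -noout -fingerprint -sha256)"
    [ -n "$served" ] && [ "$served" = "$ondisk" ]
}

main() {
    issue_certificate
    for f in fullchain.pem privkey.pem; do                           # step 3
        [ -r "$LIVE/$f" ] || { echo "missing $LIVE/$f" >&2; exit 1; }
    done
    install_fragment                                                 # step 4
    gitlab-ctl reconfigure                                           # step 5 (restarts nginx)
    for h in "$DOMAIN" "$REGISTRY"; do
        verify_served "$h" || { echo "nginx is not serving the new cert for $h" >&2; exit 1; }
    done
}

case "${1-}" in
    --apply) main ;;
    *) echo "usage: $0 --apply   (issues cert for $DOMAIN and $REGISTRY, edits $GITLAB_RB, reconfigures)" ;;
esac
```

The appended fragment also sets letsencrypt['enable'] = false, which stops gitlab-ctl reconfigure from trying to obtain its own certificate over the top of these. Rerunning the script swaps the managed block rather than appending another copy, and the final check compares the SHA-256 fingerprint nginx presents for each name with the leaf in fullchain.pem, so a reconfigure that silently kept an old certificate fails loudly instead of going unnoticed until the browser warning.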
    

Automating Renewal

To automate renewal, put a script in root’s crontab that hands the port juggling to certbot’s own hooks: certbot renew checks every certificate it manages, renews only those within 30 days of expiry, and runs --pre-hook and --post-hook only when it actually attempts a renewal. Stopping just the bundled nginx rather than all of GitLab is enough, because nginx is the only service holding ports 80 and 443, and starting it again loads the renewed files because the paths under /etc/letsencrypt/live/ never change.

Here’s a sample script you could set up (no sudo needed when it runs from root’s crontab):


#!/bin/bash
set -euo pipefail
# certbot only renews within 30 days of expiry, and the hooks run only on those
# attempts, so nginx is stopped just for the seconds the HTTP-01 check needs.
# Stop the bundled nginx, not all of GitLab: it alone holds ports 80 and 443.
certbot renew --pre-hook "gitlab-ctl stop nginx" --post-hook "gitlab-ctl start nginx"

Then set up a cron job to run this script regularly. Twice a day is what certbot recommends, since a run that finds nothing due is a no-op and frequent runs leave time to retry after a failed attempt; monthly also works, as the 90-day certificates become due 30 days before expiry. If your distro’s certbot package already installs a cron job or systemd timer that runs certbot renew, that job fails in standalone mode while nginx holds port 80 unless the hooks are stored in the certificate’s renewal configuration, which happens when you pass them on the original certonly command.

Using this standalone method sidesteps the usual conflicts between certbot and GitLab’s bundled nginx over ports 80 and 443, and over which of them issues the certificate. Let me know if this approach works better!
