Steps to Use Standalone Mode with Let’s Encrypt
Stop GitLab Services Temporarily
Standalone mode runs Certbot's own web server to answer the challenge, which means binding port 80 (the http-01 challenge; port 443 is only needed if you pick tls-alpn-01). GitLab's bundled NGINX holds those ports, so stop GitLab first to free them:
sudo gitlab-ctl stop
Request the SSL Certificate in Standalone Mode
Use certbot in standalone mode to request a single certificate that covers both spiffydesign.com and registry.spiffydesign.com. Let's Encrypt will connect to port 80 on each name, so both DNS records must already point at this host and port 80 must be reachable from the internet:
sudo certbot certonly --standalone -d spiffydesign.com -d registry.spiffydesign.com --agree-tos -m your-email@example.com
--standalone: tells Certbot to run its own temporary web server for the challenge.
-d spiffydesign.com -d registry.spiffydesign.com: the hostnames the certificate should cover; both end up as Subject Alternative Names in the one certificate.
--agree-tos -m your-email@example.com: accepts the terms of service non-interactively and sets the contact address (replace it with your own) that receives expiry warnings.
Locate the Certificates
After a successful run, Certbot stores the certificate under /etc/letsencrypt/live/spiffydesign.com/ (the directory is named after the first -d domain). The two files you need are:
/etc/letsencrypt/live/spiffydesign.com/fullchain.pem: the server certificate followed by the intermediate chain. Use this rather than cert.pem, so clients receive the full chain.
/etc/letsencrypt/live/spiffydesign.com/privkey.pem: the private key. It lives in a root-only directory and should stay that way.
The entries in live/ are symlinks to the current version in /etc/letsencrypt/archive/, so pointing GitLab at the live/ paths means a renewal needs no further configuration change.
Configure GitLab to Use the New Certificates
Update /etc/gitlab/gitlab.rb so both the main site and the registry use the Let's Encrypt files (the bundled NGINX master process runs as root, so it can read the root-only directory). Also set letsencrypt['enable'] to false, otherwise Omnibus's own Let's Encrypt integration, which is switched on automatically when external_url uses https, will try to manage certificates as well and compete with Certbot for port 80:
nginx['ssl_certificate'] = "/etc/letsencrypt/live/spiffydesign.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/spiffydesign.com/privkey.pem"
registry_nginx['ssl_certificate'] = "/etc/letsencrypt/live/spiffydesign.com/fullchain.pem"
registry_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/spiffydesign.com/privkey.pem"
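For reference, here is the complete set of gitlab.rb settings that belong together for this setup, as an added example rather than configuration taken from the original post. The two URLs are the hostnames used above; everything else is a standard Omnibus GitLab key.

```ruby
# Added example: gitlab.rb settings for serving one Certbot-issued certificate
# for both the main site and the container registry. URLs assumed from the write-up.
external_url 'https://spiffydesign.com'
registry_external_url 'https://registry.spiffydesign.com'

# Omnibus turns its own Let's Encrypt client on whenever external_url is https.
# Disable it explicitly so it never competes with Certbot for port 80 or
# overwrites the certificate paths below.
letsencrypt['enable'] = false

# Main site: fullchain.pem so clients get the intermediate, privkey.pem for the key.
nginx['ssl_certificate']        = "/etc/letsencrypt/live/spiffydesign.com/fullchain.pem"
nginx['ssl_certificate_key']    = "/etc/letsencrypt/live/spiffydesign.com/privkey.pem"
nginx['redirect_http_to_https'] = true

# Registry vhost: same certificate, since registry.spiffydesign.com is one of its SANs.
registry_nginx['ssl_certificate']     = "/etc/letsencrypt/live/spiffydesign.com/fullchain.pem"
registry_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/spiffydesign.com/privkey.pem"
```

Because both vhosts reference the live/ symlinks, a renewed certificate is picked up by simply restarting NGINX; gitlab.rb does not need to change again.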
Reconfigure GitLab
Run the GitLab reconfiguration to apply the changes:
sudo gitlab-ctl reconfigure
Restart GitLab Services
Finally, start GitLab services back up:
sudo gitlab-ctl start
Automating Renewal
Let's Encrypt certificates are valid for 90 days, so renewal has to be automated. certbot renew only does work when a certificate is within 30 days of expiry, and the commands given with --pre-hook and --post-hook run only when a renewal actually happens, so GitLab is not interrupted on the runs where nothing is due. Only the bundled NGINX holds ports 80 and 443, so that is the one service that needs stopping; the rest of GitLab can keep running. The standalone authenticator is recorded in the renewal configuration from the initial certonly run and does not have to be repeated.
Here's a sample script you could set up (run it as root, so no sudo is needed):
#!/bin/bash
set -e
# The hooks only run if certbot actually renews something. Restarting nginx is
# enough to load the new files through the live/ symlinks; no reconfigure needed.
certbot renew --pre-hook "gitlab-ctl stop nginx" --post-hook "gitlab-ctl start nginx"
Schedule it from root's crontab daily rather than monthly, so a failed attempt is retried well before the certificate expires. Note that the certbot package normally installs its own systemd timer or cron entry that runs certbot renew twice a day; if that is present on your system, put the two hook commands into executable scripts under /etc/letsencrypt/renewal-hooks/pre/ and /etc/letsencrypt/renewal-hooks/post/ instead of adding a second scheduler.
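Once renewal is automated it is worth checking, independently of Certbot, that the file GitLab serves still covers both hostnames and is not close to expiry, and that the certificate actually presented on port 443 for each name is the renewed one. The following is an added example, not a script from the original post: it assumes bash and openssl are available, uses the paths and hostnames from the write-up as defaults, and exits non-zero (for cron or a monitoring job) when something is wrong.

```bash
#!/bin/bash
# Added example (not from the original post): sanity checks for the Let's Encrypt
# certificate GitLab serves. Assumes bash + openssl; defaults below are the
# paths and hostnames from the write-up and can be overridden via environment.
set -eu

CERT="${CERT:-/etc/letsencrypt/live/spiffydesign.com/fullchain.pem}"
DOMAINS="${DOMAINS:-spiffydesign.com registry.spiffydesign.com}"
WARN_DAYS="${WARN_DAYS:-14}"

# Return 0 if every hostname given after the cert path appears as a DNS entry in the
# certificate's Subject Alternative Name extension, 1 otherwise. One certificate
# serves both the main site and the registry, so both names must be present.
cert_covers_domains() {
  local cert="$1" sans name
  shift
  # Pull the SAN line, split the comma-separated entries one per line, trim spaces.
  sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
         | grep -A1 'Subject Alternative Name' | tail -n1 \
         | tr ',' '\n' | sed 's/^[[:space:]]*//')
  for name in "$@"; do
    # -F -x: match the whole line literally, so dots are not regex wildcards.
    printf '%s\n' "$sans" | grep -Fxq "DNS:${name}" || return 1
  done
  return 0
}

# Return 0 if the certificate expires within $2 days, 1 if it stays valid longer.
# openssl -checkend exits 0 when the cert is still valid after the window.
cert_expires_within() {
  local cert="$1" days="$2"
  if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Fetch the certificate actually served for a hostname (using SNI, since the
# registry is a separate vhost) and apply the same two checks to it.
# Needs network access to the host, so it is not exercised by the offline test.
served_cert_ok() {
  local host="$1" tmp rc=0
  tmp=$(mktemp)
  openssl s_client -connect "${host}:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$tmp"
  cert_covers_domains "$tmp" "$host" && ! cert_expires_within "$tmp" "$WARN_DAYS" || rc=1
  rm -f "$tmp"
  return $rc
}

# Usage: ./check-gitlab-cert.sh check   (inspect the file on disk)
#        ./check-gitlab-cert.sh live    (inspect what each hostname serves)
case "${1:-}" in
  check)
    cert_covers_domains "$CERT" $DOMAINS || { echo "SAN missing in $CERT" >&2; exit 1; }
    if cert_expires_within "$CERT" "$WARN_DAYS"; then
      echo "$CERT expires within $WARN_DAYS days; renewal is not working" >&2; exit 1
    fi
    echo "ok: $CERT covers $DOMAINS"
    ;;
  live)
    for h in $DOMAINS; do
      served_cert_ok "$h" || { echo "served certificate for $h is wrong or expiring" >&2; exit 1; }
    done
    echo "ok: all hostnames serve a valid certificate"
    ;;
esac
```

Run `check` from cron a few hours after the renewal job, and `live` from a host outside the server to confirm that the NGINX restart in the post-hook actually took effect for both vhosts; a `check` that passes while `live` fails is the classic sign that the file was renewed but NGINX is still serving the old copy.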
Using this standalone method should avoid the usual configuration conflicts. Let me know if this approach works better!