A Newb's Pen

Let's learn together

Enabling HTTPS for Gitlab pages using Certbot



In this guide, we will demonstrate how to configure a GitLab page served over a custom domain to use a trusted SSL certificate obtained from Let's Encrypt. To obtain the certificate from Let's Encrypt we will use Certbot, previously known as the Let's Encrypt Client.

Pre-requisites

1: A GitLab page served over a custom domain
2: An Ubuntu PC with a working internet connection
3: Last but not least, time

Download CertBot

1: Clone the certbot repo from GitHub

$ git clone https://github.com/certbot/certbot.git

Obtain SSL certificate

1: Navigate to the directory and run the certbot client. The argument to the client is your website's domain name

$ cd certbot/
$ ./certbot-auto certonly -a manual -d YOURDOMAIN.com

2: You should see output like the one below

Requesting root privileges to run certbot...
  /home/ubuntu/.local/share/letsencrypt/bin/letsencrypt certonly -a manual -d YOURDOMAIN.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for YOURDOMAIN.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Create a file containing just this data:

c5uJanKWoIU03m5AAd7HSvcZ7LX_-zlZIj3l768N-oU.LeD3Fxv4_XCOs85jzFiYE7yPUr0JLz2c_cYJN1-zSOE

And make it available on your web server at this URL:

http://YOURDOMAIN.com/.well-known/acme-challenge/c5uJanKWoIU03m5AAd7HSvcZ7LX_-zlZIj3l768N-oU

-------------------------------------------------------------------------------
Press Enter to Continue

3: Now add a file named c5uJanKWoIU03m5AAd7HSvcZ7LX_-zlZIj3l768N-oU with the content c5uJanKWoIU03m5AAd7HSvcZ7LX_-zlZIj3l768N-oU.LeD3Fxv4_XCOs85jzFiYE7yPUr0JLz2c_cYJN1-zSOE, so that it is accessible at http://YOURDOMAIN.com/.well-known/acme-challenge/c5uJanKWoIU03m5AAd7HSvcZ7LX_-zlZIj3l768N-oU.
Note: replace the file name and content above with the values Certbot generated for you

4: [Optional hint] If you use a site generator such as Hexo, you can also add a snippet similar to the one below to .gitlab-ci.yml, so the challenge file is written into the published site on every build.

$ cd public
$ mkdir -p .well-known/acme-challenge
$ cd .well-known/acme-challenge/
$ echo 'c5uJanKWoIU03m5AAd7HSvcZ7LX_-zlZIj3l768N-oU.LeD3Fxv4_XCOs85jzFiYE7yPUr0JLz2c_cYJN1-zSOE' > c5uJanKWoIU03m5AAd7HSvcZ7LX_-zlZIj3l768N-oU

5: Verify that the file is accessible at the required address using curl in a different console. You should see output like the one below; if not, something is wrong.

$ curl http://YOURDOMAIN.com/.well-known/acme-challenge/c5uJanKWoIU03m5AAd7HSvcZ7LX_-zlZIj3l768N-oU
c5uJanKWoIU03m5AAd7HSvcZ7LX_-zlZIj3l768N-oU.LeD3Fxv4_XCOs85jzFiYE7yPUr0JLz2c_cYJN1-zSOE

6: Now return to the previous console and press Enter. You should see output like:

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/YOURDOMAIN.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/YOURDOMAIN.com/privkey.pem
   Your cert will expire on YYYY-MM-DD. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

7: If the last step succeeded, your SSL certificate is ready.
8: Visit GitLab > Settings > Pages and re-add the domain. This time paste the contents of fullchain.pem in the Certificate (PEM) field and the contents of privkey.pem in the Key (PEM) field.
9: Hit Enter and you are good to go. See your web page being served at https://YOURDOMAIN.com, just like mine: https://mkkhedawat.com
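The check in step 5, as an added script that is not part of the original post or of Certbot: it fetches the challenge URL the way the Let's Encrypt validator does (plain HTTP, port 80) and compares the body with the expected key authorization (TOKEN.THUMBPRINT). The token and content are the sample values from the output above; the domain is whatever you pass on the command line.

```python
import re
import sys
import urllib.request

# Sample values from the post's Certbot output; replace with your own.
TOKEN = "c5uJanKWoIU03m5AAd7HSvcZ7LX_-zlZIj3l768N-oU"
KEY_AUTH = TOKEN + ".LeD3Fxv4_XCOs85jzFiYE7yPUr0JLz2c_cYJN1-zSOE"
BASE64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def challenge_url(domain: str, token: str) -> str:
    """The validator requests this over plain HTTP (it may follow redirects)."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def check_challenge_body(body: str, token: str, key_auth: str) -> list:
    """Return a list of problems with a served challenge body; empty means OK."""
    problems = []
    if not BASE64URL.match(token):
        problems.append("token is not base64url")
    if not key_auth.startswith(token + "."):
        problems.append("key authorization does not start with the token")
    # RFC 8555 section 8.3: the validator ignores trailing whitespace, so the
    # newline that `echo` appends is harmless; anything else must match exactly.
    served = body.rstrip()
    if served == token:
        problems.append("file holds only the token; it must hold TOKEN.THUMBPRINT")
    elif served != key_auth:
        problems.append("served body does not match the key authorization")
    return problems


def fetch_and_check(domain: str, token: str, key_auth: str, timeout: float = 10) -> list:
    """Fetch the challenge file like a validator would and check what came back."""
    url = challenge_url(domain, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except Exception as exc:  # DNS failure, connection refused, 404, ...
        return [f"GET {url} failed: {exc}"]
    return check_challenge_body(body, token, key_auth)


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "YOURDOMAIN.com"
    print(fetch_and_check(domain, TOKEN, KEY_AUTH) or ["challenge response OK"])
```

Run it as `python3 check_challenge.py YOURDOMAIN.com` before pressing Enter in the Certbot console; an empty problem list means the validator will see the same content you intended to publish.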