Today's blog is for IT Pros and DevOps enthusiasts. Needless to say, back up your server and its configuration, plan downtime with your users and have a rollback plan. iLogix Computer Solutions will not be held accountable for any damage or loss.
This document describes the steps involved in creating or renewing an SSL certificate for a service running on Ubuntu Linux. The example uses a GoDaddy certificate and then explains how to configure GitLab to use the new certificate. It uses a combination of Windows and Linux tools and is written to help Windows administrators who are already familiar with IIS. It is not the only method available, but it is straightforward and mixes GUI and CLI steps.
These steps can be adjusted for generating a brand new certificate, not just renewals. When renewing, rekey the certificate rather than reusing the old key: the process below generates a new private key, so a key that may have been exposed during the previous certificate's lifetime is retired with it. The screenshots show a standard single-name SSL certificate, which may not suit your needs; check the documentation for your application to be sure you have the correct certificate type.
As a prerequisite you will need basic knowledge of Linux administration commands such as cp, mv, nano and vi.
Always take a backup before you make any system changes.
We start by generating a new CSR (Certificate Signing Request). The easiest way to do this for most Windows admins is Microsoft IIS. The example here uses IIS 7 (Windows Server 2008 R2); the GUI and steps differ slightly in newer versions, but the process is the same. IIS is also available as a feature in Windows 10 and 11, so you do not need a server. Open IIS Manager and select your server node, at the top of the sidebar.
Then, under Features View, open Server Certificates.
Under Actions select Create Certificate Request. Follow the wizard, entering the information required. The Common Name must be the fully qualified host name users will type (for example gitlab.domainname.com), not a URL, and the organisation details are your own, so the values in the example screenshots are unlikely to apply to you.
Set the bit length to at least 2048: the IIS 7 default of 1024 is no longer accepted by public CAs, and a longer RSA key is what makes the private key harder to recover. Leave the cryptographic service provider at the default, Microsoft RSA SChannel Cryptographic Provider.
Specify a location and name for the CSR. Click Finish.
This creates a text file containing the CSR: a base64 block between a BEGIN NEW CERTIFICATE REQUEST line and an END NEW CERTIFICATE REQUEST line. The private key matching the request stays in the Windows certificate store until the certificate is completed.
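Before pasting a CSR into the CA portal it is worth checking what it actually contains: the key size the wizard used and the Common Name. The script below is an added example, not part of the original post. It reads the CSR with openssl, which accepts the BEGIN NEW CERTIFICATE REQUEST file that IIS writes, and because a real IIS file is not available here it generates a CSR with openssl as constructed input (the subject gitlab.example.com, the organisation and the scratch directory are assumptions). Generating the CSR this way is also the route to take when no Windows machine is to hand.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): inspect a CSR before it goes to
# the CA. openssl reads the .txt file IIS writes (BEGIN NEW CERTIFICATE REQUEST)
# as well as its own; a CSR is generated below as constructed input.
set -eu
WORK="${WORK:-$(mktemp -d)}"     # assumed scratch directory

# RSA key size (in bits) of the public key inside the CSR.
csr_key_bits() {
  openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -text -noout \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Subject Common Name of the CSR: must be the host name users will type.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 when the CSR's own signature checks out and the key is at least 2048 bits,
# the minimum public CAs accept (the IIS 7 default of 1024 is rejected).
csr_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  [ "$(csr_key_bits "$1")" -ge 2048 ]
}

# Constructed input standing in for the file the IIS wizard wrote. The same
# command is the way to make the CSR on Linux if no Windows machine is handy;
# keep the .key file, it is the private key that will pair with the certificate.
openssl req -new -batch -newkey rsa:2048 -nodes \
  -subj "/C=GB/O=Example Ltd/CN=gitlab.example.com" \
  -keyout "$WORK/request.key" -out "$WORK/request.txt" 2>/dev/null

if csr_ok "$WORK/request.txt"; then
  echo "CSR OK: CN=$(csr_cn "$WORK/request.txt"), $(csr_key_bits "$WORK/request.txt")-bit RSA"
else
  echo "CSR rejected: check key size and signature" >&2
fi
```

Point the three functions at the .txt file IIS produced to check it the same way; a CN that does not match the host in your external URL, or a key shorter than 2048 bits, is cheaper to fix now than after the CA has issued the certificate.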
We now use this CSR either to request a new certificate or to rekey an existing or renewed certificate through our certificate provider, in this example GoDaddy.
Go to your GoDaddy portal at www.godaddy.com (or directly to https://certs.godaddy.com) and, under your products, select SSL Certificates.
Locate your certificate and select Set up if it is new or Manage if you are rekeying it.
Expand Rekey Certificate, paste the full text of the CSR file including the BEGIN and END lines, and click Save.
Click Submit all changes at the bottom of the page.
You will have to wait while the certificate provider checks domain ownership. A rekey is usually quicker; for a new certificate you may need to place an HTML file on your web site or add a TXT record in DNS. DNS management is beyond the scope of this guide. When the certificate is ready you can download it from the GoDaddy portal.
Click Download.
Under Server type, "Other" is fine to use; it gives you PEM-encoded .crt files, which both IIS and OpenSSL accept.
This downloads a zip file containing your certificate with a .crt extension and the intermediate certificate authority bundle, in this case gd_bundle-g2-g1.crt. Keep the bundle: the web server has to send the intermediate along with your certificate, otherwise clients that do not already hold it cannot build the chain and will report an untrusted certificate.
Copy the zip file to your IIS Server and unzip the content.
Under IIS go back to Server Certificates and select Complete Certificate Request. Browse to the certificate we just rekeyed and downloaded from GoDaddy, give it a descriptive friendly name and click OK.
Once the certificate request is completed we have a new, renewed or rekeyed SSL certificate, paired with its private key in the local machine certificate store.
Right click the certificate under Server Certificates and Export it.
This exports the certificate and its private key as a password-protected .pfx (PKCS#12) file.
Note: I have had issues extracting the key from the PFX exported by IIS. To get around this, on Windows open Start / mmc and add the Certificates snap-in for the Local Computer (Computer account).
Then under Personal / Certificates, go to Action / All Tasks / Import, select the PFX and tick the check box "Mark this key as exportable...".
Then export the certificate from the Certificates snap-in by right-clicking it and selecting All Tasks / Export. Select "Yes, export the private key" and, on the following page, tick "Include all certificates in the certification path if possible" so the GoDaddy intermediate travels with your certificate.
Click Next, accept the remaining defaults, give the export a password and save the file. Make a note of the password and store it securely; it is the import password you will need on the Linux side.
We now have a file we can use on our Linux server. Copy the PFX to the Linux server with PSCP (part of the PuTTY suite) or with WinSCP, which has a GUI.
Connect over SSH/SFTP or FTPS. Do not use plain FTP for this file: it contains your private key and FTP sends it unencrypted. Put it in a directory on the Linux server that only root can read.
Log on through SSH with an account that has sudo access and run sudo -s to get a root (#) prompt.
root@ftp1:/#
Change to the directory holding the uploaded PFX. Run the following command to export the private key from the PFX file we generated through Microsoft IIS. You can rename the file under Windows or with mv in Linux to something more descriptive, but bear in mind the file naming GitLab expects, covered below.
Pay attention to the prompts: you will be asked for the import password (the one set when exporting from Windows) and then for a new PEM pass phrase to protect the exported key. That pass phrase is removed again in a later step.
root@ftp1:/# openssl pkcs12 -in ftp.certificate2018.pfx -nocerts -out ftp.certificate2018.key.pem
Now run the following command to export the certificate from the PFX. Note that -clcerts writes only your own (leaf) certificate and leaves out the intermediate.
root@ftp1:/# openssl pkcs12 -in ftp.certificate2018.pfx -clcerts -nokeys -out ftp.certificate2018.pem
Finally, run the following command to remove the pass phrase from the private key. NGINX must be able to read the key without prompting, which is also why the resulting file must be readable by root only (mode 600).
root@ftp1:/# openssl rsa -in ftp.certificate2018.key.pem -out ftp.certificate2018.key
We now have a certificate and a private key we can use for a GitLab server. Before moving on, append the GoDaddy intermediate bundle (gd_bundle-g2-g1.crt) to the end of the certificate .pem so that NGINX serves the full chain, and confirm that the certificate and key belong together: a mismatched pair stops NGINX from starting after reconfigure.
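The three openssl steps above, plus the checks worth doing before the files go anywhere near GitLab, as an added example script that is not from the original post. It runs offline by generating its own inputs: a throwaway intermediate CA and a leaf certificate it signs stand in for the GoDaddy certificate and gd_bundle-g2-g1.crt, and the password changeit, the scratch directory and the subject gitlab.example.com are assumptions. In real use point PFX, PFX_PASS and BUNDLE at the file exported from Windows and the bundle from the GoDaddy zip. Beyond the post's commands it builds the full-chain file NGINX should serve, locks down the unencrypted key, and confirms that certificate, key and bundle belong together.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the PFX -> PEM conversion from the
# post, run non-interactively, plus the checks worth doing before the files go
# to GitLab. All inputs are generated locally so it runs offline; the password,
# scratch directory and test names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"                   # assumed scratch directory
PFX="${PFX:-$WORK/ftp.certificate2018.pfx}"    # real use: the PFX exported from Windows
PFX_PASS="${PFX_PASS:-changeit}"               # the export password set in the MMC wizard
BUNDLE="${BUNDLE:-$WORK/gd_bundle-g2-g1.crt}"  # real use: the bundle from the GoDaddy zip
BASE="$WORK/ftp.certificate2018"               # output prefix, as in the post

# Constructed input: a throwaway "intermediate" CA, a leaf it signs, and a PFX
# of leaf + key, standing in for the GoDaddy certificate exported from IIS.
make_test_inputs() {
  openssl req -x509 -batch -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Intermediate CA" \
    -keyout "$WORK/ca.key" -out "$BUNDLE" 2>/dev/null
  openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=gitlab.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$BUNDLE" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
    -passout "pass:$PFX_PASS" -out "$PFX"
}

# The post's three openssl commands with -passin/-passout instead of prompts,
# then the full chain and file permissions.
extract_from_pfx() {
  pfx="$1"; pass="$2"; bundle="$3"; base="$4"
  # 1. private key, still pass-phrase protected
  openssl pkcs12 -in "$pfx" -nocerts -passin "pass:$pass" -passout "pass:$pass" \
    -out "$base.key.pem"
  # 2. leaf certificate only: -clcerts deliberately leaves out CA certificates
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" -out "$base.pem"
  # 3. leaf followed by the intermediate bundle: this is what NGINX must serve
  cat "$base.pem" "$bundle" > "$base.fullchain.pem"
  # 4. strip the pass phrase so NGINX can load the key without a prompt...
  openssl rsa -in "$base.key.pem" -passin "pass:$pass" -out "$base.key" 2>/dev/null
  # ...which is why the unencrypted key must be readable by root only
  chmod 600 "$base.key" "$base.key.pem"
}

# 0 when the certificate's public key is the one belonging to the private key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# 0 when the leaf chains to the intermediate bundle (wrong bundle => failure).
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# 0 when a PEM key file is not pass-phrase protected.
key_is_unencrypted() { [ -s "$1" ] && ! grep -q ENCRYPTED "$1"; }

# Subject CN of a certificate, to compare with GitLab's external_url host.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

make_test_inputs
extract_from_pfx "$PFX" "$PFX_PASS" "$BUNDLE" "$BASE"
cert_matches_key "$BASE.pem" "$BASE.key" && echo "certificate and key match"
chain_verifies "$BASE.pem" "$BUNDLE" && echo "leaf chains to the intermediate bundle"
key_is_unencrypted "$BASE.key" && echo "pass phrase removed: $BASE.key (mode 600)"
echo "certificate CN: $(cert_cn "$BASE.pem")"
```

Run it as root in the directory that holds the PFX. The -passin/-passout options replace the interactive prompts; drop them if you prefer to type the passwords. On OpenSSL 3.x a PFX created on Windows may be encrypted with RC2 or 3DES, which the default provider no longer offers; if openssl pkcs12 fails with an unsupported-algorithm error, add -legacy to the two pkcs12 commands.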
GitLab Omnibus enables Let's Encrypt automatically when external_url uses https. Here that is not what we want, so we will use the certificate we have just extracted.
GitLab keeps its configuration in /etc/gitlab.
Edit gitlab.rb and disable Let's Encrypt. If you do not, every gitlab-ctl reconfigure will try to obtain a Let's Encrypt certificate and overwrite yours.
Locate and set the following: letsencrypt['enable'] = false
In the same gitlab.rb file set the external URL of your server, using https and the host name that matches the certificate's Common Name:
external_url "https://gitlab.domainname.com"
Still in gitlab.rb, set the certificate paths under the NGINX settings.
The host name in external_url must match the certificate, and it also decides the default file names: if you leave the two nginx settings below unset, GitLab looks for /etc/gitlab/ssl/<host>.crt and /etc/gitlab/ssl/<host>.key. Setting them explicitly, as here, lets you keep the .pem name from the openssl step. The /etc/gitlab/ssl directory does not exist by default; create it with mode 755, and keep the unencrypted .key readable by root only (mode 600). So if your external URL is https://gitlab.domainname.com:
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.domainname.com.pem"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.domainname.com.key"
The .pem file must contain your certificate followed by the GoDaddy intermediate bundle.
Set HTTP to HTTPS redirection to true:
nginx['redirect_http_to_https'] = true
Finally, rebuild your GitLab configuration with the following command.
gitlab-ctl reconfigure
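Putting the files in place and rehearsing the configuration, as an added example script that is not from the original post. It derives the host name from external_url, installs the full-chain certificate and the key with the names and permissions GitLab expects, prints the gitlab.rb lines from this section with matching paths, and prints the openssl s_client command to run once reconfigure has finished. SSL_DIR defaults to a scratch directory so the script can be tried safely; set SSL_DIR=/etc/gitlab/ssl on the server. The external URL gitlab.domainname.com follows the post; the input file names are assumptions, and the throwaway certificate it creates is constructed input standing in for the converted files.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): place the converted files where
# GitLab expects them, produce the gitlab.rb lines from this section, and show
# how to check the live listener after gitlab-ctl reconfigure. SSL_DIR defaults
# to a scratch path so the procedure can be rehearsed; on the server set
# SSL_DIR=/etc/gitlab/ssl. External URL and file names are assumptions.
set -eu

EXTERNAL_URL="${EXTERNAL_URL:-https://gitlab.domainname.com}"
WORK="${WORK:-$(mktemp -d)}"
SSL_DIR="${SSL_DIR:-$WORK/etc/gitlab/ssl}"     # real value: /etc/gitlab/ssl

# Host part of external_url; GitLab derives its default certificate names from it.
host_from_url() {
  h="${1#*://}"; h="${h%%/*}"; h="${h%%:*}"; printf '%s\n' "$h"
}

# Install full-chain certificate and unencrypted key as <host>.pem / <host>.key.
# GitLab's own defaults are <host>.crt and <host>.key; because gitlab.rb names
# the files explicitly below, the .pem name from the post works just as well.
install_gitlab_cert() {
  fullchain="$1"; key="$2"; host="$(host_from_url "$EXTERNAL_URL")"
  install -d -m 755 "$SSL_DIR"                 # /etc/gitlab/ssl does not exist by default
  install -m 644 "$fullchain" "$SSL_DIR/$host.pem"
  install -m 600 "$key" "$SSL_DIR/$host.key"   # unencrypted private key: root only
  printf '%s\n' "$SSL_DIR/$host.pem" "$SSL_DIR/$host.key"
}

# The gitlab.rb settings from this section, with paths that match the install.
# Merge them into the existing /etc/gitlab/gitlab.rb by editing each key in
# place (not by appending duplicates), then run: gitlab-ctl reconfigure
gitlab_rb_lines() {
  host="$(host_from_url "$EXTERNAL_URL")"
  cat <<EOF
external_url "$EXTERNAL_URL"
letsencrypt['enable'] = false
nginx['ssl_certificate'] = "$SSL_DIR/$host.pem"
nginx['ssl_certificate_key'] = "$SSL_DIR/$host.key"
nginx['redirect_http_to_https'] = true
EOF
}

# After reconfigure, see what the listener really serves: the leaf's subject and
# issuer, and the verify result. Printed rather than run, since it needs the
# live server.
live_check_command() {
  host="$(host_from_url "$EXTERNAL_URL")"
  printf 'openssl s_client -connect %s:443 -servername %s </dev/null 2>/dev/null | grep -E "subject=|issuer=|Verify return code"\n' "$host" "$host"
}

# Constructed input: a throwaway key and certificate standing in for the
# converted ftp.certificate2018.* files.
openssl req -x509 -batch -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=$(host_from_url "$EXTERNAL_URL")" \
  -keyout "$WORK/in.key" -out "$WORK/in.pem" 2>/dev/null
install_gitlab_cert "$WORK/in.pem" "$WORK/in.key"
gitlab_rb_lines
live_check_command
```

The s_client check reports what the listener actually serves, not what is on disk. A Verify return code of 0 (ok) on a host with the normal CA bundle means the chain is complete; 21 (unable to verify the first certificate) is the classic symptom of a certificate installed without its intermediate.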
If there are any errors, examine the output; these steps have been tested and work in a production environment.