Let's Encrypt SSL certificate for GitLab with Docker on Synology
If you use DSM 6.1 on a Synology NAS, then requesting an SSL certificate from Let's Encrypt is very easy. But this certificate will only be used by Synology-apps like Audio- or Video Station. The goal of this post is to show you how you can use this same certificate with the ready-to-use GitLab Docker-image which is based on this GitHub repository.
Prerequisites
- Synology NAS with DSM 6.1
- GitLab package installed
- Working SSL certificate installed
- Working SSH connection to the NAS
(Check out this post for how to establish a secure ssh connection to your Synology NAS.)
1. Locate the certificate in the filesystem
DSM 6.1 stores all SSL certificates that are added via the web-interface here:
/usr/syno/etc/certificate/_archive/
This folder is only accessible as root, so you will need to sudo su at some point to be able to list the contents. For each certificate there is a sub folder. The folders are not named after the certificate - they have some random alphanumeric name. This means your first task is to figure out which folder belongs to the certificate you want to re-use. In my case of a Let's Encrypt certificate, there is a file called renew.json which contains the name of the domain. If you don't have such a file you will need to look at the details of the certificate itself by running openssl x509 -in cert.pem -text -noout.
2. Stop GitLab package
If you haven't done it already then stop the GitLab package now. Do not try to stop it from the Docker UI - use the 'Stop' button in the Package Center:
3. Copy certificates and generate dhparam.pem
This step is almost identically described in the README of the GitHub repository, although the paths are wrong there. Best follow my instructions and ignore the README ;)
cd /<yourvolume>/docker/gitlab
Go to the filesystem of the docker container.<yourvolume>is the volume that you chose during the GitLab installation. In my case, this is namedvolume1.sudo mkdir certsandcd certs
Create the folder where the certificate and the key must go.sudo cp /usr/[...]/<your-certificate>/cert.pem ./gitlab.crt
sudo cp /usr/[...]/<your-certificate>/privkey.pem ./gitlab.key
Copy and rename the certificate and the private-key. Note: Symlinking will not work here, because the docker container has its own root once it's running. Harlinking might also be an option, but I have not tested that yet. A hardlink would be preferable because then the certificate would automatically be updated every time the Let's Encrpyt certificate is updated by DSM.openssl dhparam -out dhparam.pem 4096
Create dhparam.pem file according to the above mentioned README. Why this is done can be read here. This will take a long time (possibly hours). The more active your server is, the faster the required entropy will be generated.
4. Configure the Docker container to use https
In the DSM web-interface, open the Docker UI (use the Main Menu). You will need to add two environment variables to the synology_gitlab container. The first one will make GitLab automatically redirect http connections to https. The second one will tell GitLab to use https.
5. Change port bindings for container
GitLab expects https connections to come in via port 443. By default, the server's port 30000 is mapped to the container's port 80 for normal http connections. We will change that.
6. Restart GitLab and test the connection
Use the Package Center UI to start GitLab again and give it a few seconds. Then click on the GitLab icon in the Main Menu. This should open up a new browser tab which displays the login page of GitLab. If you check the url details, you should see a green lock and the protocol should be https.