I have had an existing GitLab installation for a few months, and I decided it was time to add a real SSL certificate (not self-signed).

Following the documentation, I changed the following line:

external_url 'http://<domain>.com'

to:

external_url 'https://<domain>.com'

And uncommented the following lines:

nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key"

And just to be sure, I double-checked the key files:

root@host:/etc/gitlab# cat /etc/gitlab/ssl/gitlab.crt
-----BEGIN CERTIFICATE-----
...

root@host:/etc/gitlab# cat /etc/gitlab/ssl/gitlab.key
-----BEGIN PRIVATE KEY-----
...

Then I ran gitlab-ctl reconfigure, and I got a successful message at the end. However, navigating to the GitLab URL, I get an ERR_CONNECTION_REFUSED. When I comment out all the lines above and run gitlab-ctl reconfigure, everything goes back to normal on HTTP port 80.

What might cause nginx to refuse connections when I feed the configuration file two certificates and adjust the URL? Thanks!

David
  • 187

1 Answer

It sounds like GitLab is not listening on 443. The redirect on 80 sends you to 443 where you get Connection Refused. The config should have a listen 443 line (see http://nginx.org/en/docs/http/configuring_https_servers.html) that allows it to receive SSL requests.

Example from the page:

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}
Jason Martin
  • 5,193
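
To confirm the state the answer describes (port 80 bound for the redirect, nothing bound on 443), the listening sockets can be checked directly on the host. The script below is an added example, not part of the original answer: it classifies `ss -ltn` output, assuming the standard iproute2 column layout; the function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `ss -ltn` output whether the
# "HTTP redirect works, HTTPS is refused" state is present.

# Constructed sample: 80 is bound, 443 is not (the state the answer suspects).
SAMPLE_REDIRECT_ONLY='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       1024    127.0.0.1:8080      0.0.0.0:*
LISTEN  0       511     [::]:80             [::]:*'

# Constructed sample: both 80 and 443 are bound.
SAMPLE_HTTPS_OK='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*
LISTEN  0       511     [::]:443            [::]:*'

# Print each local port in LISTEN state once. The port is the text after the
# last ":" of the local address, which also handles IPv6 forms such as [::]:80.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, part, ":"); print part[n] }' | sort -un
}

# Read `ss -ltn` output on stdin and print one verdict:
#   https-listening  something is bound to 443
#   redirect-only    80 is bound but 443 is not; the redirect ends in a refusal
#   no-web-listener  neither port is bound
diagnose() {
    _ports=$(listening_ports)
    # grep -x matches whole lines, so 8443 or 4430 never count as 443.
    if printf '%s\n' "$_ports" | grep -qx 443; then
        echo "https-listening"
    elif printf '%s\n' "$_ports" | grep -qx 80; then
        echo "redirect-only"
    else
        echo "no-web-listener"
    fi
}

# Live use on the GitLab host:  ss -ltn | diagnose
printf '%s\n' "$SAMPLE_REDIRECT_ONLY" | diagnose
printf '%s\n' "$SAMPLE_HTTPS_OK" | diagnose
```

A `redirect-only` verdict means nginx never opened the HTTPS listener, so the next place to look is the nginx configuration and error log rather than the certificate files themselves.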