[FIXED] How do I use Let’s Encrypt with GitLab under Plesk on Subdomain?

Issue

I got GitLab up and running, but currently it doesn't use SSL. I use the Let's Encrypt Plesk Extension to get free SSL Certificates in general. This is what my setup looks like:

• Plesk v12.5.30_build1205150826.19 os_Ubuntu 14.04
• GitLab 8.8.5
• Let's Encrypt Plesk Extension v1.6 Release 1
• Plesk Subdomain: git.my-domain.com

Plesk Apache & nginx Settings for git.my-domain.com:

Additional directives for HTTP :
<Location />
    ProxyPass http://IP-of-my-domain:9999/
    ProxyPassReverse http://IP-of-my-domain:9999/
</Location>
Additional directives for HTTPS :
<Location />
     ProxyPass https://IP-of-my-domain:9998/
     ProxyPassReverse https://IP-of-my-domain:9998/
  </Location>

In my gitlab.rb file:

external_url "http://IP-of-my-domain:9999/"

I also found How do I use let’s encrypt with gitlab? and tried to adapt the answers but couldn't figure out what to put into:

nginx['custom_gitlab_server_config']="?"
nginx['custom_gitlab_mattermost_server_config']="?"

Http connection is working flawlessly (Subdomain or IP:Port, both work). As soon as I change to Https it doesn't and I get the following (also if I change external_url to port 9998):

Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Additionally, a 503 Service Unavailable error was encountered while trying to use an ErrorDocument to handle the request.

Certificate was installed before the ProxyPass and https works without any problems without the ProxyPass entries (i.e. the certificate exists and is valid).

If anyone got Plesk and GitLab with Let's Encrypt up and running, I would really appreciate if you could share your configuration.

Solution

I created symlinks in /etc/gitlab/ssl to my certificates

1. subdomain.domain.tld.crt => /opt/psa/var/modules/letsencrypt/etc/archive/subdomain.domain.tld/cert1.pem

2. subdomain.domain.tld.key => /opt/psa/var/modules/letsencrypt/etc/archive/subdomain.domain.tld/privkey1.pem

In file gitlab.rb

external_url 'https://gitlab.domain.tld'
gitlab_rails['gitlab_shell_ssh_port'] = 22 
gitlab_rails['initial_shared_runners_registration_token'] = "token"
web_server['external_users'] = ['webUser']
nginx['enable'] = false  # Tutorial
nginx['redirect_http_to_https'] = true      
nginx['listen_https'] = false

In Plesk: Domain => Apache & nginx Settings => Additional nginx directives

 location ~ / {
        # for omnibus installation
        root /opt/gitlab/embedded/service/gitlab-rails/public;
        try_files $uri $uri/index.html $uri.html @gitlab;
    }

    # if a file, which is not found in the root folder is requested,
    # then the proxy pass the request to the upsteam (gitlab unicorn)
    location @gitlab {
        proxy_read_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
        proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
        proxy_redirect     off;

        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   Host              $http_host;
        proxy_set_header   X-Real-IP         $remote_addr;

        proxy_pass http://gitlab;

    }

In file gitlab.conf

  upstream gitlab {
        # for omnibus installation
        server unix:/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket;
    }

Answered By - Eskaaa

Answer Checked By - Timothy Miller (PHPFixing Admin)