SSL on Gitlab

November 01, 2018
Auto-renewing SSL Certificates with Gitlab Pages

Note: Scroll down if you just want the `.gitlab-ci.yml` files.
If you know a better way to do this, please send me a note on Twitter or let me know in the comments on either of the gists below; I would appreciate it!

Did you find this helpful or interesting? I'm glad! 🦊 💜 ☕️
Buy Me a Coffee at ko-fi.com
Why?

The Problem

I have way too many websites. Lately I've been moving to Jekyll as my platform of choice for personal sites that need frequent updating (the site you're reading now is Jekyll based). In addition to these I have a few HTML-only sites, and I typically create a WordPress site for every project or class I work on, because it's far easier for my students to have a login and edit than to teach them all Git and Jekyll.

Up until now I've been using Dreamhost as a hosting provider. I highly recommend them, but it gets unwieldy to maintain dozens of sites, and nobody needs to access the backend of those WordPress sites after the classes end, so why keep updating and maintaining them when they could be archived to static?

Enter GitLab

Lately I've been digging into GitLab, the newest of the three big code-repository hosting services. In the past I've mainly used Bitbucket, because most of my projects are not public or open source and Bitbucket provides unlimited free private repos.

GitLab also offers unlimited public repos, but the killer feature is that on top of best-in-class repository hosting they provide a suite of insanely useful DevOps tools at no cost. At the heart of this is a flexible, Docker-based CI system that can be configured to build, test and deploy your code. GitLab also lets you schedule these pipelines and run them with whatever Docker images your jobs need. This means tasks can run on a schedule, when you check in your code, or any combination of the two.

These tools are so flexible and powerful that I initially found it difficult to get a handle on where to start and how to get things done. I've also barely scratched the surface of what's possible, but after a week I have moved all of my 15+ static websites to GitLab, and for good measure have secured them using SSL provided by Let's Encrypt. To complete the picture, I've configured GitLab to auto-renew their certificates so I don't need to deal with that myself.

Just set... and Forget!

All of this works because of the magical fact that if you have a certain file in your repository (namely `.gitlab-ci.yml`) and you commit your code, GitLab will pick this file up and process the code per the instructions in it. I've provided two such files below, which I use for Jekyll and plain HTML sites respectively.

Theory of Operation

  1. Create a pipeline for deploying your code. This process executes when you commit code to the repository. I have provided two examples below, one for plain HTML (using rsync) and one that compiles Jekyll. These do some additional useful things: the Jekyll version is configured to use UTF-8 so international characters don't get munged, and it sets up a cache to speed up repeat builds.

  2. Use gitlab-letsencrypt to generate and maintain certificates. You don't want every repository update to trigger a certificate renewal, so the `cert_update` job is restricted with `only: - schedules` to ensure it runs only on scheduled invocations.

  3. Set up a scheduled pipeline in the GitLab UI to renew the certificate. Certificates expire every 90 days, but there is no penalty for renewing earlier. I chose to renew once a month, but this could easily be adjusted. The scheduler uses cron format for time specifications.

Don't leak secrets!

These `.gitlab-ci.yml` templates are written so as not to expose any secret data, but they need to be customized and given a token with write access to your repository. To do this safely, we supply the values as environment variables rather than committing them. To use the files as-is, create the following variables on your scheduled pipeline:

`CERT_DOMAINS`: `example.com www.example.com`
The domains you want the certificate issued for, space delimited.

`CERT_OPTIONS`: `--production`
Options that [gitlab-letsencrypt](https://www.npmjs.com/package/gitlab-letsencrypt) supports. `--production` issues a real certificate, which is what you want, but while setting things up you might want to leave this option blank: staging certificates don't count towards your Let's Encrypt quota while you're debugging your setup.

`CERT_TOKEN`: `XXXXXXXXXXX`
GitLab personal access token. [Generate yours here](https://gitlab.com/profile/personal_access_tokens).
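As an added example (not one of the author's gists, which are not reproduced on this page), here is a `.gitlab-ci.yml` that wires steps 1 to 3 together for a Jekyll site: the `pages` job deploys on pushes only, while `cert_update` runs only when the pipeline schedule fires and reads the variables above. The `gitlab-le` command and its flags, the extra `CERT_EMAIL` variable and the Docker images are assumptions drawn from the package's README as I recall it, so verify them against the package before relying on this.

```yaml
# .gitlab-ci.yml (added example, not the author's gist): Jekyll build + scheduled cert renewal
image: ruby:2.5                      # assumption: any image with Ruby works for Jekyll

variables:
  LC_ALL: C.UTF-8                    # keep Jekyll from munging international characters
  LANG: C.UTF-8
  JEKYLL_ENV: production

cache:
  key: ${CI_COMMIT_REF_SLUG}
  paths:
    - vendor/                        # gems installed with --path vendor are reused between builds

pages:                               # deploy job: runs on pushes, never on a schedule
  stage: deploy
  before_script:
    - gem install bundler && bundle install --path vendor
  script:
    - bundle exec jekyll build -d public
  artifacts:
    paths:
      - public
  except:
    - schedules                      # a scheduled run must not redeploy the site

cert_update:                         # renewal job: runs only when the pipeline schedule fires
  stage: deploy
  image: node:10                     # assumption: any image with npm for the package
  script:
    # CERT_DOMAINS, CERT_OPTIONS, CERT_TOKEN and CERT_EMAIL come from the schedule's
    # variables and are never committed. Mark CERT_TOKEN as Masked in the GitLab UI so
    # it is redacted from job logs; fail early rather than run with an empty token.
    - test -n "$CERT_TOKEN" || { echo "CERT_TOKEN is not set"; exit 1; }
    - test -n "$CERT_DOMAINS" || { echo "CERT_DOMAINS is not set"; exit 1; }
    - npm install -g gitlab-letsencrypt
    # flag names below are an assumption based on the gitlab-letsencrypt README;
    # CERT_DOMAINS and CERT_OPTIONS are deliberately unquoted so they split into words
    - >
      gitlab-le --email "$CERT_EMAIL" --domain $CERT_DOMAINS
      --repository "$CI_PROJECT_URL" --token "$CERT_TOKEN"
      --path /.well-known/acme-challenge $CERT_OPTIONS
  only:
    - schedules
```

Leave `CERT_OPTIONS` empty on the schedule while testing so the ACME challenge runs against the staging environment, then set it to `--production` once the challenge file is being served correctly.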

Tips

For Jekyll Sites

For Static Sites
