Enable SSL on GitLab with Docker on Synology NAS
C

6

13

I have a working installation of GitLab via the official GitLab Package on my Synology NAS (DSM 5.2) in a Docker container.

I would now like to access the web interface via https instead of just http. I have seen in several posts that it is possible to do with some docker magic, but did not find any detailed instructions.

Can anyone please explain how to achieve this?

It's a pity that this is not default.

Coaxial answered 3/8, 2015 at 15:31 Comment(1)
Official docs: github.com/sameersbn/docker-gitlab/blob/master/README.md#ssl - Fritillary
T
1

You haven't indicated which gitlab image you're using:

The most common container image already has instructions included with details on how to enable SSL:

Tortious answered 4/8, 2015 at 1:23 Comment(2)
I use the Synology Package for GitLab which lives in a Docker container. In the Docker control panel it says the image is sameersbn/gitlab:7.9.3 - Coaxial
I will have a look at those instructions. Looks doable at first sight. - Coaxial
F
13

With DSM6, the changes (except generation of the cert) are now possible using the dsm docker interface:

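1) Create a key/cert:

    mkdir /volume1/docker/gitlab/certs
    cd /volume1/docker/gitlab/certs
    # 2048-bit RSA private key
    openssl genrsa -out gitlab.key 2048
    # certificate signing request (prompts for the subject fields)
    openssl req -new -key gitlab.key -out gitlab.csr
    # self-sign the request, valid for 3650 days
    openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt
    # Diffie-Hellman parameters
    openssl dhparam -out dhparam.pem 2048
    # private key readable by its owner only
    chmod 400 gitlab.key

2) Set up gitlab docker environment:

[Screenshot: setting gitlab docker environment vars via DSM gui]

3) Set gitlab docker port bindings:

[Screenshot: Set port binding for gitlab]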

Flytrap answered 4/4, 2016 at 0:8 Comment(3)
This has to be repeated if a package update has been installed :/ - Flytrap
Nowadays you should generate the certs folder at: /volume1/docker/gitlab/gitlab/certs (notice the double /gitlab/) - Wellnigh
I confirm this solution is the most efficient. Nevertheless, as mentioned by @Jouke, the certs/ directory should be in /volume1/docker/gitlab/gitlab/. Also: the gitlab service must be off to be edited, and be restarted only when everything is ready. - Transmontane
J
6

On DSM 6.2.1

I just did the installation of this and some of the answers here helped me, but I still ran into problems. So I thought I would share my findings:

I wanted to use the Let's Encrypt certs I had already generated inside Synology DSM.

  1. Create a task scheduler (user defined script)

    cp /usr/syno/etc/certificate/system/default/privkey.pem  /volume1/docker/gitlab-ce/gitlab/certs/gitlab.key
    cp /usr/syno/etc/certificate/system/default/fullchain.pem /volume1/docker/gitlab-ce/gitlab/certs/gitlab.crt
    

    Adjust to your chosen name/folder when installing gitlab (in my case "gitlab-ce").

  2. Create a dhparam.pem file on any machine with OpenSSL

    openssl dhparam -out dhparam.pem 2048

    I advise not doing this on a NAS, because it will be slow (you may increase the key complexity to whatever you have the patience to wait for).

  3. Copy the dhparam.pem to your certificates folder location inside gitlab

    /volume1/docker/gitlab-ce/gitlab/certs/

    Adjust to your chosen name/folder when installing gitlab (in my case "gitlab-ce").

  4. Stop gitlab in package center (stops all three docker containers)

  5. On the synology_gitlab container

    5.1 Add the two environment variables

    GITLAB_HTTPS=true  
    SSL_SELF_SIGNED=false
    

    5.2. Change gitlab port binding (container port) from 80 to 443

This approach will automatically, at a set time (your choice in the user-defined script), update your generated SSL certificate if the Synology DSM (or you manually) creates a new one. This is, however, not an instant update, but you can trigger it manually from the task scheduler interface. Still, this approach is kind of carefree for personal NAS solutions.

Jacquijacquie answered 20/3, 2019 at 16:20 Comment(1)
Footnote: be aware that gitlab only picks up the new certificate when you restart gitlab from the package manager. - Jacquijacquie
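
A fuller version of the scheduled copy from the answer above, as an added example that is not part of the original post: it refuses a key that does not belong to the certificate, skips the copy when nothing changed, and installs the key with mode 400. The function name `sync_cert` and its status words are assumptions of this example; the file names are the ones used in the answer.

```shell
#!/bin/sh
# Added example (not from the original answer). Names and status words are assumptions.
# sync_cert SRC_DIR DST_DIR
#   SRC_DIR holds privkey.pem and fullchain.pem (the DSM certificate folder)
#   DST_DIR is GitLab's certs folder (receives gitlab.key and gitlab.crt)
# Prints updated | unchanged | mismatch; returns 0, 0, 1 (2 if the copy fails).
sync_cert() {
    src=$1
    dst=$2

    # The public key derived from the private key must equal the one in the
    # leaf certificate (the first certificate in fullchain.pem).
    key_pub=$(openssl pkey -in "$src/privkey.pem" -pubout 2>/dev/null) || key_pub=
    crt_pub=$(openssl x509 -in "$src/fullchain.pem" -noout -pubkey 2>/dev/null) || crt_pub=
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo mismatch
        return 1
    fi

    # Nothing to do when both installed files are byte-identical to the source.
    if cmp -s "$src/fullchain.pem" "$dst/gitlab.crt" &&
       cmp -s "$src/privkey.pem" "$dst/gitlab.key"; then
        echo unchanged
        return 0
    fi

    # Copy to temporary names under a restrictive umask, then rename into place,
    # so the key is never readable by group/others and never half-written.
    (
        umask 077
        rm -f "$dst/.gitlab.key.tmp" "$dst/.gitlab.crt.tmp"
        cp "$src/privkey.pem" "$dst/.gitlab.key.tmp" &&
        cp "$src/fullchain.pem" "$dst/.gitlab.crt.tmp" &&
        chmod 400 "$dst/.gitlab.key.tmp" &&
        chmod 444 "$dst/.gitlab.crt.tmp" &&
        mv -f "$dst/.gitlab.key.tmp" "$dst/gitlab.key" &&
        mv -f "$dst/.gitlab.crt.tmp" "$dst/gitlab.crt"
    ) || return 2
    echo updated
}

# Runs only when called with both folders, e.g. from the DSM task scheduler.
if [ "$#" -eq 2 ]; then
    sync_cert "$1" "$2"
fi
```

An `updated` result means GitLab still needs the restart mentioned in the footnote before it serves the new certificate.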
E
4

The instructions Crami gave work for me with the package install (sameersbn/gitlab:7.9.3). You must:

  1. Follow the command line instructions from Crami to generate the certificate:

    mkdir /volume1/docker/gitlab/certs
    cd /volume1/docker/gitlab/certs
    openssl genrsa -out gitlab.key 2048
    openssl req -new -key gitlab.key -out gitlab.csr
    openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt
    openssl dhparam -out dhparam.pem 2048
    chmod 400 gitlab.key
    
  2. Stop the package in the Package Center
  3. Edit the configuration file at /usr/syno/etc/packages/Docker/synology_gitlab.config. It's a JSON file rather than command line, but it is easy to see what to change/add. You need to add:

    {
       "key" : "GITLAB_HTTPS",
       "value" : "true"
    },
    {
       "key" : "SSL_SELF_SIGNED",
       "value" : "true"
    },
    

    as well as changing the port binding from 80 to 443 in the same file:

    {
       "container_port" : 443,
       "host_port" : 30000,
       "type" : "tcp"
    },
    
  4. Start the package in Package Center

Eta answered 3/9, 2015 at 22:49 Comment(1)
Something I've noticed about this method (editing the config) is that it gets blown away every time I restart the package in the Package Center (i.e., restart the container, really). Looking over in ../Docker-GitLab/config, I see environment variables, however changing those seems to do nothing at all when re-starting the image. - Rotgut
S
2

I used @helt's solution, but looking at the docker info page (https://hub.docker.com/r/sameersbn/gitlab/#ssl), I saw that the certs folder is at "docker/gitlab/gitlab/certs/"...

For @helt's solution, I updated this:

    mkdir /volume1/docker/gitlab/gitlab/certs
    cd /volume1/docker/gitlab/gitlab/certs
    openssl genrsa -out gitlab.key 2048
    openssl req -new -key gitlab.key -out gitlab.csr
    openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt
    openssl dhparam -out dhparam.pem 2048
    chmod 400 gitlab.key

When I used only "/volume1/docker/gitlab/certs", I got an error page with "PR_END_OF_FILE_ERROR" when accessing the GitLab page. After using "/volume1/docker/gitlab/gitlab/certs", the error disappeared and everything works fine...

My Synology station is a DS718+ running DSM 6.2.2-24922 Update 3.

Styx answered 24/10, 2019 at 15:34 Comment(0)
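
A preflight check for the certs folder, as an added example that is not part of the original answers: run it against the folder the container actually mounts (in the answer above, `/volume1/docker/gitlab/gitlab/certs`) before restarting GitLab. The function name `check_certs` and its messages are assumptions; the three file names come from the answers.

```shell
#!/bin/sh
# Added example (not from the original answers). Function name and messages are assumptions.
# check_certs DIR   prints one FAIL line per problem; returns the problem count (0 = OK).
check_certs() {
    dir=$1
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    # All three files from the answers must be in the folder; stop early if not.
    for f in gitlab.key gitlab.crt dhparam.pem; do
        [ -s "$dir/$f" ] || fail "$f is missing or empty in $dir"
    done
    [ "$problems" -eq 0 ] || return "$problems"

    # Each file must parse as the object its name claims.
    openssl pkey -in "$dir/gitlab.key" -passin pass: -noout 2>/dev/null ||
        fail "gitlab.key is not a readable, unencrypted private key"
    openssl x509 -in "$dir/gitlab.crt" -noout 2>/dev/null ||
        fail "gitlab.crt is not a certificate"
    openssl dhparam -in "$dir/dhparam.pem" -noout 2>/dev/null ||
        fail "dhparam.pem does not contain DH parameters"

    # The certificate must carry the public half of gitlab.key.
    key_pub=$(openssl pkey -in "$dir/gitlab.key" -passin pass: -pubout 2>/dev/null) || key_pub=
    crt_pub=$(openssl x509 -in "$dir/gitlab.crt" -noout -pubkey 2>/dev/null) || crt_pub=
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] ||
        fail "gitlab.crt was not issued for gitlab.key"

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$dir/gitlab.crt" -noout -checkend 0 >/dev/null 2>&1 ||
        fail "gitlab.crt has expired or cannot be read"

    # chmod 400 in the answers: no permission bits for group or others.
    [ "$(ls -l "$dir/gitlab.key" | cut -c5-10)" = "------" ] ||
        fail "gitlab.key is accessible to group or others"

    return "$problems"
}

# Runs only when called with the folder to check.
if [ "$#" -eq 1 ]; then
    check_certs "$1"
fi
```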
C
1

I managed to create a new docker container on the NAS with everything working like I want it.

You have to create the SSL certificates as in the description of the gitlab package, like this:

    mkdir /volume1/docker/gitlab/certs
    cd /volume1/docker/gitlab/certs
    openssl genrsa -out gitlab.key 2048
    openssl req -new -key gitlab.key -out gitlab.csr
    openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt
    openssl dhparam -out dhparam.pem 2048
    chmod 400 gitlab.key

and then remove and recreate the container:

    docker rm synology_gitlab

    docker run --name synology_gitlab -d --link synology_gitlab_redis:redisio \
      --publish 30001:22 --publish 30080:80 --publish 30000:443 \
      --env "GITLAB_HTTPS=true" --env "SSL_SELF_SIGNED=true" \
      --env "GITLAB_HOST=nas.freestone.net" \
      --env "GITLAB_PORT=30000" \
      --env "GITLAB_SSH_PORT=30001" \
      --env "[email protected]" \
      --env "DB_TYPE=mysql" \
      --env "DB_HOST=172.17.42.1" \
      --env "DB_NAME=gitlab" \
      --env "DB_USER=gitlab" \
      --env "DB_PASS=yourdbpassword" \
      --env "SMTP_ENABLED=true" \
      --env "SMTP_DOMAIN=mailserver.example.com" \
      --env "SMTP_HOST=mailserver.example.com" \
      --env "SMTP_PORT=587" \
      --env "[email protected]" \
      --env "SMTP_PASS=mailpassword" \
      --env "SMTP_OPENSSL_VERIFY_MODE=none" \
      --volume /volume1/docker/gitlab/:/home/git/data \
      sameersbn/gitlab:7.9.3

Then you should be up and running again. Port 30000 is now https and no longer http.

Coaxial answered 4/8, 2015 at 16:9 Comment(2)
You may also use the latest version of gitlab and redis, as long as you have installed the Syno package first and then stopped it. Synology does something to open up MariaDB to Docker, which is something I cannot figure out how to do on my own... - Bohrer
Doesn't work for me. The docker container shut down after ~1 minute, and it doesn't even consume any RAM. The original container uses about 1GB. And I cannot connect to gitlab anymore after it. - Leticialetisha
