Add Let’s Encrypt SSL Certificate to Nagios 4.x running on CentOS 7

The easiest way to install the Let’s Encrypt client is by cloning its GitHub repository. To install git on your system you must first enable the EPEL repository with the following command

yum -y install epel-release

Install the git client

yum -y install git

Change directory to /usr/src

cd /usr/src/

Clone the Let’s Encrypt client from GitHub

git clone https://github.com/letsencrypt/letsencrypt
cd /usr/src/letsencrypt

Run the letsencrypt-auto script with your fully qualified domain name

./letsencrypt-auto --apache -d FullyQualifiedDomainName

This script will download and install all necessary packages.

Answer the following questions.

- Enter an email address (used for urgent renewal and security notices)
- Read the Terms of Service and accept them
- Would you be willing to share your email...
- Select ssl.conf

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/YourFullDomainName/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/YourFullDomainName/privkey.pem
 Your cert will expire on 2017-11-12. To obtain a new or tweaked
 version of this certificate in the future, simply run
 letsencrypt-auto again with the "certonly" option. To
 non-interactively renew *all* of your certificates, run
 "letsencrypt-auto renew"
 - Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.

The certificate has been installed successfully.

A Let’s Encrypt certificate is only valid for 90 days. To renew it automatically, add the following cron entry

0 1 12 * * /usr/src/letsencrypt/certbot-auto renew

Install Let’s Encrypt Certificate on Gitlab CentOS 7

Install epel-release, which provides an extended set of packages

yum install epel-release -y

Install certbot

yum install certbot -y

Create a folder where the Let’s Encrypt verification files will be stored

mkdir -p /var/www/public/letsencrypt

Configure GitLab to serve any /.well-known requests from that folder.

Edit the following file

vi /etc/gitlab/gitlab.rb

Find the following line, web_server['home'], and add the custom nginx server configuration below it

# web_server['home'] = '/var/opt/gitlab/nginx'
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known {
    root /var/www/public/letsencrypt;
}"

Reconfigure GitLab

gitlab-ctl reconfigure

You are now ready to request the Let’s Encrypt certificate.

Use the following command to request the certificate

certbot certonly --webroot --webroot-path=/var/www/public/letsencrypt -d git.hostfav.com

You will get the following message.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
 /etc/letsencrypt/live/git.hostfav.com/fullchain.pem. Your cert will
 expire on 2017-10-25. To obtain a new or tweaked version of this
 certificate in the future, simply run certbot again. To
 non-interactively renew *all* of your certificates, run "certbot
 renew"
 - Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:


Configure GitLab for the new certificate

vi /etc/gitlab/gitlab.rb

Change the external URL to use https

external_url 'https://git.hostfav.com'

Uncomment the following line and change false to true

nginx['redirect_http_to_https'] = true

Change the certificate and key file paths

Find the following two lines and uncomment them

# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"

Update the paths to point at the Let’s Encrypt files

 nginx['ssl_certificate'] = "/etc/letsencrypt/live/git.hostfav.com/fullchain.pem"
 nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/git.hostfav.com/privkey.pem"

Reconfigure GitLab to apply the changes

gitlab-ctl reconfigure

A Let’s Encrypt certificate is only valid for 90 days. To renew it automatically, add the following cron entry

0 1 1 * * /usr/bin/certbot renew --quiet --renew-hook "/usr/bin/gitlab-ctl restart nginx"

This cron job runs certbot renew once a month, and the --renew-hook restarts GitLab’s nginx so that the renewed certificate is loaded.
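Both cron entries on this page (the Nagios one on the 12th and the GitLab one on the 1st) run the renewal only once a month, while certbot renew only replaces a certificate that is inside its 30-day renewal window. The following added example (not part of the page or of certbot) simulates a monthly cron entry against a 90-day certificate to show how much margin such a schedule leaves; it assumes certificate validity starts exactly at the issuance time, and the issuance dates are constructed so that the expiry dates match the ones shown above.

```python
"""Check whether a monthly 'certbot renew' cron entry can keep a 90-day
Let's Encrypt certificate from lapsing. Hypothetical helper, not part of
certbot or of the setup described above."""
import calendar
from datetime import datetime, timedelta

CERT_LIFETIME = timedelta(days=90)   # Let's Encrypt certificate validity
RENEW_WINDOW = timedelta(days=30)    # certbot default: renew only within 30 days of expiry


def monthly_runs(day, hour, minute, start, end):
    """Firing times of a '<minute> <hour> <day> * *' cron entry in [start, end)."""
    runs = []
    year, month = start.year, start.month
    while True:
        # Skip months too short for the requested day (e.g. 31 in February).
        if day <= calendar.monthrange(year, month)[1]:
            fire = datetime(year, month, day, hour, minute)
            if fire >= end:
                break
            if fire >= start:
                runs.append(fire)
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return runs


def check_renewal(issued, day, hour, minute=0):
    """Return (renewed_in_time, renewal_time) for a certificate issued at `issued`.

    certbot renew skips the certificate until it is inside RENEW_WINDOW of
    expiry, so the first run in [expiry - RENEW_WINDOW, expiry) renews it.
    If no run lands in that window the certificate lapses."""
    expiry = issued + CERT_LIFETIME
    window_open = expiry - RENEW_WINDOW
    for run in monthly_runs(day, hour, minute, issued, expiry):
        if run >= window_open:
            return True, run
    return False, None


def margin_hours(issued, day, hour, minute=0):
    """Hours left on the certificate when the renewal run fires; None if it lapses."""
    ok, run = check_renewal(issued, day, hour, minute)
    return (issued + CERT_LIFETIME - run).total_seconds() / 3600 if ok else None


if __name__ == "__main__":
    # Constructed issuance times; expiry dates match the certbot output above.
    for label, issued, day in (("GitLab '0 1 1 * *'", datetime(2017, 7, 27, 10, 0), 1),
                               ("Nagios '0 1 12 * *'", datetime(2017, 8, 14, 10, 0), 12),
                               ("Nagios, issued 00:30", datetime(2017, 8, 14, 0, 30), 12)):
        ok, run = check_renewal(issued, day, 1)
        print(f"{label}: expires {issued + CERT_LIFETIME}, "
              f"{'renewed at ' + str(run) if ok else 'LAPSES, no run inside the renewal window'}")
```

The last case shows the edge a monthly schedule leaves: a certificate issued shortly after midnight on the 14th expires before the run on the 12th three months later, so running certbot renew more often (it is cheap and only renews when needed) removes the gap.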

This improves the security of both the GitLab server and the users who connect to it.