0

I am hosting GitLab on DigitalOcean and I have set up GitLab to use Apache. When I create a VirtualHost for GitLab I get SSL. It works when VirtualHost is set to <VirtualHost *:80>, but when I change it to my domain I get an error in Chrome saying ERR_SSL_PROTOCOL_ERROR. Below is my configuration; I don't understand why it doesn't work. I'm no expert in Apache and this is the configuration that I got on the GitLab website for Apache.

<VirtualHost example.com:80>
  ServerName example.com
  ServerSignature Off

  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>

<VirtualHost example.com:443>
  SSLEngine on
  SSLHonorCipherOrder on
  SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
  SSLCompression Off
  SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  SSLCACertificateFile /etc/letsencrypt/live/example.com/chain.pem

  ServerName example.com
  ServerSignature Off
  ProxyPreserveHost On
  AllowEncodedSlashes NoDecode

  <Location />
    Require all granted
    ProxyPassReverse http://127.0.0.1:8181
    ProxyPassReverse http://example.com
  </Location>

  RewriteEngine on
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
  RewriteCond %{REQUEST_URI} ^/uploads/.*
  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]

  RequestHeader set X_FORWARDED_PROTO 'https'
  RequestHeader set X-Forwarded-Ssl on

  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
</VirtualHost>

I want to set multiple sites up on the same server and I only want to get to my GitLab server with a certain domain, which is why I am setting this up in Apache.

declan.marks
  • Don't use hostnames in virtualhost directive, use *.443. It will help also if you show the curl output when you make the request. Also should only be used when you use SSLVerifyClient, SSLCertificateFile should have the whole chain of public certificates concatenated from leaf to root. "apachectl -S" could tell you if you are really loading this file or what. In any case there is no real reason why this config would not load SSL, if certificates were wrong httpd would not start, there is an issue you are not showing. – Daniel Ferradal Feb 24 '23 at 19:39

1 Answer

0

Did you copy your certs to the /etc/gitlab/ssl folder? After that you can run gitlab-ctl reconfigure and then gitlab-ctl restart. I’m not sure if it will work with your setup (Apache) but you could try that.

SarsaJP
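An added example, not part of the question, comment or answer above: a small offline check of the `<VirtualHost>` addresses in a config file, following the comment's advice about hostnames in that directive. The finding codes and function names are hypothetical, and the sample is a trimmed, constructed copy of the question's two vhosts; on the live server, `apachectl -S` shows the mapping Apache actually loaded.

```python
import ipaddress
import re

# Constructed sample: the two vhost headers from the question, bodies trimmed.
SAMPLE = """\
<VirtualHost example.com:80>
  ServerName example.com
</VirtualHost>
<VirtualHost example.com:443>
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
  ServerName example.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
ADDR_RE = re.compile(r"(\[.*\]|[^:\]]+)(?::(\S+))?")  # host or [ipv6], optional :port

def directive(body, name):
    """First argument of a directive inside a vhost body, or None."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def is_hostname(host):
    """True when the address is neither a wildcard nor a literal IP."""
    if host in ("*", "_default_"):
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return True
    return False

def lint(conf):
    """Return [(address, ServerName, [findings])] for every vhost address."""
    report = []
    for addrs, body in VHOST_RE.findall(conf):
        ssl_on = (directive(body, "SSLEngine") or "").lower() == "on"
        for addr in addrs.split():
            m = ADDR_RE.fullmatch(addr)
            host, port = (m.group(1), m.group(2) or "") if m else (addr, "")
            findings = []
            if is_hostname(host):  # resolved via DNS when httpd starts
                findings.append("hostname-address")
            if port == "443" and not ssl_on:  # would answer plain HTTP on 443
                findings.append("443-without-ssl")
            if ssl_on and not directive(body, "SSLCertificateFile"):
                findings.append("ssl-without-cert")
            report.append((addr, directive(body, "ServerName"), findings))
    return report
```

Calling `lint()` on the text of a site config file returns one tuple per vhost address; an empty findings list means none of the three checks fired.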