0

I set up my private Gitlab server. It works fine and when I enter my IP I can access it. I do not have a custom domain and I also do not want one since I don't want to make the server accessible from the outside.

Most of the guides only show how to set up https with Let's Encrypt for which - as far as I can tell - I need to be in control of a domain and configure an A record for it. That's not really an option.

Some rare other guides show me how to create my own self-signed certificates to use with GL (using OpenSSL). My problem with that is that browsers will still tell me that the connection is insecure and treat self-signed certs as http and not https. So what's the sense of doing it in the first place?

So that leaves me with my question: Is there a way to set up https without a custom domain but with a real certificate (best without buying it)? Or is that not even possible? If it is possible, how could I start to configure my GL instance?

I was thinking maybe using cloudflare could help? I am not sure though.

Thanks very much in advance for help, hints and tips. Very much appreciated.

Micromegas

1 Answer

0

This is not possible. A couple of observations -

A self-signed cert is not useless. You need to ensure that cert is accepted for your domain by your computers and it's quite secure. Alternatively you can go all the way and create your own CA, add your CA cert to your devices and have multiple certs.

A (browser trusted) CA will not let you sign a cert for a domain you don't control - to do that would risk their entire business.

You can have a domain name for a site not publicly accessible - you may not be able to get a Let's Encrypt cert for it though, but a paid cert that will use email validation, combined with a valid subdomain you control is possible - even if the underlying IP is not globally reachable.

davidgo
  • Thanks davidgo! So would you recommend using a self signed cert in this case? (I upvoted, though my rep is not enough) – Micromegas Oct 07 '19 at 08:42
  • It depends on your goals, but yes, that's probably the easiest and cheapest solution. – davidgo Oct 07 '19 at 09:06
  • ok, I'll try it this way then... thanks a bunch, really appreciate it. – Micromegas Oct 07 '19 at 09:50
  • little follow up question though: You are saying that "You need to ensure that cert is accepted for your domain by your computers and it's quite secure". Still, the browser will always tell me that it is not a trusted cert, correct? – Micromegas Oct 07 '19 at 11:18
  • I imagine it depends on the browser, but the browser **should** be able to remember this key pairing and accept it in future without prompting. (To do otherwise would be bad design). There is a discussion at https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate which may or may not be relevant. – davidgo Oct 07 '19 at 18:29
  • that helps a lot! Thanks again! – Micromegas Oct 08 '19 at 12:41
  • I have another follow up question, maybe someone can help me out: I have configured my private instance now with a self-signed SSL cert. This instance is not accessible from the outside (only via VPN). From a security perspective: Is this more secure than opening up the server, adding a domain to it and using a "real" trusted certificate? Or is a private instance without access and with a self-signed cert more secure? – Micromegas Oct 10 '19 at 13:10
  • The private instance over VPN is significantly more secure - particularly if you have remembered the cert so it does not pop up a warning each time. (The only advantage of a third party cert is it prevents a MITM attack - which you can equally do by being vigilant about warnings, and remembering the correct cert.) – davidgo Oct 10 '19 at 17:01
  • Great! That's a relief to hear. Thank you again davidgo! – Micromegas Oct 11 '19 at 07:21
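
The "create your own CA" route from the answer, for a server that is reached only by IP address, as an added example (not code from the answer or from GitLab). The file names, the CA name and the address 192.0.2.10 are assumptions made for illustration; the key detail is the `IP:` subject alternative name, which is what lets a browser match the certificate when no domain name exists.

```shell
# Added example: private CA plus a server certificate for a host reached by IP.
# 192.0.2.10 is a constructed documentation address; use the server's real IP.
set -e
EC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

make_pki() {  # $1 = output directory, $2 = server IP
    dir=$1 ip=$2
    cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Private Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
    # 1. Self-signed root; ca.crt is the only file clients need to import.
    openssl req -x509 -new $EC -sha256 -days 1825 -config "$dir/pki.cnf" \
        -extensions v3_ca -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and CSR; browsers ignore the CN, the IP SAN is what counts.
    openssl req -new $EC -config "$dir/pki.cnf" -subj "/CN=$ip" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Sign the CSR with the root and attach the server extensions.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -sha256 -days 397 \
        -extfile "$dir/pki.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

check_cert() {  # succeeds only if server.crt chains to ca.crt AND covers IP $2
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/server.crt" >/dev/null 2>&1
}

fingerprint() {  # SHA-256 fingerprint to compare with what the browser displays
    openssl x509 -in "$1/server.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

demo=$(mktemp -d)
make_pki "$demo" 192.0.2.10
check_cert "$demo" 192.0.2.10 && echo "chain and IP SAN verify"
check_cert "$demo" 192.0.2.99 || echo "a different IP is rejected"
echo "server cert SHA-256: $(fingerprint "$demo")"
```

Clients import `ca.crt` into their trust store once; `server.crt` and `server.key` go on the web server, and `ca.key` stays off it. The printed fingerprint is the value to compare when a browser shows the certificate details.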