mattcarlotta/Lets_Encrypt_Synology_Gitlab.MD

## Lets_Encrypt_Synology_Gitlab.MD

      
    Raw
  

              Lets_Encrypt_Synology_Gitlab.MD
            
          
    Let's Encrypt - Synology NAS + sameersbn/docker-gitlab

Getting HTTPS on a Synology NAS + Gitlab container is a bit tricky. Using self-assigned OpenSSL certificates is great, but it can only provide SSL certificates that inevitably will be flagged as untrusted by the browser due to the common name being unrecognized/not associated with a trusted SSL provider:

The downside will be that every user that remotely accesses your NAS will be greeted with the above message unless they manually add the certificate to their browser's approved SSL provider list. Instead, here's a work-around to enable HTTPS for both your Synology NAS and a Gitlab container using just one Let's Encrypt certification.
For more information regarding the docker-gitlab installation and set up: Synology Docker Gitlab with Redis/Postgres

Click here to expand an up-to-date (as of Aug. 5th, 2019) example docker-compose.yml that I'm using -- replace (( example )) with your information

version: '2'
services:
redis:
restart: always
image: sameersbn/redis:4.0.9-2
container_name: gitlab-redis
command:
- --loglevel warning
volumes:
- /volume1/docker/personal/gitlab/redis:/var/lib/redis
postgresql:
restart: always
image: sameersbn/postgresql:10-2
container_name: gitlab-postgresql
volumes:
- /volume1/docker/personal/gitlab/postgresql:/var/lib/postgresql
environment:
- DB_USER=gitlab
- DB_PASS=password
- DB_NAME=gitlabhq_production
- DB_EXTENSION=pg_trgm
gitlab:
image: sameersbn/gitlab:12.0.4
container_name: gitlab
links:
- redis
- postgresql
ports:
- "8080:80"
- "8022:22"
- "8443:443"
volumes:
- /volume1/docker/personal/gitlab/gitlab/config:/etc/gitlab
- /volume1/docker/personal/gitlab/gitlab/logs:/var/log/gitlab
- /volume1/docker/personal/gitlab/gitlab/data:/home/git/data
- /volume1/docker/personal/gitlab/gitlab/opt:/var/opt/gitlab
environment:
- DEBUG=false
- DB_ADAPTER=postgresql
- DB_HOST=postgresql
- DB_PORT=5432
- DB_USER=gitlab
- DB_PASS=password
- DB_NAME=gitlabhq_production
- REDIS_HOST=redis
- REDIS_PORT=6379
- GITLAB_HTTPS=true
- SSL_SELF_SIGNED=true
- GITLAB_HOST=(( SUBDOMAIN.DOMAIN.COM -- ex. loki.xinit.se ))
- GITLAB_PORT=8443
- GITLAB_SSH_PORT=8022
- GITLAB_SECRETS_DB_KEY_BASE=(( 70 CHARACTER ALPHANUMERIC STRING ))
- GITLAB_SECRETS_SECRET_KEY_BASE=(( 70 CHARACTER ALPHANUMERIC STRING ))
- GITLAB_SECRETS_OTP_KEY_BASE=(( 70 CHARACTER ALPHANUMERIC STRING ))
- GITLAB_ROOT_PASSWORD=(( YOUR PASSWORD FOR GITLAB SIGN IN ))
- GITLAB_ROOT_EMAIL=(( YOUR EMAIL FOR GITLAB SIGN IN ))
- GITLAB_EMAIL=noreply@domain.com
- GITLAB_EMAIL_REPLY_TO=noreply@domain.com
- GITLAB_INCOMING_EMAIL_ADDRESS=reply@domain.com
- SMTP_ENABLED=false
- SMTP_DOMAIN=www.example.com
- SMTP_HOST=smtp.gmail.com
- SMTP_PORT=587
- SMTP_USER=mailer@example.com
- SMTP_PASS=password
- SMTP_STARTTLS=true
- SMTP_AUTHENTICATION=login
- IMAP_ENABLED=false
- IMAP_HOST=imap.gmail.com
- IMAP_PORT=993
- IMAP_USER=mailer@example.com
- IMAP_PASS=password
- IMAP_SSL=true
- IMAP_STARTTLS=false


Quick Links


1. Setting up DDNS
2. Port Forwarding
3. Testing DDNS
4/5. Generating A Lets Encrypt Certificate
6. Redirecting HTTP to HTTPS
7. SSHing into Your Synology NAS
8. Creating a Gitlab certs folder
9. Viewing Synology Generated Certifications
10. Copying Certifications to Gitlab certs Folder

Option 1: SCPing file to Synology NAS
Option 2: SFTPing file to Synology NAS


11. Updating your docker-compose.yml 
12/13. Restarting Gitlab
14. Results
NOTES


Setting up DDNS

1.) You'll need to set up a DDNS (you can use a free service like FreeDNS). The DDNS is a subdomain.domain.com that points to your dynamic IP address that is provided by your ISP (unless you want to spend $$ buying/setting up a static IP from your ISP, then do that instead).
Let's say you signed up and registered this subdomain on freeDNS: loki.xinit.se (loki is the subdomain that you specify and xinit.se is the public/free domain that provides the A name record). In laymans terms: loki.xinit.se = your dynamic IP (to see your current dynamic IPv4 address, go here: What Is My IP Address).
Note: You can also set up a DDNS on your Synology NAS. Go to Control Panel > External Access > Tab: "DDNS" > Click Button: "Add" > Service Provider: FreeDNS, Hostname: subdomain.domain.com (loki.xinit.se), FreeDNS Username and Password > Click OK

Port Forwarding

2.) Once you've set up a DDNS, you'll want to go to your router settings and find the port forward option. You'll want to forward the following ports:
5000-5001 TCP only (required for Synology DSM HTTP/HTTPS)
80 TCP only (required for Lets Encrypt)
443 TCP only (required for Lets Encrypt)
8022 TCP only (required for Gitlab SSH)
8443 TCP only (required for Gitlab WEB GUI)

To test if the ports have been forwarded, use this website:  Can You See Me. Test all ports listed above. If they all register as open, continue to step 3. If not, then the following steps WILL NOT WORK.
Testing DDNS

3.) To test if your DDNS is working, go to your:
http://subdomain.domain.com:5000 -- ex: http://loki.xinit.se:5000

If this brings up the Synology NAS login, then continue on to step 4.
Generating A Lets Encrypt Certificate

4.) Log in to your Synology NAS. Go to Control Panel > Advanced Mode > Security

Tab: "Certificate" > Click Button: "Add"

Select Option: "Add a new certificate" > Click next

Select Option: "Get a certificate from Let's Encrypt" > Select Option: "Set as default certificate" > Click next

For the following screen, the Domain name will be the registered DDNS: subdomain.domain.com (ex: loki.xinit.se -- do NOT include the http(s) nor port); provide a valid email address and then leave the alternative domain empty > Click apply

If you get an error about maximum certificates, then you'll need to chose another domain. If you get any other errors, you may need to log out/log in to your NAS and try again (this feature seems a bit buggy, so it may take a few attempts).
5.) If all goes well, you'll see a new certificate listed under the "Certificate" tab. Click on the certificate to select it, then click Configure. Make sure that the System default is using this certificate.


Redirecting HTTP to HTTPS

6.) Go to Control Panel > Network > Tab: "DSM Settings" > Select Option: "Automatically redirect HTTP connections to HTTPS" > Click apply.

The web service should restart, then once completed should redirect you to:
https://subdomain.domain.com:5001 -- ex: https://loki.xinit.se:5001

Your browser URL bar should now show:

SSHing into Your Synology NAS

7.) Go to Control Panel > User > Select User: admin > Click Button: "Edit" > Enable this account and set up a password > Click apply.

From your main computer, open a terminal and SSH into the Synology NAS (replace synology_ip_address with your Synology NAS IP):
ssh admin@synology_ip_address -- ex: ssh admin@192.168.1.55

Provide the admin's password.
Now, type the following command to become root:
sudo -s

Then type the admin password once again.
Creating a Gitlab certs folder

8.) Make a directory called certs inside of the gitlab data folder. For example (very important that this folder is inside the gitlab data folder!):
mkdir -p /volume1/docker/personal/gitlab/gitlab/data/certs

Then, change the folder ownership:
chown -R 1000:1000 /volume1/docker/personal/gitlab/gitlab/data/certs

Viewing Synology Generated Certifications

9.) Next, type the following to view any certs associated with your Synology NAS:
cd /usr/syno/etc/certificate/_archive/

Then, type:
ls

You'll see several folders: DEFAULT, INFO and a random alphanumeric string folder (for example: 0rOTRe).
CD into this directory, for example:
cd 0rOTRe

Once again, type:
ls

You'll see several files:
cert.pem  chain.pem  fullchain.pem  privkey.pem  renew.json

Copying Certifications to Gitlab certs Folder

10.) Use the commands below to copy the Let's Encrypt files into your gitlab's certs directory. For example, these commands will generate/copy all the necessary cert files from the source and into the gitlab data certs folder (see note below before running the last command):
cat privkey.pem > /volume1/docker/personal/gitlab/gitlab/data/certs/gitlab.key
cat cert.pem fullchain.pem > /volume1/docker/personal/gitlab/gitlab/data/certs/gitlab.crt
cp cert.pem /volume1/docker/personal/gitlab/gitlab/data/certs
openssl dhparam -out /volume1/docker/personal/gitlab/gitlab/data/certs/dhparam.pem 2048

⚠️ NOTE: The last command openssl dhparam -out dhparam.pem 2048 will take several hours to complete if you run it from the NAS. You can mitigate this by running it on your main computer, which should take about 30 seconds to several minutes, then you can SCP/SFTP the file to the gitlab data certs folder.
On your computer, open a terminal and cd to any non-root folder (like ~/Documents) and then run this command to generate a dhparam.pem:
openssl dhparam -out dhparam.pem 2048


Option 1: SCPing file to Synology NAS

For SCP, open a terminal at the main directory (like ~/Documents) on your computer containing the generated dhparam.pem file and type the following command (change the "synology_ip_address" below to your Synology NAS IP, and input your NAS's admin password when asked):
scp dhparam.pem admin@synology_ip_address:/volume1/docker/personal/gitlab/gitlab/data/certs 


Option 2: SFTPing file to Synology NAS

For SFTP, use Filezilla. To SFTP into the NAS, you'll need to make sure SFTP is enabled: Control Panel > File Services > Tab: "FTP" > Select: Enable SFTP service > Port: 22 > Click apply

Next, to setup Filezilla: Site Manager > Host: synology_ip_address (ex: 192.168.1.55) > Port: 22 > Protocol: SFTP - SSH > Logon Type: Normal > User: admin > Password: admin_password > Click OK

Then connect via "Site Manager" dropdown (located underneath "File"). Once connected, navigate to: /volume1/docker/personal/gitlab/gitlab/data/certs and drag and drop the generated dhparam.pem into the certs folder

Updating your docker-compose.yml

11.) Next, update your /volume1/docker/personal/gitlab/docker-compose.yml file like so:
- GITLAB_HTTPS=true
- SSL_SELF_SIGNED=true

- GITLAB_HOST=subdomain.domain.com (loki.xinit.se)
- GITLAB_PORT=8443

Restarting Gitlab

12.) Now cd to /volume1/docker/personal/gitlab/docker-compose.yml and run this command to rebuild gitlab:
docker-compose restart gitlab

After about 3-5 minutes, go to:
https://subdomain.domain.com:8443 (https://loki.xinit.se:8443)

13.) If everything was done properly, and without errors, the Synology NAS and Gitlab's WEB GUI should be secured under the same Let's Encrypt certification, as well as be remotely accessible via DDNS (subdomain.domain.com:port).
⚠️ Note: Don't foget to exit the SSH terminal (type exit then hit enter, then exit one more time and hit enter again to close the SSH connection), and lastly, disable the Synology admin account from your NAS's users list.
Results

14.) Results (both NAS and Gitlab secured by one cert):


NOTES:


Gitlab SSH can work both ways:

Via local Synology IP: ssh://git@synology_ip_address:8022/root/name_of_project.git
Via remote DDNS: ssh://git@subdomain.domain.com:8022/root/name_of_project.git


In 3 months, your SSL certification will expire, meaning you'll have to repeat step 10, but instead you'll just regenerate 2 new certs (gitlab.key and gitlab.crt) from the /usr/syno/etc/certificate/_archive/ folder to your /volume1/docker/personal/gitlab/gitlab/data/certs, and then manually restart the gitlab container.

I'm in the process of building a validate SSL certs script that aims to automate the certificate renewal process, so stay tuned.