Recent versions of GitLab embed a Mattermost server. Here is how to set up the certificates for these instances.

1. Install certbot

Read the docs here (choose Nginx on the appropriate system): certbot.eff.org

2. Make a webroot

mkdir -p /var/www/letsencrypt/.well-known

3. Configure GitLab and Mattermost to serve /.well-known from this webroot

Edit /etc/gitlab/gitlab.rb and add:

nginx['custom_gitlab_server_config']="location ^~ /.well-known/ {\n alias /var/www/letsencrypt/.well-known/;\n}\n"
mattermost_nginx['custom_gitlab_mattermost_server_config']="location /.well-known/ {\n alias /var/www/letsencrypt/.well-known/;\n}\n"

And reconfigure GitLab:

gitlab-ctl reconfigure

4. Create the certificates

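Run the certbot command once per hostname. With --staging, certbot requests test certificates from the Let's Encrypt staging environment; browsers do not trust them, so this is only a check that the webroot challenge works. For certificates that clients will trust, run the same commands without --staging.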

certbot certonly --staging --webroot --webroot-path=/var/www/letsencrypt/ -d gitlab.your-domain.com
certbot certonly --staging --webroot --webroot-path=/var/www/letsencrypt/ -d mattermost.your-domain.com

5. Tell GitLab to use the certificates

Edit /etc/gitlab/gitlab.rb again, and add:

nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.your-domain.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.your-domain.com/privkey.pem"

mattermost_nginx['redirect_http_to_https'] = true
mattermost_nginx['ssl_certificate'] = "/etc/letsencrypt/live/mattermost.your-domain.com/fullchain.pem"
mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/mattermost.your-domain.com/privkey.pem"

6. Done

Reconfigure GitLab again:

gitlab-ctl reconfigure
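
A pre-flight check for step 5, worth running before the final reconfigure: it reads the active ssl_certificate and ssl_certificate_key lines from gitlab.rb and confirms each file exists and that no private key is readable by group or others. This is an added example, not part of GitLab or certbot; the function names tls_settings and check_tls_paths are chosen here.

```sh
#!/bin/sh
# Added example: pre-flight for step 5. Checks every certificate and key path
# that gitlab.rb names before `gitlab-ctl reconfigure` is run.
# tls_settings and check_tls_paths are names chosen for this sketch.

# Print "<setting> <path>" for each active (uncommented) ssl_certificate or
# ssl_certificate_key line of the nginx and mattermost_nginx sections.
tls_settings() {
  sed -n -E "s/^[[:space:]]*(mattermost_)?nginx\['(ssl_certificate(_key)?)'\][[:space:]]*=[[:space:]]*\"([^\"]+)\".*/\2 \4/p" "$1"
}

# Return 0 only if every configured file exists, is non-empty, and no private
# key is readable by group or others. The body is a subshell, so the variables
# stay local to the function.
check_tls_paths() (
  conf="${1:-/etc/gitlab/gitlab.rb}"
  rc=0
  seen=0
  while read -r key path; do
    [ -n "$key" ] || continue
    seen=1
    if [ ! -f "$path" ] || [ ! -s "$path" ]; then
      echo "MISSING  $path"; rc=1
    # -L follows the symlinks certbot keeps under /etc/letsencrypt/live/.
    elif [ "$key" = ssl_certificate_key ] &&
         [ -n "$(find -L "$path" \( -perm -040 -o -perm -004 \))" ]; then
      echo "TOO OPEN $path"; rc=1
    else
      echo "ok       $path"
    fi
  done <<EOF
$(tls_settings "$conf")
EOF
  [ "$seen" -eq 1 ] || { echo "no active ssl_certificate settings in $conf"; rc=1; }
  [ "$rc" -eq 0 ]
)
```

Called with no argument, check_tls_paths reads /etc/gitlab/gitlab.rb; a non-zero exit status means at least one path should be fixed before reconfiguring.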