Lets Encrypt - Synology NAS + sameersbn/docker-gitlab (HTTPS)

Lets_Encrypt_Synology_Gitlab.MD

Let's Encrypt - Synology NAS + sameersbn/docker-gitlab

Getting HTTPS on a Synology NAS + Gitlab container is a bit tricky. Using self-assigned OpenSSL certificates is great, but it can only provide SSL certificates that inevitably will be flagged as untrusted by the browser due to the common name being unrecognized/not associated with a trusted SSL provider:

The downside will be that every user that remotely accesses your NAS will be greeted with the above message unless they manually add the certificate to their browser's approved SSL provider list. Instead, here's a work-around to enable HTTPS for both your Synology NAS and a Gitlab container using just one Let's Encrypt certification.

For more information regarding the docker-gitlab installation and set up: Synology Docker Gitlab with Redis/Postgres

Click here to expand an up-to-date (as of Aug. 5th, 2019) example docker-compose.yml that I'm using -- replace (( example )) with your information

version: '2'
services:
redis:
restart: always
image: sameersbn/redis:4.0.9-2
container_name: gitlab-redis
command:
- --loglevel warning
volumes:
- /volume1/docker/personal/gitlab/redis:/var/lib/redis
postgresql:
restart: always
image: sameersbn/postgresql:10-2
container_name: gitlab-postgresql
volumes:
- /volume1/docker/personal/gitlab/postgresql:/var/lib/postgresql
environment:
- DB_USER=gitlab
- DB_PASS=password
- DB_NAME=gitlabhq_production
- DB_EXTENSION=pg_trgm
gitlab:
image: sameersbn/gitlab:12.0.4
container_name: gitlab
links:
- redis
- postgresql
ports:
- "8080:80"
- "8022:22"
- "8443:443"
volumes:
- /volume1/docker/personal/gitlab/gitlab/config:/etc/gitlab
- /volume1/docker/personal/gitlab/gitlab/logs:/var/log/gitlab
- /volume1/docker/personal/gitlab/gitlab/data:/home/git/data
- /volume1/docker/personal/gitlab/gitlab/opt:/var/opt/gitlab
environment:
- DEBUG=false
- DB_ADAPTER=postgresql
- DB_HOST=postgresql
- DB_PORT=5432
- DB_USER=gitlab
- DB_PASS=password
- DB_NAME=gitlabhq_production
- REDIS_HOST=redis
- REDIS_PORT=6379
- GITLAB_HTTPS=true
- SSL_SELF_SIGNED=true
- GITLAB_HOST=(( SUBDOMAIN.DOMAIN.COM -- ex. loki.xinit.se ))
- GITLAB_PORT=8443
- GITLAB_SSH_PORT=8022
- GITLAB_SECRETS_DB_KEY_BASE=(( 70 CHARACTER ALPHANUMERIC STRING ))
- GITLAB_SECRETS_SECRET_KEY_BASE=(( 70 CHARACTER ALPHANUMERIC STRING ))
- GITLAB_SECRETS_OTP_KEY_BASE=(( 70 CHARACTER ALPHANUMERIC STRING ))
- GITLAB_ROOT_PASSWORD=(( YOUR PASSWORD FOR GITLAB SIGN IN ))
- GITLAB_ROOT_EMAIL=(( YOUR EMAIL FOR GITLAB SIGN IN ))
- GITLAB_EMAIL=[email protected]
- GITLAB_EMAIL_REPLY_TO=[email protected]
- GITLAB_INCOMING_EMAIL_ADDRESS=[email protected]
- SMTP_ENABLED=false
- SMTP_DOMAIN=www.example.com
- SMTP_HOST=smtp.gmail.com
- SMTP_PORT=587
- SMTP_USER=[email protected]
- SMTP_PASS=password
- SMTP_STARTTLS=true
- SMTP_AUTHENTICATION=login
- IMAP_ENABLED=false
- IMAP_HOST=imap.gmail.com
- IMAP_PORT=993
- IMAP_USER=[email protected]
- IMAP_PASS=password
- IMAP_SSL=true
- IMAP_STARTTLS=false

---

Quick Links

• 1. Setting up DDNS
• 2. Port Forwarding
• 3. Testing DDNS
• 4/5. Generating A Lets Encrypt Certificate
• 6. Redirecting HTTP to HTTPS
• 7. SSHing into Your Synology NAS
• 8. Creating a Gitlab certs folder
• 9. Viewing Synology Generated Certifications
• 10. Copying Certifications to Gitlab certs Folder
  • Option 1: SCPing file to Synology NAS
  • Option 2: SFTPing file to Synology NAS
• 11. Updating your docker-compose.yml
• 12/13. Restarting Gitlab
• 14. Results
• NOTES

---

Setting up DDNS

1.) You'll need to set up a DDNS (you can use a free service like FreeDNS). The DDNS is a subdomain.domain.com that points to your dynamic IP address that is provided by your ISP (unless you want to spend $$ buying/setting up a static IP from your ISP, then do that instead).

Let's say you signed up and registered this subdomain on freeDNS: loki.xinit.se (loki is the subdomain that you specify and xinit.se is the public/free domain that provides the A name record). In laymans terms: loki.xinit.se = your dynamic IP (to see your current dynamic IPv4 address, go here: What Is My IP Address).

Note: You can also set up a DDNS on your Synology NAS. Go to Control Panel > External Access > Tab: "DDNS" > Click Button: "Add" > Service Provider: FreeDNS, Hostname: subdomain.domain.com (loki.xinit.se), FreeDNS Username and Password > Click OK

Port Forwarding

2.) Once you've set up a DDNS, you'll want to go to your router settings and find the port forward option. You'll want to forward the following ports:

5000-5001 TCP only (required for Synology DSM HTTP/HTTPS)
80 TCP only (required for Lets Encrypt)
443 TCP only (required for Lets Encrypt)
8022 TCP only (required for Gitlab SSH)
8443 TCP only (required for Gitlab WEB GUI)

To test if the ports have been forwarded, use this website: Can You See Me. Test all ports listed above. If they all register as open, continue to step 3. If not, then the following steps WILL NOT WORK.

Testing DDNS

3.) To test if your DDNS is working, go to your:

http://subdomain.domain.com:5000 -- ex: http://loki.xinit.se:5000

If this brings up the Synology NAS login, then continue on to step 4.

Generating A Lets Encrypt Certificate

4.) Log in to your Synology NAS. Go to Control Panel > Advanced Mode > Security

Tab: "Certificate" > Click Button: "Add"

Select Option: "Add a new certificate" > Click next

Select Option: "Get a certificate from Let's Encrypt" > Select Option: "Set as default certificate" > Click next

For the following screen, the Domain name will be the registered DDNS: subdomain.domain.com (ex: loki.xinit.se -- do NOT include the http(s) nor port); provide a valid email address and then leave the alternative domain empty > Click apply

If you get an error about maximum certificates, then you'll need to chose another domain. If you get any other errors, you may need to log out/log in to your NAS and try again (this feature seems a bit buggy, so it may take a few attempts).

5.) If all goes well, you'll see a new certificate listed under the "Certificate" tab. Click on the certificate to select it, then click Configure. Make sure that the System default is using this certificate.

Redirecting HTTP to HTTPS

6.) Go to Control Panel > Network > Tab: "DSM Settings" > Select Option: "Automatically redirect HTTP connections to HTTPS" > Click apply.

The web service should restart, then once completed should redirect you to:

https://subdomain.domain.com:5001 -- ex: https://loki.xinit.se:5001

Your browser URL bar should now show:

SSHing into Your Synology NAS

7.) Go to Control Panel > User > Select User: admin > Click Button: "Edit" > Enable this account and set up a password > Click apply.

From your main computer, open a terminal and SSH into the Synology NAS (replace synology_ip_address with your Synology NAS IP):

ssh admin@synology_ip_address -- ex: ssh [email protected]

Provide the admin's password.

Now, type the following command to become root:

sudo -s

Then type the admin password once again.

Creating a Gitlab certs folder

8.) Make a directory called certs inside of the gitlab data folder. For example (very important that this folder is inside the gitlab data folder!):

mkdir -p /volume1/docker/personal/gitlab/gitlab/data/certs

Then, change the folder ownership:

chown -R 1000:1000 /volume1/docker/personal/gitlab/gitlab/data/certs

Viewing Synology Generated Certifications

9.) Next, type the following to view any certs associated with your Synology NAS:

cd /usr/syno/etc/certificate/_archive/

Then, type:

ls

You'll see several folders: DEFAULT, INFO and a random alphanumeric string folder (for example: 0rOTRe).

CD into this directory, for example:

cd 0rOTRe

Once again, type:

ls

You'll see several files:

cert.pem  chain.pem  fullchain.pem  privkey.pem  renew.json

Copying Certifications to Gitlab certs Folder

10.) Use the commands below to copy the Let's Encrypt files into your gitlab's certs directory. For example, these commands will generate/copy all the necessary cert files from the source and into the gitlab data certs folder (see note below before running the last command):

cat privkey.pem > /volume1/docker/personal/gitlab/gitlab/data/certs/gitlab.key
cat cert.pem fullchain.pem > /volume1/docker/personal/gitlab/gitlab/data/certs/gitlab.crt
cp cert.pem /volume1/docker/personal/gitlab/gitlab/data/certs
openssl dhparam -out /volume1/docker/personal/gitlab/gitlab/data/certs/dhparam.pem 2048

⚠️ NOTE: The last command openssl dhparam -out dhparam.pem 2048 will take several hours to complete if you run it from the NAS. You can mitigate this by running it on your main computer, which should take about 30 seconds to several minutes, then you can SCP/SFTP the file to the gitlab data certs folder.

On your computer, open a terminal and cd to any non-root folder (like ~/Documents) and then run this command to generate a dhparam.pem:

openssl dhparam -out dhparam.pem 2048

Option 1: SCPing file to Synology NAS

For SCP, open a terminal at the main directory (like ~/Documents) on your computer containing the generated dhparam.pem file and type the following command (change the "synology_ip_address" below to your Synology NAS IP, and input your NAS's admin password when asked):

scp dhparam.pem admin@synology_ip_address:/volume1/docker/personal/gitlab/gitlab/data/certs 

Option 2: SFTPing file to Synology NAS

For SFTP, use Filezilla. To SFTP into the NAS, you'll need to make sure SFTP is enabled: Control Panel > File Services > Tab: "FTP" > Select: Enable SFTP service > Port: 22 > Click apply

Next, to setup Filezilla: Site Manager > Host: synology_ip_address (ex: 192.168.1.55) > Port: 22 > Protocol: SFTP - SSH > Logon Type: Normal > User: admin > Password: admin_password > Click OK

Then connect via "Site Manager" dropdown (located underneath "File"). Once connected, navigate to: /volume1/docker/personal/gitlab/gitlab/data/certs and drag and drop the generated dhparam.pem into the certs folder

Updating your docker-compose.yml

11.) Next, update your /volume1/docker/personal/gitlab/docker-compose.yml file like so:

- GITLAB_HTTPS=true
- SSL_SELF_SIGNED=true

- GITLAB_HOST=subdomain.domain.com (loki.xinit.se)
- GITLAB_PORT=8443

Restarting Gitlab

12.) Now cd to /volume1/docker/personal/gitlab/docker-compose.yml and run this command to rebuild gitlab:

docker-compose restart gitlab

After about 3-5 minutes, go to:

https://subdomain.domain.com:8443 (https://loki.xinit.se:8443)

13.) If everything was done properly, and without errors, the Synology NAS and Gitlab's WEB GUI should be secured under the same Let's Encrypt certification, as well as be remotely accessible via DDNS (subdomain.domain.com:port).

⚠️ Note: Don't foget to exit the SSH terminal (type exit then hit enter, then exit one more time and hit enter again to close the SSH connection), and lastly, disable the Synology admin account from your NAS's users list.

Results

14.) Results (both NAS and Gitlab secured by one cert):

NOTES:

• Gitlab SSH can work both ways:
  • Via local Synology IP: ssh://git@synology_ip_address:8022/root/name_of_project.git
  • Via remote DDNS: ssh://[email protected]:8022/root/name_of_project.git
• In 3 months, your SSL certification will expire, meaning you'll have to repeat step 10, but instead you'll just regenerate 2 new certs (gitlab.key and gitlab.crt) from the /usr/syno/etc/certificate/_archive/ folder to your /volume1/docker/personal/gitlab/gitlab/data/certs, and then manually restart the gitlab container.

I'm in the process of building a validate SSL certs script that aims to automate the certificate renewal process, so stay tuned.

Thank you for your Doc.
but, I have a problem.
" 11.) Next, update your /volume1/docker/personal/gitlab/docker-compose.yml file like so: "
I can't find "docker-compose.yml" in my Synology.

You have to create it. I included an example of my docker-compose.yml in the gist above (it's right above the Quick Links).

Click on the Click here to expand an up-to-date (as of Aug. 5th, 2019) example docker-compose.yml that I'm using -- replace (( example )) with your information to view my configuration.

If you're unsure where to put the file, it goes here:

├── volume1
│   └── docker
│       └── personal
│           ├── gitlab
│           ├── postgresql
│           ├── redis
│           ├── gitlab
│           │   ├── data
│           │   ├── config
│           │   ├── logs
│           │   └── opt
│           └── docker-compose.yml

Hi Matt,

Thanks for sharing the tips. I just renewed my letsencrypt certificate via DSM>Control Panel>Security>Certificate>renew.

And then I followed your step #9 and #10 (minus regenerating dhparam.pem), and restarted my container.

But then my Firefox keeps showing PR_END_OF_FILE_ERROR.

I looked at gitlab/logs/nginx/gitlab_access.log, and it is empty.

Then, I checked gitlab/logs/gitlab/unicorn.stderr.log

Missing Rails.application.secrets.openid_connect_signing_key for production environment. The secret will be generated and stored in config/secrets.yml.
I, [2019-12-09T10:10:10.703105 #2895]  INFO -- : listening on addr=/home/git/gitlab/tmp/sockets/gitlab.socket fd=17
I, [2019-12-09T10:10:10.703443 #2895]  INFO -- : listening on addr=127.0.0.1:8080 fd=18
I, [2019-12-09T10:10:10.880758 #2895]  INFO -- : master process ready
I, [2019-12-09T10:10:10.953125 #3071]  INFO -- : worker=0 ready
I, [2019-12-09T10:10:10.971401 #3074]  INFO -- : worker=1 ready
I, [2019-12-09T10:10:10.975337 #3077]  INFO -- : worker=2 ready

Then I did step #9 and #10 again with the old pem and crt files. It works.

Seems like something has changed in letsencrypt certificates?

I think that error is because the cat command does not put a newline after the certificate. if you do vi .../gitlab.crt, you can see that at the middle of the file, there is an ------END CERTIFICATE-----------BEGIN CERTIFICATE---------. Those should be on 2 separate lines (with the same number of -at the start of each, so enter the newline at the right place.

as I say that, I'm still not able to get https working with this guide and the synology gitlab package, i get SSL_ERROR_RX_RECORD_TOO_LONG with firefox...

Hello, first off, thank you for this guide, it's been very helpful to try to get this running on my Synology NAS. I'm unfortunately having an issue and I'm not sure how to fix it. The postgresql and redis containers appear to be starting up properly, but the gitlab container runs for about 2 mins then stops on its own.

My docker-compose.yml file looks like this:

version: '2'


services:
  redis:
    restart: always
    image: sameersbn/redis:latest
    container_name: gitlab-redis
    command:
      - --loglevel warning
    volumes:
      - /volume1/docker/personal/gitlab/redis:/var/lib/redis


  postgresql:
    restart: always
    image: sameersbn/postgresql:latest
    container_name: gitlab-postgresql
    volumes:
      - /volume1/docker/personal/gitlab/postgresql:/var/lib/postgresql
    environment:
      - DB_USER=gitlab
      - DB_PASS=password
      - DB_NAME=gitlabhq_production
      - DB_EXTENSION=pg_trgm


  gitlab:
    image: sameersbn/gitlab:latest
    container_name: gitlab
    links:
      - redis
      - postgresql
    ports:
      - "8080:80"
      - "8022:22"
      - "8443:443"
    volumes:
      - /volume1/docker/personal/gitlab/gitlab/config:/etc/gitlab
      - /volume1/docker/personal/gitlab/gitlab/logs:/var/log/gitlab
      - /volume1/docker/personal/gitlab/gitlab/data:/home/git/data
      - /volume1/docker/personal/gitlab/gitlab/opt:/var/opt/gitlab
    environment:
      - DEBUG=false

      - DB_ADAPTER=postgresql
      - DB_HOST=postgresql
      - DB_PORT=5432
      - DB_USER=gitlab
      - DB_PASS=password
      - DB_NAME=gitlabhq_production
      
      - REDIS_HOST=redis
      - REDIS_PORT=6379

      - TZ=America/New_York
      - GITLAB_TIMEZONE=America/New_York
      
      - GITLAB_HTTPS=true
      - SSL_SELF_SIGNED=true

      - GITLAB_HOST={{{SECRET}}}
      - GITLAB_PORT=8443
      - GITLAB_SSH_PORT=8022
      - GITLAB_SECRETS_DB_KEY_BASE={{{SECRET}}}
      - GITLAB_SECRETS_SECRET_KEY_BASE={{{SECRET}}}
      - GITLAB_SECRETS_OTP_KEY_BASE={{{SECRET}}}
      
      - GITLAB_ROOT_PASSWORD={{{SECRET}}}
      - GITLAB_ROOT_EMAIL={{{SECRET}}}
      
      - GITLAB_EMAIL={{{SECRET}}}
      - GITLAB_EMAIL_REPLY_TO={{{SECRET}}}
      - GITLAB_INCOMING_EMAIL_ADDRESS={{{SECRET}}}
      
      - SMTP_ENABLED=true
      - SMTP_DOMAIN={{{SECRET}}}
      - SMTP_HOST=smtp.gmail.com
      - SMTP_PORT=587
      - SMTP_USER={{{SECRET}}}
      - SMTP_PASS={{{SECRET}}}
      - SMTP_STARTTLS=true
      - SMTP_AUTHENTICATION=login
      
      - IMAP_ENABLED=false
      - IMAP_HOST=imap.gmail.com
      - IMAP_PORT=993
      - IMAP_USER={{{SECRET}}}
      - IMAP_PASS={{{SECRET}}}
      - IMAP_SSL=true
      - IMAP_STARTTLS=false

The docker logs are showing the following, which leads me to believe the connection to the database is failing:

Loading /etc/docker-gitlab/runtime/env-defaults
Initializing logdir...
Initializing datadir...
Updating CA certificates...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Container TimeZone -> America/New_York
Installing configuration templates...
Configuring gitlab...
Configuring gitlab::database...........................................................

I'm not super familiar with docker, is there a way I can check that the postgresql database is reachable from the gitlab instance?