GitLab SSL Certificate Renewal – Step-by-Step Guide

Overview

SSL certificate renewal for GitLab requires careful planning to avoid service disruption. This guide explains the end-to-end process for renewing GitLab SSL certificates across both Application and Database servers, including backup, CSR generation, certificate replacement, service restart, and verification.

This procedure ensures:

  • Secure HTTPS access
  • Zero data loss
  • Safe rollback using snapshots
  • Compliance with enterprise certificate standards

Environment Overview

  Component                    Description
  GitLab Application Server    Hosts GitLab UI & services
  GitLab Database Server       Hosts PostgreSQL
  Access Method                CyberArk SSH
  Certificate Type             Custom Root + Intermediate + Signed Certificate

High-Level Flow Diagram



Phase 1: Backup & CSR Preparation

Step 1: Take VM Snapshots

  • GitLab Application Server
  • GitLab Database Server

Ensures rollback safety in case of failure.

Step 2: Login to GitLab Application Server

Access the server using CyberArk SSH.

Step 3: Create CSR Directory (Application Server)

mkdir /root/certs/newcsr

cd /root/certs/newcsr

Step 4: Generate CSR (Application Server)

openssl req -new -key gitlabappfqdn.key \
  -config /root/certs/req.conf \
  -out gitlabappfqdn.csr

When prompted, enter the passphrase of the existing private key.

Passphrase: XXXXXX

Step 5–7: Repeat CSR Generation on Database Server

mkdir /root/certs/newcsr

cd /root/certs/newcsr

openssl req -new -key gitlabappfqdn.key \
  -config /root/certs/req.conf \
  -out gitlabappfqdn.csr

Phase 2: Remove Passphrase from Private Key

Neither the NGINX bundled with GitLab nor PostgreSQL can prompt for a key passphrase when GitLab starts them, so the key must be stored unencrypted. Keep the resulting file readable by root only.

Step 8: Application Server

openssl rsa -in gitlabappfqdn.key -out gitlabappfqdn_nopasswd.key

mv gitlabappfqdn_nopasswd.key gitlabappfqdn.key

Step 9: Database Server

openssl rsa -in gitlabappfqdn.key -out gitlabappfqdn_nopasswd.key

mv gitlabappfqdn_nopasswd.key gitlabappfqdn.key

Step 10: Copy Signed Certificates

Copy the signed .crt and .key files to /root/certs/newcsr on both servers.

Step 11: Verify Certificate Expiry

openssl x509 -in /root/certs/newcsr/gitlabappfqdn.crt -noout -dates

Step 12: Copy DB Certificate to Application Server

scp gitlabappfqdn.crt app-server:/tmp/

Phase 3: Actual Certificate Renewal

Step 1–2: Pre-Checks

  • Snapshots confirmed
  • Root, Intermediate & Signed certificates available in /root/certs/newcsr

Step 3: Archive Old CSR & Keys (Both Servers)

mv gitlabappfqdn.csr /root/certs/archive/2024/gitlabappfqdn.csr_old

mv gitlabappfqdn.key /root/certs/archive/2024/gitlabappfqdn.key_old

Step 5: Archive Old Certificates

Application Server

mv /etc/gitlab/ssl/gitlabappfqdn.crt /root/certs/archive/2024/gitlabappfqdn.crt_old

Database Server

mv /var/opt/gitlab/postgresql/data/gitlabappfqdn.crt \
  /root/certs/archive/2024/gitlabappfqdn.crt_old

Phase 4: Deploy New Certificates

Step 7: Application Server

cp /root/certs/newcsr/gitlabappfqdn.crt /etc/gitlab/ssl/

Step 8: Database Server

cp /root/certs/newcsr/gitlabappfqdn.crt \
  /var/opt/gitlab/postgresql/data/

Step 9: Update Trusted Certificates

On the application server, add both the application certificate and the database certificate copied to /tmp in Step 12 to the trusted store:

cp /etc/gitlab/ssl/gitlabappfqdn.crt /etc/gitlab/trusted-certs/

cp /tmp/gitlabappfqdn.crt /etc/gitlab/trusted-certs/

Note that both commands write a file named gitlabappfqdn.crt, so the second copy overwrites the first. If the database certificate differs from the application certificate, give it a distinct file name inside /etc/gitlab/trusted-certs/ so that both remain trusted.

Phase 5: Reconfigure & Restart Services

Run on both servers:

gitlab-ctl reconfigure

gitlab-ctl restart

Phase 6: Verification

Application Validation

  • GitLab UI accessible
  • No service errors

Certificate Validation

  1. Open GitLab URL (HTTPS)
  2. Click padlock
  3. View certificate details
  4. Confirm new expiry date
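The browser check above only covers the application server. The script below is an added example (not part of the original post) that checks the deployed files on either server from the shell: the certificate matches its private key, the key has no passphrase left (Phase 2), at least 30 days of validity remain, and the certificate chains to the root and intermediate. Paths are passed as arguments, the file names only follow the post's naming, and the self-test material it can generate is a constructed throwaway PKI.

```shell
#!/bin/sh
# Added example: post-deployment checks for a renewed GitLab certificate.
# Paths are arguments; file names only follow the post's naming convention.

# 0 if the certificate's public key matches the private key it is served with.
cert_matches_key() {
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null)" ]
}

# 0 if the certificate stays valid for at least $2 more days (default 30).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# 0 if the key loads with no passphrase (the Phase 2 requirement).
key_has_no_passphrase() {
  openssl pkey -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# 0 if the leaf ($2) chains to the root ($1); pass the intermediate as $3 when there is one.
chain_verifies() {
  if [ -n "${3:-}" ]; then openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; fi
}

# usage: check_renewed_cert <leaf.crt> <leaf.key> <root.crt> [intermediate.crt]
# Prints one line per check and returns 0 only if every check passes.
check_renewed_cert() {
  rc=0
  cert_matches_key "$1" "$2"        && echo "PASS key matches certificate" || { echo "FAIL key/certificate mismatch"; rc=1; }
  cert_not_expiring "$1" 30         && echo "PASS more than 30 days left"   || { echo "FAIL expires within 30 days"; rc=1; }
  key_has_no_passphrase "$2"        && echo "PASS key has no passphrase"    || { echo "FAIL key still encrypted"; rc=1; }
  chain_verifies "$3" "$1" "${4:-}" && echo "PASS chain verifies to root"  || { echo "FAIL chain does not verify"; rc=1; }
  return $rc
}

# Constructed self-test material (not production PKI): a throwaway root and a
# 90-day leaf named like the post's files, written into directory $1.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test Root" \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=gitlabappfqdn" \
    -keyout "$1/gitlabappfqdn.key" -out "$1/gitlabappfqdn.csr" 2>/dev/null
  openssl x509 -req -in "$1/gitlabappfqdn.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 90 -out "$1/gitlabappfqdn.crt" 2>/dev/null
}

if [ "$#" -ge 3 ]; then check_renewed_cert "$@"; fi
```

Run it on each server with the deployed .crt, its .key, the root and the intermediate; a FAIL line on the key/certificate check before `gitlab-ctl reconfigure` is the cheapest point to catch a mismatched key.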

Key Takeaways

  • Safe rollback using snapshots
  • Secure CSR handling
  • Proper certificate archival
  • Zero-downtime best practices
  • Enterprise-grade compliance

Conclusion

This structured GitLab certificate renewal process ensures security, stability, and audit readiness. Following this guide minimizes risk and guarantees smooth certificate rotation across both application and database layers.
