[SAC] Mattermost/GitLab (was: replacing IRC with gitter)
Sandro Santilli
strk at kbt.io
Fri Sep 2 03:32:12 PDT 2016
On Fri, Sep 02, 2016 at 11:33:43AM +0200, Sandro Santilli wrote:
> On Fri, Sep 02, 2016 at 10:33:06AM +0200, Björn Harrtell wrote:
>
> > I've completed the setup and Mattermost seems to be ready for evaluation.
> > The URL to go to is https://mattermost.osgeo.kbt.io and login via GitLab
> > using OSGeo LDAP credentials should work.
>
> Two points from first impression:
>
> 1) SSL certificate needs to be a trusted one

I've taken care of this, your browser should now not complain
upon visiting https://mattermost.osgeo.kbt.io. Let me know if
it does.

Björn: this implied:

1) Configuring nginx to use /var/www/letsencrypt for /.well-known (gitlab.rb):

  mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"

2) Obtaining the certificate:

  certbot certonly --webroot -d mattermost.osgeo.kbt.io --webroot-path=/var/www/letsencrypt/

3) Configuring nginx to use letsencrypt certificates (gitlab.rb):

  mattermost_nginx['ssl_certificate'] = "/etc/letsencrypt/live/mattermost.osgeo.kbt.io/fullchain.pem"
  mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/mattermost.osgeo.kbt.io/privkey.pem"

Since I was at it, I also enforced redirection from http to https:

  mattermost_nginx['redirect_http_to_https'] = true

This was done following this guide:
http://stackoverflow.com/questions/34189199/how-do-i-use-let-s-encrypt-with-gitlab

I did not touch the gitlab section (nginx['ssl_certificate_key']...)
as for now the browser hits the git.osgeo.org proxy first, so it doesn't
affect user experience.

Letsencrypt certificates expire every 3 months, I think.
Running 'certbot renew' periodically should take care of renewing.
I did not set up a cron job as the VPS might expire before the certificate.

--strk;
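
Added example, not part of the original message or of GitLab's or certbot's own tooling: a Ruby check (Ruby being the language of gitlab.rb) of the certificate and key that the mattermost_nginx settings above point at, reporting whether the key matches, the hostname is covered, and renewal is due. The 30-day threshold is an assumption mirroring certbot's default renewal window; the helper names and the throwaway self-signed certificate are constructed for illustration.

```ruby
require "openssl"

RENEW_WINDOW_DAYS = 30 # assumption: same window certbot uses by default

# Inspect the PEM pair nginx is configured to serve (hypothetical helper).
def check_tls_pair(cert_pem, key_pem, hostname, now: Time.now)
  # fullchain.pem lists the leaf first; Certificate.new parses that first block.
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)
  days_left = ((cert.not_after - now) / 86_400).floor
  {
    days_left: days_left,
    expired: now > cert.not_after,
    renewal_due: days_left < RENEW_WINDOW_DAYS,
    key_matches: cert.check_private_key(key),
    name_matches: OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  }
end

# Constructed sample input: a throwaway self-signed pair, so this runs offline.
def sample_pair(hostname, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert.to_pem, key.to_pem]
end

HOST = "mattermost.osgeo.kbt.io"
issued = Time.utc(2016, 9, 2)
cert_pem, key_pem = sample_pair(HOST, issued, issued + 90 * 86_400)
# On the server, read the files named in gitlab.rb instead:
#   File.read("/etc/letsencrypt/live/#{HOST}/fullchain.pem") and privkey.pem
report = check_tls_pair(cert_pem, key_pem, HOST, now: issued + 70 * 86_400)
puts report
warn "renewal due: run 'certbot renew'" if report[:renewal_due]
```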