Provide basic ACME webroot support
If you want to use Let's Encrypt certificates, you have to pass a challenge. Most users will choose http-01 because the renewal process is easy and everything is done on the web server. For http-01 you need an HTTP server on port 80, which on GitLab is the HTTP to HTTPS redirect server. You therefore have to modify the nginx configuration to serve the webroot for http-01.
This MR makes it possible to use the webroot method for both the GitLab and the registry nginx!
How it works
First you have to enable both redirection server blocks with:
nginx['redirect_http_to_https'] = true
registry_nginx['redirect_http_to_https'] = true
In addition to that, one has to insert a custom config line into these blocks with the (new) option ['redirect_http_to_https_custom_config']:
nginx['redirect_http_to_https_custom_config'] = "location ^~ /.well-known { alias /srv/www/.certbot/.well-known; }"
registry_nginx['redirect_http_to_https_custom_config'] = "location ^~ /.well-known { alias /srv/www/.certbot/.well-known; }"
(/srv/www/.certbot is the path used as webroot in the ACME client.)
Now you should be able to create your certificates with an ACME client (like certbot).
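Before running the ACME client it is worth checking that the alias actually works on port 80: a typical failure is that the location block is not active and the redirect server answers with a 301 to HTTPS, which the CA will not follow for the challenge. The following pre-flight check is an added example, not part of this MR; the hostname in the main block is a placeholder, and the webroot matches the alias configured above.

```python
import os
import secrets
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Must match the alias target in redirect_http_to_https_custom_config.
WEBROOT = "/srv/www/.certbot"
CHALLENGE_DIR = ".well-known/acme-challenge"


def write_token(webroot: str) -> Tuple[str, str]:
    """Drop a random file where the ACME client would place its challenge.
    Returns (token, file content)."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    token = secrets.token_urlsafe(32)
    content = f"{token}.preflight-selfcheck"  # constructed, mimics '<token>.<thumbprint>'
    with open(os.path.join(path, token), "w") as fh:
        fh.write(content)
    return token, content


def fetch_token(base_url: str, token: str, timeout: float = 5.0) -> Optional[str]:
    """GET /.well-known/acme-challenge/<token> over plain HTTP without following
    redirects. A 301 to HTTPS (or a 404) means the location block is not in effect."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # turn any redirect into an HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.read().decode()
    except (urllib.error.HTTPError, urllib.error.URLError, OSError):
        return None


def preflight(webroot: str, base_url: str) -> bool:
    """True only if the file written into the webroot comes back byte-for-byte."""
    token, expected = write_token(webroot)
    try:
        return fetch_token(base_url, token) == expected
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))


if __name__ == "__main__":
    # gitlab.example.com is a placeholder for the real external_url host.
    print("webroot OK" if preflight(WEBROOT, "http://gitlab.example.com") else "webroot NOT served")
```

Run it as the user that owns the webroot; a "NOT served" result usually means the custom config line is missing from the redirect block or the alias points at the wrong directory.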
What is missing
Documentation still has to be written, and it will need to be a bit longer than this short summary.
Fixes #2221 (closed)