Installing GitLab in AWS

June 14, 2021

Background

GitLab EE 13.10 on an AWS EC2 CentOS instance. I wanted to have a site with a CA-signed certificate and to use SSH for my git commands.

Problem I ran into

  1. My install used a self-signed certificate instead of a Let’s Encrypt certificate.
  2. Permission denied (publickey,gssapi-keyex,gssapi-with-mic) when trying to git clone over SSH.

Steps I followed

Solution (TL;DR)

1. Let’s Encrypt Certificate

  • In AWS Route 53, enable DNS forwarding from the subdomain and the domain to the server IP address
  • Enable the server to accept incoming HTTP requests by updating the gitlab.rb file with

    nginx['redirect_http_to_https'] = true
    nginx['redirect_http_to_https_port'] = 80

2. SSH

  • Use the default key filename
  • or create a ~/.ssh/config file to specify the IdentityFile (key) to be used

What I learned

1. Let’s Encrypt Certificate

  • If GitLab’s Omnibus installer can’t obtain a cert from Let’s Encrypt, it generates a self-signed cert and places it in /etc/gitlab/ssl
  • When I enabled Let’s Encrypt in the /etc/gitlab/gitlab.rb file

    letsencrypt['enable'] = true 

    upon running gitlab-ctl reconfigure, it would fail with a Validation failed, unable to request certificate error

  • There are two causes

    • Let’s Encrypt needs to be able to reach not just the subdomain (gitlab.mydomain.com) but also the domain (mydomain.com). I had DNS forwarding from gitlab.mydomain.com to the AWS EC2 instance IP address but not from mydomain.com
    • Let’s Encrypt needs to be able to reach the domain via HTTP and HTTPS. I was not redirecting http to https
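A preflight check for the two causes above, written as an added example for this post (it is not part of GitLab or its Omnibus tooling): it confirms that gitlab.rb carries the Let’s Encrypt and HTTP-redirect settings and, when SERVER_IP is set, that both the apex domain and the subdomain resolve to the instance before you run gitlab-ctl reconfigure. The sample gitlab.rb files are constructed in a temp directory for the demo; mydomain.com, gitlab.mydomain.com and SERVER_IP are placeholders, and on a real install you would point it at /etc/gitlab/gitlab.rb.

```shell
#!/bin/sh
# Added example (not from the post or GitLab): preflight checks before
# "gitlab-ctl reconfigure" with Let's Encrypt enabled.

# rb_setting_is FILE KEY VALUE: succeed when FILE has an uncommented line
# assigning VALUE to KEY. The last such line wins, as it does in Ruby.
rb_setting_is() {
    _file=$1 _key=$2 _want=$3
    _got=$(grep -F -- "$_key" "$_file" 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | sed -e 's/#.*$//' -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tail -n 1)
    [ "$_got" = "$_want" ]
}

# check_gitlab_rb FILE: print one line per required setting and return the
# number of settings that are missing or wrong (0 means ready).
check_gitlab_rb() {
    _rb=$1 _bad=0
    for _pair in "letsencrypt['enable']=true" \
                 "nginx['redirect_http_to_https']=true" \
                 "nginx['redirect_http_to_https_port']=80"; do
        _k=${_pair%=*} _v=${_pair##*=}
        if rb_setting_is "$_rb" "$_k" "$_v"; then
            echo "ok      $_k = $_v"
        else
            echo "MISSING $_k = $_v"
            _bad=$((_bad + 1))
        fi
    done
    return "$_bad"
}

# dns_points_to NAME IP: succeed when NAME resolves (first address) to IP.
dns_points_to() {
    _addr=$(getent hosts "$1" 2>/dev/null | awk 'NR == 1 { print $1 }')
    [ "$_addr" = "$2" ]
}

# Constructed sample files (placeholders, not a real install). GOOD_RB has all
# three settings plus a commented-out line that must be ignored; BAD_RB is the
# state described in the post: Let's Encrypt on, no HTTP redirect.
GOOD_RB=$(mktemp) BAD_RB=$(mktemp)
trap 'rm -f "$GOOD_RB" "$BAD_RB"' EXIT
cat > "$GOOD_RB" <<'EOF'
external_url 'https://gitlab.mydomain.com'
# letsencrypt['enable'] = false
letsencrypt['enable'] = true
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
EOF
cat > "$BAD_RB" <<'EOF'
external_url 'https://gitlab.mydomain.com'
letsencrypt['enable'] = true
EOF

echo "== constructed good gitlab.rb"; check_gitlab_rb "$GOOD_RB"   # returns 0
echo "== constructed bad gitlab.rb";  check_gitlab_rb "$BAD_RB"    # returns 2

# DNS part of the preflight; only runs when SERVER_IP is set (placeholder).
if [ -n "${SERVER_IP:-}" ]; then
    for _name in mydomain.com gitlab.mydomain.com; do
        if dns_points_to "$_name" "$SERVER_IP"; then echo "ok   $_name -> $SERVER_IP"
        else echo "FAIL $_name does not resolve to $SERVER_IP"; fi
    done
fi
```

Run it with SERVER_IP=<your instance's public IP> to include the DNS check; a MISSING or FAIL line tells you which of the two causes is still present before you spend another reconfigure cycle on it.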

2. SSH

  • By running ssh -Tv git@gitlab.mydomain.com, I could see that ssh was trying to match certificates from .ssh to the server. I noticed that it was looking for “default” certificate file names like id_rsa, id_rsa-cert, id_ed25519, etc.
  • As a test, I decided to rename my certificate file to the default id_rsa and rerun ssh -Tv git@gitlab.mydomain.com. Result: Authentication succeeded (publickey).
  • In order to use a different name for the key, I followed the instructions to set up a .ssh/config file and I can now ssh using a ‘non-standard’ key filename
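The .ssh/config approach from the last bullet, as an added example that is not from the post: it writes a Host block that pins a non-default key to the GitLab host, resolves which identities ssh would offer for a given host with the same rule ssh uses (every matching Host block contributes its IdentityFile lines, in file order), and checks the key’s file permissions, since ssh refuses to use a private key that is readable by group or others. Everything lives under a temp directory created for the demo; gitlab.mydomain.com and gitlab_ed25519 are placeholders and the key file contents are constructed, not a real key.

```shell
#!/bin/sh
# Added example (not from the post): a ~/.ssh/config entry for a non-default
# key, plus two checks a defender wants before blaming the server.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
SSH_DIR="$WORKDIR/.ssh"               # stands in for ~/.ssh in this demo
mkdir -p "$SSH_DIR" && chmod 700 "$SSH_DIR"
CONFIG="$SSH_DIR/config"

# add_host_entry CONFIG HOST KEYFILE: append a Host block that makes ssh
# offer KEYFILE (and, with IdentitiesOnly, nothing else from the agent) to
# HOST; the config file is kept at mode 600.
add_host_entry() {
    printf 'Host %s\n    User git\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
        "$2" "$3" >> "$1"
    chmod 600 "$1"
}

# identities_for CONFIG HOST: print the IdentityFile values ssh would try for
# HOST, one per line. Host patterns support * and ? here; negated "!" patterns
# are left out of this demo.
identities_for() {
    awk -v host="$2" '
        function glob(pat,  re) {
            re = pat
            gsub(/\./, "[.]", re); gsub(/\*/, ".*", re); gsub(/\?/, ".", re)
            return "^" re "$"
        }
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if (host ~ glob($i)) active = 1
        }
        active && tolower($1) == "identityfile" { print $2 }
    ' "$1"
}

# key_perms_ok KEYFILE: succeed when group and others have no access bits,
# which is what ssh requires before it will load a private key at all.
key_perms_ok() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed demo: a placeholder key file and a config with one specific
# entry followed by a catch-all block.
KEY="$SSH_DIR/gitlab_ed25519"
printf 'not-a-real-key\n' > "$KEY" && chmod 600 "$KEY"
add_host_entry "$CONFIG" gitlab.mydomain.com "$KEY"
printf 'Host *\n    IdentityFile ~/.ssh/id_rsa\n' >> "$CONFIG"

echo "== identities for gitlab.mydomain.com"
identities_for "$CONFIG" gitlab.mydomain.com    # the pinned key, then ~/.ssh/id_rsa
echo "== identities for some other host"
identities_for "$CONFIG" example.com            # only ~/.ssh/id_rsa
key_perms_ok "$KEY" && echo "key permissions ok" || echo "key too permissive"
```

On a real machine the equivalent question is answered by ssh -G gitlab.mydomain.com, which prints the effective configuration after all Host blocks are applied; the awk version above is only there to make the matching rule visible without touching the live config.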

Resources that helped me figure this out

Written by Edmond Chan. A collection of simple answers that are sometimes hard to find.