Zero Trust returns SSL_ERROR_NO_CYPHER_OVERLAP when trying to enter my application

I am trying to secure a self-hosted GitLab solution using Cloudflare Zero Trust. I followed the tutorial at https://developers.cloudflare.com/cloudflare-one/tutorials/gitlab, but when adding the DNS record I get ‘This hostname is not covered by a certificate’. I ignored it since the tutorial doesn’t mention anything about HTTPS, and it even configures it to work on HTTP and port 80. When I try entering my website after finishing the configuration I get ‘SSL_ERROR_NO_CYPHER_OVERLAP’. I tried multiple browsers and tried adding a Let’s Encrypt certificate, but it didn’t help.

It sounds like you tried to put your GitLab on a second-level or deeper subdomain (e.g. gitlab.internal.example.com) when the Universal SSL Cert (the one Cloudflare gives you for free) only covers first-level subdomains (like gitlab.example.com). You can get around this by purchasing Advanced Certificate Manager (ACM) and turning on Total TLS or issuing an Adv. Cert for that deeper subdomain, or just by moving your Gitlab to a first-level subdomain as shown in the tutorial.

To explain why the article doesn’t mention anything about HTTPS:
Your tunnel, the cloudflared service connecting locally to Gitlab, is over HTTP. It then securely connects back to Cloudflare’s edge to proxy the connection, which is why HTTP is fine, since it’s local.

When you are connecting to your website over the Internet, you want HTTPS to encrypt your connection, so your connection looks a bit like this:
Browser ← HTTPS → Cloudflare ← Tunnel Connection (Secure) → cloudflared running on your server ← HTTP (Local only) → Gitlab

Additionally, any SSL Cert you install on your local web server will not matter either, since only cloudflared is connecting locally and checking those.
You have Edge Certificates (served by Cloudflare and checked by browsers) and Origin Certificates (served by your origin, checked by Cloudflare), assuming proxy mode is enabled/using tunnels.
Browser ← Cloudflare (Edge Cert) → Origin (Origin Cert) or with tunnels, something like Browser → Cloudflare (Edge Cert) → Tunnel Connection (CF Managed Certs) → Cloudflared → Origin (Origin Cert)

TL;DR: Move your Gitlab up to a first-level subdomain, like the examples given in the tutorial. If that fails, check to make sure you have Universal SSL enabled (SSL/TLS → Edge Certificates → Universal SSL).

1 Like

Thank you for responding.
Well, I use a first-level subdomain, gitlab…example.com.
So I don’t need to enable SSL or certificates on my GitLab instance, and just issue the certificates from Cloudflare?

You don’t need to configure an SSL Cert on your Gitlab instance if it’s only accessible through your Tunnel on the same machine.
Tunnels make a secure outbound connection to Cloudflare, and then the Tunnel Service running on your machine (cloudflared) connects to the configured service. If the configured service (Gitlab) is on the same machine as the tunnel service, then it’s all local and HTTPS isn’t needed.

If Cloudflare is telling you “The hostname is not covered by a certificate”, it’s telling you it doesn’t have an Edge Cert to serve for it, making it invalid. Ensure you have Universal SSL enabled (SSL/TLS → Edge Certificates → Universal SSL), check you have a Universal SSL Cert issued for you (SSL/TLS → Edge Certificates; it should be “Active”), and double-check it really is first level. If it’s on the first level of subdomains, in your DNS Records tab it should just show the record as “CNAME” “Gitlab” with Content being {Tunnel-UUID}.cfargotunnel.com.

2 Likes
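As an added illustration of the first-level rule both answers rely on (this is not code from the thread or from Cloudflare; it assumes the Universal SSL edge certificate carries only the zone apex and a single-level wildcard, which is why deeper names fall outside it), a small check that classifies a hostname the way the answers do:

```python
# Added example: classify a hostname against the names a Cloudflare Universal
# SSL edge certificate is assumed to cover (zone apex + one wildcard level).
# The SAN list and the advice strings are assumptions made for this example.

def universal_ssl_sans(zone: str) -> list[str]:
    """Names assumed on the Universal SSL cert for `zone`."""
    zone = zone.strip(".").lower()
    return [zone, f"*.{zone}"]

def name_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style comparison: a wildcard matches exactly one DNS label."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]   # what the "*" would have to cover
    return bool(leftmost) and "." not in leftmost

def subdomain_depth(zone: str, hostname: str) -> int:
    """Labels below the zone apex, or -1 when the hostname is outside the zone."""
    zone_labels = zone.lower().strip(".").split(".")
    host_labels = hostname.lower().strip(".").split(".")
    if host_labels[-len(zone_labels):] != zone_labels:
        return -1
    return len(host_labels) - len(zone_labels)

def check_hostname(zone: str, hostname: str) -> dict:
    """Report whether the Universal cert would be served for `hostname`."""
    depth = subdomain_depth(zone, hostname)
    covered = any(name_matches(s, hostname) for s in universal_ssl_sans(zone))
    if covered:
        advice = "covered by Universal SSL; check the cert shows Active"
    elif depth > 1:
        advice = ("deeper than first level: move to a first-level subdomain "
                  "or issue an ACM certificate for this name")
    else:
        advice = "hostname is not inside this zone"
    return {"hostname": hostname, "depth": depth, "covered": covered, "advice": advice}

if __name__ == "__main__":
    for host in ("gitlab.example.com", "gitlab.internal.example.com", "example.com"):
        print(check_hostname("example.com", host))
```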