Blog Security GitLab and Let's Encrypt partner to improve website security
Published on September 29, 2022
5 min read

GitLab and Let's Encrypt partner to improve website security

Learn how to add a Let's Encrypt TLS certificate to a website hosted and managed via GitLab Pages.

container-security.jpg

Let's Encrypt, a free, automated, and open certificate authority, is integrated with GitLab to help DevOps teams encrypt web traffic and protect the confidentiality of information their users share with websites.

This article explains, step by step, how to add a Let's Encrypt Transport Layer Security (TLS) certificate to a website hosted and managed via GitLab Pages.

What is TLS?

TLS is a protocol designed to make the internet more secure. Now more than two decades old, TLS, which evolved from Secure Sockets Layer (SSL), helps ensure that when users connect to websites — and transmit potentially sensitive data to and from those websites — they are doing so over a secure connection.

It's an important protocol because internet connections aren't necessarily secure by default. Malicious actors can intervene in the internet connection made to retreive web pages, and then they can view or even manipulate the data traveling through that connection. To minimize the chance of that happening, DevOps teams need to enable a way to guarantee - to certify - that the connection is genuine and secure.

That's where TLS comes in.

How does TLS work?

TLS consists of several components, one of which is a digital certificate, the goal of which is to secure data flowing to and from a website and help users trust in the integrity and confidentiality of that data.

The website or domain controller can install that certificate on a web server so that a user visiting the site can view it and feel assured their connection to the website is secure. The controller will ask a certifying body — called a certificate authority, or CA — to electronically sign and verify the certificate to indicate that the person or organization has control over the domain. Users can then view the certificate's details to scrutinize the connection.

To do this, simply load any TLS-protected website in a browser ("https://" will appear in the URL where the "s" indicates a secure connection), and, typically, a "lock" icon in the browser's URL bar. Clicking on that lock reveals certificate details.

As long as users trust the body that issued the certificate, they can feel more confident their connection to the website is secure.

GitLab's website, indicating the secure connection by clicking on the lock icon in the URL bar

GitLab's website is delivered over a secure connection.

GitLab's website indicating the security certificate is valid in the lock icon on the URL browser bar

GitLab's website security certificate is valid.

Let's Encrypt and TLS certificates

Historically, obtaining TLS certificates was a complicated and costly endeavor.

Let's Encrypt formed in 2013 to ensure everyone had access to the benefits of encryption. Part of the nonprofit Internet Security Research Group, Let's Encrypt aims to simplify the process of issuing, installing, configuring, and managing TLS certificates. By doing so, it hopes to create an internet that is more privacy-respecting and secure.

Let's Encrypt is an open and secure certificate authority that makes the process of obtaining and applying TLS certificates easy, automated, and free for website administrators. GitLab's integration with Let's Encrypt enables anyone hosting a webpage using GitLab Pages to obtain and apply a TLS certificate with a single click.

Securing a website with GitLab Pages and Let's Encrypt

GitLab Pages allows anyone with a GitLab project to host and maintain a static website and, with the help of Let's Encrypt, do so securely.

To start, create a GitLab pages website:

You're now ready to add a TLS certificate to your site with Let's Encrypt.

  • Navigate to your project's Settings, then choose Pages.
  • Find the domain you want to secure and select Details.
  • Click Edit in the top-right corner to modify those details.
  • Click the switch to activate Automatic certificate management using Let's Encrypt.
  • Click Save to save your changes.

And that's it. Really.

The only thing left to do is wait. Obtaining a Let's Encrypt certificate for a website can take up to an hour. But once you've acquired one, you'll see the certificate information underneath the domain name listed in your Pages settings.

Additionally, you can enhance your website's security by forcing incoming traffic to connect to it securely. Just tick the box to enable "Force HTTPS".

Contributing to a more secure internet

The internet is an incredibly valuable tool, but with that value comes complexity. Let’s Encrypt provides digital certificates to more than 290 million websites, working to create an internet that is more secure and respectful of the privacy of its users.

At GitLab, we believe that everyone can contribute — and that includes contributing to a safer, more secure internet. By obtaining and setting up an TLS certificate, DevOps teams benefit from and contribute to the adoption of internet encryption. Internet security shouldn’t be difficult, and GitLab hopes that our integration with Let’s Encrypt supports a more secure internet for everyone.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

New to GitLab and not sure where to start?

Get started guide

Learn about what GitLab can do for your team

Talk to an expert