Gitea SSL-Certificate

Hello, I want to set up HTTPS for my Gitea service. But it doesn’t work.

So far I can get access to Gitea through my domain via DynDNS with HTTP. And everything works, I think (I didn’t want to type my password into an unencrypted data transfer). But with HTTPS it doesn’t work, and I think there is something that I didn’t think of.

Setup
Gitea installed on Ubuntu Server 20.04 (on Raspberry Pi 3B, if that could be important)

SSL-Certificates
I already created SSL certificates on my Ubuntu Server with OpenSSL.
My needs are satisfied by self-signed certificates, because it would be just for me. I just want the data to be transferred securely via HTTPS.

I edited the app.ini from Gitea (/etc/gitea/app.ini) as follows:

[server]
PROTOCOL            = https
ROOT_URL            = https://www.koenigsfeld.eu:3000/
HTTP_PORT           = 3000

CERT_FILE           = /etc/ssl/certs/self-signed.crt
KEY_FILE            = /etc/ssl/private/self-signed.key

REDIRECT_OTHER_PORT = true
PORT_TO_REDIRECT    = 3080

Router
In my router I opened ports in HTTPS for port 3000, 3080, 443.
The port number 3000 is the port that Gitea is listening on. Since I read everywhere that 443 seems to be the standard port for HTTPS, I also opened that port. But nothing worked. Even when I exposed the device completely to the internet xD

Maybe I forgot to mention something basic. I am sorry if I seem like a beginner. That’s because I am a beginner. At least for SSL.

What I am doing:
I open [MyDomainAsHTTPS]:3000 and it works. Then I open [MyDomainAsHTTPS]:3000 and I get the error:
“Error code: SSL_ERROR_RX_RECORD_TOO_LONG”

I would not even expose port 3000 on the Gitea host, let alone the internet via your router. The same goes for port 3008.

Ideally, you want to be running a reverse proxy on the same host as your Gitea instance. You let the reverse proxy handle the TLS termination, and then you don’t need TLS enabled directly on your Gitea binary because it is only ever accessed locally on the same host.
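As an added example (not from this thread or the Gitea project), here is what that layout looks like for the poster’s setup: nginx owns port 443 and the self-signed certificate from the app.ini above, while Gitea drops back to plain HTTP on the loopback interface only. The domain and certificate paths are taken from the poster’s config; the `client_max_body_size` value is an assumption.

```nginx
# Added example: nginx terminates TLS and proxies to Gitea over loopback.
# Domain and cert/key paths are the ones from the poster's app.ini.

# Gitea side (/etc/gitea/app.ini, [server]) for this layout:
#   PROTOCOL  = http
#   HTTP_ADDR = 127.0.0.1      ; loopback only, never reachable from the LAN
#   HTTP_PORT = 3000
#   ROOT_URL  = https://www.koenigsfeld.eu/
# and remove CERT_FILE, KEY_FILE, REDIRECT_OTHER_PORT, PORT_TO_REDIRECT.

server {
    listen 80;
    listen [::]:80;
    server_name www.koenigsfeld.eu;
    # Port 80 only redirects; nothing is ever served unencrypted.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.koenigsfeld.eu;

    ssl_certificate     /etc/ssl/certs/self-signed.crt;
    ssl_certificate_key /etc/ssl/private/self-signed.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Assumed value: large enough for big git pushes through the proxy.
    client_max_body_size 512M;

    location / {
        # Plain HTTP to Gitea; it never leaves the host.
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place the router forwards only 80 and 443 to the Pi; 3000 and 3080 stay closed, and `nginx -t` checks the config before a reload.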

I’ll echo this. I’ve got two different Gitea installations (one personal, one for work) running with Apache as a reverse proxy. This way I’m able to use LetsEncrypt certs, and it renews certificates automatically.


Hmm, okay, I added the entries for the server in the nginx.conf as described in the Gitea tutorial. But I still get the same error: “SSL_ERROR_RX_RECORD_TOO_LONG”

How I understand it so far is that nginx will do the TLS termination and forward to my Gitea instance, so I don’t have to manage anything with ports on my server at all, right?
But how do I have to handle the port forwarding in my router?

Do I have to forward them directly, like:
80 → 80 for HTTP
443 → 443 for HTTPS

You see I am totally new to this topic of SSL certificates, TLS and reverse proxies xO Actually I have problems understanding all the layers, from the firewall through to the firewall of my server, which shouldn’t be edited now, since that is done by nginx. I think I have to read more about all these topics. I have a problem getting an overview and sorting things out. Hope this thread won’t be closed until I get it to work xO

If the topic does close, Discourse has an option to “Reply as linked topic”, which will include a link back to the original topic from the new topic.

Ah okay, cool. I will try my best to get into all that asap. I just needed a point to start my search for a solution from.