This page will summarize some notes to accompany the installation with Docker guide.

SSH and Git access

Gitlab will run its own SSH server (used for Git authentication). If you are running your container in a GCS instance, then you will need to expose the SSH server on a different port. For example:

sudo docker run --detach \
  # ...snip...
  --publish 443:443 --publish 80:80 --publish 50001:22 \
  # ...snip...

Then you need to change the port in gitlab.rb:

gitlab_rails['gitlab_shell_ssh_port'] = 50001

If you’re using GCS, create a firewall rule:

gcloud compute firewall-rules create allow-ssh-50001 --allow=tcp:50001

To test that it works, run ssh -p 50001 -Tv Finally, to ensure that Git uses the correct port, amend your .ssh/config like so:

    port 50001

To actually be able to perform any Git operations, upload your SSH key to the Gitlab instance.

Enabling HTTPS with Let’s Encrypt

Gitlab allows automatically provisioning a certificate. Just enable the settings in gitlab.rb:

letsencrypt['enable'] = true
# If you are using a self-signed certificate, you can also put an IP
# address instead of an FQDN here
external_url ''
letsencrypt['contact_emails'] = ['[email protected]']

You will need firewall rules for both port 80 and 443:

gcloud compute firewall-rules create allow-http --allow=tcp:80
gcloud compute firewall-rules create allow-https --allow=tcp:443
If you are using Cloudflare, ensure that you whitelist their IP’s. You may also need to disable “Full (Strict)” until your certificate is issued.

Temporarily clear any source range settings by appending --source-ranges= to the command. Otherwise, Let’s Encrypt will not be able to perform the challenge.

You can revoke any certificates by using certbot revoke --cert-path /path/to/key.pem. If you do not have access to the files stored by Gitlab, find your certificate at There should be an option to download the PEM file in the sidebar. Before you can revoke the certificate, you need to perform a validation:

# Since validation and issuance are done using the same command, we need to
# specify a non-existent subdomain to ensure the issuance fails.
certbot certonly --manual --preferred-challenges=dns -d -d