10.5 release and Let's Encrypt

bestouff · February 23, 2018, 2:44pm

Hi there,

I have tried Let’s Encrypt support in the latest 10.5 release, and it consistently fails when running reconfiguring or renewing certificates with:


- create new file /var/opt/gitlab/nginx/www/.well-known/acme-challenge/3GB2l4IS[REDACTED]
- update content in file /var/opt/gitlab/nginx/www/.well-known/acme-challenge/3GB2l4IS[REDACTED] from none to 7afb49
--- /var/opt/gitlab/nginx/www/.well-known/acme-challenge/3GB2l4IS[REDACTED] 2018-02-23 10:37:23.92874 +0100
+++ /var/opt/gitlab/nginx/www/.well-known/acme-challenge/.chef-3GB2l4IS[REDACTED] 2018-02-23 10:37:23.92874 +0100
@@ -1 +1,2 @@
+3GB2l4IS[REDACTED]
- change mode from '' to '0644'
- change owner from '' to 'root'
- change group from '' to 'root'
- restore selinux security context

================================================================================
Error executing action `create` on resource 'acme_certificate[staging]'
================================================================================

RuntimeError
------------
[gitlab.[REDACTED]] Validation failed for domain gitlab.[REDACTED]

Cookbook Trace:
---------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:93:in `block (2 levels) in class_from_file'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `map'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `block in class_from_file'

My machine has a public IP accessible by DNS, on port 443 only. Is that part of the problem ?

hersoncruz · March 2, 2018, 9:59pm

+1 Having the same issue with an AWS instance.

bastianonm · March 5, 2018, 2:37pm

+1 same error
Let’s Encrypt is awesome! I how to make it works soon!
I have already installed a self signed certificate, maybe this might cause some issue

wprater · March 5, 2018, 2:52pm

I had the same issue. You should open up port 80 so the verification process can complete.

Magikon · March 12, 2018, 8:28am

+1 same error
port 80 is open, but the error still exists.

bestouff · March 13, 2018, 2:54pm

Yes now I have both ports 80 & 443 open, and letsencrypt still fails. Anyone from Gitlab to help ?

jeffreysmattson · March 18, 2018, 10:19pm

Run the gitlab-ctl reconfigure as root and all is well.

bestouff · March 19, 2018, 3:58am

Re-read the initial post. This happens when running gitlab-ctl reconfigure.

dleske · June 22, 2018, 5:08pm

I came here experiencing this issue. Tried a couple of different things, including the stuff here, remembered finally I hadn’t enabled port 80 traffic which I normally block, although it redirects to 443. Port 80 is required for the automatic renewal GitLab/LE use.

Once I enabled port 80 from the world I was able to renew finally. There is no indication of this in my error output, except the final error: Validation failed for domain git.d4.c3.ca, but in looking at the traceback leading to this, I have Error executing action 'create' on resource 'letsencrypt_certificate[git.d4.c3.ca]', so I was looking at filesystem space, permissions, etc.

Oh well. Hope this helps somebody else.

geoff-m · August 11, 2018, 4:12am

When you say you “enabled port 80”, are you talking about a firewall command, or something more (like a change to gitlab.rb)? I have port 80 open and it still doesn’t work. Did you have to disable https or something?