10.5 release and Let's Encrypt

Hi there,

I have tried Let’s Encrypt support in the latest 10.5 release, and it consistently fails when running reconfiguring or renewing certificates with:

- create new file /var/opt/gitlab/nginx/www/.well-known/acme-challenge/3GB2l4IS[REDACTED]
- update content in file /var/opt/gitlab/nginx/www/.well-known/acme-challenge/3GB2l4IS[REDACTED] from none to 7afb49
--- /var/opt/gitlab/nginx/www/.well-known/acme-challenge/3GB2l4IS[REDACTED] 2018-02-23 10:37:23.92874 +0100
+++ /var/opt/gitlab/nginx/www/.well-known/acme-challenge/.chef-3GB2l4IS[REDACTED] 2018-02-23 10:37:23.92874 +0100
@@ -1 +1,2 @@
- change mode from '' to '0644'
- change owner from '' to 'root'
- change group from '' to 'root'
- restore selinux security context

Error executing action `create` on resource 'acme_certificate[staging]'

[gitlab.[REDACTED]] Validation failed for domain gitlab.[REDACTED]

Cookbook Trace:
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:93:in `block (2 levels) in class_from_file'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `map'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `block in class_from_file'

My machine has a public IP accessible by DNS, on port 443 only. Is that part of the problem?

+1 Having the same issue with an AWS instance.

+1 same error
Let’s Encrypt is awesome! I hope to make it work soon!
I have already installed a self signed certificate, maybe this might cause some issue

I had the same issue. You should open up port 80 so the verification process can complete.

+1 same error
Port 80 is open, but the error still exists.

Yes, now I have both ports 80 & 443 open, and Let’s Encrypt still fails. Anyone from GitLab to help?

Run the gitlab-ctl reconfigure as root and all is well.

Re-read the initial post. This happens when running gitlab-ctl reconfigure.

I came here experiencing this issue. Tried a couple of different things, including the stuff here, remembered finally I hadn’t enabled port 80 traffic which I normally block, although it redirects to 443. Port 80 is required for the automatic renewal GitLab/LE use.

Once I enabled port 80 from the world I was able to renew finally. There is no indication of this in my error output, except the final error: Validation failed for domain git.d4.c3.ca, but in looking at the traceback leading to this, I have Error executing action 'create' on resource 'letsencrypt_certificate[git.d4.c3.ca]', so I was looking at filesystem space, permissions, etc. :roll_eyes:

Oh well. Hope this helps somebody else.
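The post above describes the HTTP-01 mechanism behind the failure: the ACME server fetches a token from http://<host>/.well-known/acme-challenge/<token> over plain port 80, and if it cannot connect the only symptom is "Validation failed for domain ...". The following script is an added illustration, not code from this thread or from GitLab's acme cookbook. It reproduces that check locally and offline: it writes a token into a temporary webroot (standing in for /var/opt/gitlab/nginx/www), serves it from a loopback HTTP server, fetches it the way a validator would, and then shows the same fetch against a port nothing listens on, which is the "port 80 blocked" case. Hostnames, ports, the webroot and the token value are all constructed for the demo.

```python
import functools
import http.server
import os
import secrets
import socket
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# Relative path the ACME server requests during HTTP-01 validation.
CHALLENGE_DIR = ".well-known/acme-challenge"


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler with request logging silenced."""

    def log_message(self, fmt, *args):
        pass


def place_token(webroot, token, key_authorization):
    """Write the challenge response where a webroot-based client would put it.
    This mirrors what the cookbook did in the log above (create file, 0644)."""
    challenge_path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_path, exist_ok=True)
    token_file = os.path.join(challenge_path, token)
    with open(token_file, "w", encoding="ascii") as fh:
        fh.write(key_authorization)
    os.chmod(token_file, 0o644)
    return token_file


def serve_webroot(webroot):
    """Serve the webroot on a free loopback port; returns (server, port)."""
    handler = functools.partial(QuietHandler, directory=webroot)
    socketserver.TCPServer.allow_reuse_address = True
    httpd = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]


def validate_http01(host, port, token, expected):
    """Do what the validator does: plain HTTP GET of the token and compare.
    Returns (ok, reason) so callers can see why validation failed."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            body = resp.read().decode("ascii", errors="replace").strip()
    except (urllib.error.URLError, OSError) as exc:
        # Firewall / closed port ends up here: the validator never sees the token.
        return False, f"unreachable: {exc}"
    if body != expected:
        return False, "token mismatch"
    return True, "ok"


def free_closed_port():
    """Find a loopback port with nothing listening, to simulate a blocked port 80."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def run_demo():
    """Run both scenarios and return their (ok, reason) outcomes."""
    token = secrets.token_urlsafe(32)          # constructed, like 3GB2l4IS... above
    key_auth = token + "." + secrets.token_urlsafe(32)
    with tempfile.TemporaryDirectory() as webroot:
        place_token(webroot, token, key_auth)
        httpd, port = serve_webroot(webroot)
        try:
            reachable = validate_http01("127.0.0.1", port, token, key_auth)
        finally:
            httpd.shutdown()
            httpd.server_close()
        blocked = validate_http01("127.0.0.1", free_closed_port(), token, key_auth)
    return {"port_open": reachable, "port_blocked": blocked}


if __name__ == "__main__":
    for scenario, (ok, reason) in run_demo().items():
        print(f"{scenario}: {'validated' if ok else 'Validation failed'} ({reason})")
```

Against a real host the same check is a plain HTTP request to the token URL from outside the network; if that request cannot connect, opening port 80 in the firewall (and any cloud security group) is the fix, independent of whether nginx then redirects everything else to 443.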

When you say you “enabled port 80”, are you talking about a firewall command, or something more (like a change to gitlab.rb)? I have port 80 open and it still doesn’t work. Did you have to disable https or something?