Autorenewal Letsencrypt failed - couldn't get it work again


I received an email of Letsencrypt about my certificate for my GitLab server.
Now I was trying to renew it, but it keeps failing and I’m not very experienced so would like some help. :slight_smile:

This is in my /etc/gitlab/gitlab.rb file

    ## GitLab URL
    ##! URL on which GitLab will be reachable.
    ##! For more details on configuring external_url see:

    external_url 'https://gitlab.***.**'
    letsencrypt['enable'] = true
    letsencrypt['contact_emails'] = ['***']

    #registry_external_url "https://gitlab.***.**"

    letsencrypt['auto_renew'] = true

    letsencrypt['auto_renew_hour'] = "12"
    letsencrypt['auto_renew_minute'] = "00"
    letsencrypt['auto_renew_day_of_month'] = "*/7" 

I’ve also tried to add this line:

nginx['custom_gitlab_server_config'] = "location /.well-known/acme-challenge/ {\n root /var/opt/gitlab/nginx/www/; \n}\n"

I’ve tried to remove all files in /etcgitlab/ssl, but that didn’t help. A .crt, .key and .key-staging file are created every attempt again.

Running sudo gitlab-ctl reconfigure gives this error:

    Error executing action `create` on resource 'letsencrypt_certificate[gitlab.***.**]'

    acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: RuntimeError: [gitlab.***.**] Validation failed for domain gitlab.***.**

    Cookbook Trace:
    /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:93:in `block (2 levels) in class_from_file'
    /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `map'
    /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `block in class_from_file'

    Resource Declaration:
    # In /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/recipes/http_authorization.rb

      3: letsencrypt_certificate site do
      4:   fullchain node['gitlab']['nginx']['ssl_certificate']
      5:   key node['gitlab']['nginx']['ssl_certificate_key']
      6:   notifies :run, "execute[reload nginx]", :immediate
      7:   notifies :run, 'ruby_block[display_le_message]'
      8: end

    Compiled Resource:
    # Declared in /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/recipes/http_authorization.rb:3:in `from_file'

    letsencrypt_certificate("gitlab.***.**") do
      action [:create]
      updated true
      updated_by_last_action true
      default_guard_interpreter :default
      declared_type :letsencrypt_certificate
      cookbook_name "letsencrypt"
      recipe_name "http_authorization"
      fullchain "/etc/gitlab/ssl/gitlab.***.**.crt"
      key "/etc/gitlab/ssl/gitlab.***.**.key"
      alt_names []
      cn "gitlab.***.**"

    System Info:
    ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]

Running handlers:
There was an error running gitlab-ctl reconfigure:

letsencrypt_certificate[gitlab.***.**] (letsencrypt::http_authorization line 3) had an error: RuntimeError: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: RuntimeError: [gitlab.***.**] Validation failed for domain gitlab.***.**

Both port 80 and 443 are forwarded to my server. Could the problem be in being redirected to https for the control part of letsencrypt? Therefore I added the nginx line as noted above but I don’t know.



Could you try this: LetsEncrypt certificates fail in domain validation


I’ve already tried to add the nginx part to the configuration, but with no result. :frowning:


If you are using the HTTP-01 challenge type: LetsEncrypt certificates fail in domain validation