Can't get Let's Encrypt certificates

Hi there. I can’t seem to get the automated certificate issuing feature to work correctly. Despite all my efforts, I keep getting the following error:
```
There was an error running gitlab-ctl reconfigure:

letsencrypt_certificate[xxxx.xxxx.com] (letsencrypt::http_authorization line 5) had an error: RuntimeError: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error: RuntimeError: ruby_block[create certificate for xxxx.xxxx.com] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb line 108) had an error: RuntimeError: [xxxx.xxxx.com] Validation failed, unable to request certificate
```

I’ve already perused these issues:


And tried all the steps outlined in them, to no avail. I’ve tried to test whether port 80 is open by telnet-ing to it, which worked fine. I’m at a loss as to why this might be failing. This is a production install - I tested the omnibus installer on the same machine and it worked fine then, but when it came time to wipe and reinstall, I couldn’t get it to work. If anyone has any suggestions or information, it would be much appreciated.

I too am having this problem on my first-ever install of GitLab in my environment, which I began today. Fresh install of Omnibus on Ubuntu 18.04 LTS with ports 80 and 443 confirmed working on my firewall. I made sure that I can get to the .well_known folder from an outside computer on port 80 using a test file and that my firewall isn’t blocking anything. I don’t get it.

I ended up bypassing the issue by using `certbot --webroot`, turned off the default GitLab Let’s Encrypt settings, then modified the ssl_certificate/key directives to point to the default Let’s Encrypt certbot location.

Yes, I’m probably going to use acme.sh and bypass GitLab’s inbuilt letsencrypt because I need to set up some other subdomains also.

Hi vidurb,

For multiple hostnames, have a look at the alt_names setting:

```
# grep alt_names /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/attributes/default.rb
default['letsencrypt']['alt_names'] = []
```

It looks like you can set an array of hostnames to include with the certificate request. Note that if the sub-domain is different, verification may need to be performed for each sub-domain.