Docker based GitLab SSL renew

I’m using a Docker-based GitLab and everything was fine for a long time until now, when the SSL date ended. Usually I run docker exec gitlab-gitlab-1 gitlab-ctl reconfigure and the SSL is renewed. But this time I get an error:

Running handlers:
There was an error running gitlab-ctl reconfigure:

letsencrypt_certificate[nedotousal.beget.app] (letsencrypt::http_authorization line 6) had an error: KeyError: acme_certificate[staging] (letsencrypt::http_authorization line 43) had an error: KeyError: key not found: "token"

[2026-03-26T12:31:34+00:00] ERROR: Running exception handlers
Running handlers complete
[2026-03-26T12:31:34+00:00] ERROR: Exception handlers complete
Infra Phase failed. 0 resources updated in 23 seconds
[2026-03-26T12:31:34+00:00] FATAL: Stacktrace dumped to /opt/gitlab/embedded/cookbooks/cache/cinc-stacktrace.out
[2026-03-26T12:31:34+00:00] FATAL: ---------------------------------------------------------------------------------------
[2026-03-26T12:31:34+00:00] FATAL: PLEASE PROVIDE THE CONTENTS OF THE stacktrace.out FILE (above) IF YOU FILE A BUG REPORT
[2026-03-26T12:31:34+00:00] FATAL: ---------------------------------------------------------------------------------------
[2026-03-26T12:31:34+00:00] FATAL: KeyError: letsencrypt_certificate[nedotousal.beget.app] (letsencrypt::http_authorization line 6) had an error: KeyError: acme_certificate[staging] (letsencrypt::http_authorization line 43) had an error: KeyError: key not found: "token"

Has anybody had such a problem? How can I solve it?

The error key not found: "token" means Let’s Encrypt’s ACME challenge couldn’t complete with HTTP. GitLab wrote the challenge file but never got a valid token response back, which usually means that port 80 is not reachable from the public internet.

Verify port 80 is reachable:

  1. From outside of the server, run curl against http://
     curl -v http://gitlab.example.com/.well-known/acme-challenge/test
  2. The hosting provider might have firewall rules in place, too, that specifically block port 80.
  3. Confirm that docker-compose exposes port 80 in the ports section.

I checked with

curl http://gitlab.example.com/.well-known/acme-challenge/test-file

and got a 404. But there was a file named “test-file”. So I think that port 80 was available.

The solution for my problem was to create new certs with certbot from the host machine, copy them to the container and change the paths in gitlab.rb. I also disabled letsencrypt in gitlab.
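The workaround from the last post, written out as an added example (not the poster's own commands). It assumes certbot has already issued the certificate on the host under /etc/letsencrypt/live/<domain> and that GitLab reads certificates from /etc/gitlab/ssl inside the container; the hostname is a placeholder and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: install a certbot-issued certificate into a Docker-based GitLab.
# Assumptions: certificate already issued on the host by certbot; the container
# keeps its certificates in /etc/gitlab/ssl.
DOMAIN="${DOMAIN:-gitlab.example.com}"       # placeholder hostname
CONTAINER="${CONTAINER:-gitlab-gitlab-1}"    # container name used in the thread
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"

# Print the gitlab.rb settings that turn off the built-in Let's Encrypt
# integration and point NGINX at the manually installed files.
gitlab_rb_settings() {
    printf "letsencrypt['enable'] = false\n"
    printf "nginx['ssl_certificate'] = \"/etc/gitlab/ssl/%s.crt\"\n" "$1"
    printf "nginx['ssl_certificate_key'] = \"/etc/gitlab/ssl/%s.key\"\n" "$1"
}

# Succeed only if certificate $1 and key $2 share a public key and the
# certificate stays valid for at least $3 more days (default 14).
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "cert/key mismatch" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend $(( ${3:-14} * 86400 )) >/dev/null ||
        { echo "certificate expires within ${3:-14} days" >&2; return 1; }
}

# Validate the pair on the host, then copy it into the container.
install_certs() {
    check_pair "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" || return 1
    docker exec "$CONTAINER" mkdir -p /etc/gitlab/ssl
    # -L follows certbot's live/ symlinks so the real files are copied.
    docker cp -L "$LIVE_DIR/fullchain.pem" "$CONTAINER:/etc/gitlab/ssl/$DOMAIN.crt"
    docker cp -L "$LIVE_DIR/privkey.pem" "$CONTAINER:/etc/gitlab/ssl/$DOMAIN.key"
    # Keep the private key readable by root only inside the container.
    docker exec "$CONTAINER" chmod 600 "/etc/gitlab/ssl/$DOMAIN.key"
    docker exec "$CONTAINER" gitlab-ctl reconfigure
}

# Nothing is changed unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    gitlab_rb_settings "$DOMAIN"   # add these lines to /etc/gitlab/gitlab.rb first
    install_certs
fi
```

With Let's Encrypt disabled in GitLab, renewal is no longer automatic: the copy step has to be repeated after each certbot renewal. When only the file contents change and gitlab.rb does not, NGINX needs `gitlab-ctl hup nginx` to pick up the new certificate.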