Fails to create new lets encrypt certificate - Error 404

All was going well but my certificate expired before I renewed and now I can’t renew and I think it is due to the https redirecting , been trying to turn that all temporary but am getting no where fast, I also thought that lets encrypt was set to be allowed to use http… help much appreciated

Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from

Here is the nginx file

upstream gitlab-workhorse {
server unix:/var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;

Non-secure redirects to secure (except for LetsEncrypt)

server {
listen [::]:80 ipv6only=on;
server_tokens off;

Don’t show the nginx version number, a security best practice

Handle LetsEncrypt validation

location ~ /.well-known {
allow all;
root /usr/share/nginx/html;

location ~ /\.well-known/acme-challenge/  {
  allow all;
root /usr/share/nginx/html;


Redirect all other requests to secure

location / {
return 301 https://$http_host$request_uri;

Secure does all the real work

server {
listen ssl;
listen [::]:443 ssl ipv6only=on;
server_tokens off;

Strong SSL Security &

ssl on;
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;

GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;

Individual nginx logs for this GitLab vhost

access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;

location / {
client_max_body_size 0;
gzip off;

## Some requests take more than 30 seconds.
proxy_read_timeout      300;
proxy_connect_timeout   300;
proxy_redirect          off;
proxy_http_version 1.1;
proxy_set_header    Host      ;
proxy_set_header    X-Forwarded-Host    "";
proxy_set_header    X-Real-IP           $remote_addr;
proxy_set_header    X-Forwarded-Ssl     on;
proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
proxy_set_header    X-Forwarded-Proto   $scheme;
proxy_pass http://gitlab-workhorse;


error_page 404 /404.html;
error_page 422 /422.html;
error_page 500 /500.html;
error_page 502 /502.html;
location ~ ^/(404|422|500|502).html$ {
root /opt/gitlab/embedded/service/gitlab-rails/public;

Also include LetsEncrypt on secure

location ~ /.well-known {
root /usr/share/nginx/html;

and my git.rb

nginx[‘enable’] = false

You don’t need any special configuration of gitlab_git_http_server

external_url ‘’ # No port number here, but with HTTPS
web_server[‘external_users’] = [‘nginx’]
gitlab_rails[‘trusted_proxies’] = [ ‘’, ‘’, ‘2001:0db8::/32’ ]

If I understood you correctly, the error could be related to Strict HTTP Transport. This is set in GitLab and basically means once a client accesses GitLab via HTTPS it can never downgrade to HTTP (prevents downgrading to HTTP for a MITM attack).

I’m not completely sure I’ve understood you correctly, though. Is this the problem you’ve been experiencing?

that sounds like it could be correct… I can now visit the site but have to agree to out of date certificate but I cannot get lets encypt to create new one due to 404.

Apologies I am still stuck does anyone have suggested steps to resolve this please ?

1 Like

I’m having the same problem. This is the most jacked up process I’ve ever seen. There is no logical way to activate Let’s Encrypt on a pages site that doesn’t already have a valid SSL certificate.