Help :: Letsencrypt configuration behind my home NAT not succeeding

Hello Friends:

I’m setting up my own instance of GitLab CE at home using version gitlab-ce-12.8.7-ce.0.el7.x86_64. Once confident that I understand it well enough and have things sufficiently locked down, I’ll clone it onto some cloud vps provider.

I’m having trouble getting the letsencrypt component to successfully complete in this NAT scenario (which I’m sure others have tried).

Here is my error, followed by the setup actions I performed:

user$ sudo gitlab-ctl reconfigure

Error:

Running handlers:
There was an error running gitlab-ctl reconfigure:

letsencrypt_certificate[gitlab.example.com]
(letsencrypt::http_authorization line 5) had an error:

RuntimeError: acme_certificate[staging]
   (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/
    resources/certificate.rb line 25) had an error:

RuntimeError: ruby_block[create certificate for gitlab.example.com]
   (/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/
    certificate.rb line 108) had an error: RuntimeError:
    [gitlab.example.com] Validation failed, unable to request certificate

My Entries in /etc/gitlab/gitlab.rb:

user$ sudo egrep "letsencrypt|external_url '" /etc/gitlab/gitlab.rb 
external_url            'https://gitlab.example.com'
registry_external_url   'https://registry.gitlab.example.com'
mattermost_external_url 'https://mattermost.gitlab.example.com'
letsencrypt['enable']                  = true
letsencrypt['contact_emails']          = ['joe@gitlab.example.com', 'jane@gitlab.example.com']
letsencrypt['group']                   = 'root'
letsencrypt['key_size']                = 2048
letsencrypt['owner']                   = 'root'
letsencrypt['wwwroot']                 = '/var/opt/gitlab/nginx/www'
letsencrypt['auto_renew']              = true
letsencrypt['auto_renew_hour']         = 0
letsencrypt['auto_renew_minute']       = nil
letsencrypt['auto_renew_day_of_month'] = "*/4"

DNS and Port-Forwarding Setup:

I also have DNS A-Records for each of the three relevant domains above, all of which point to my ISP static IP address:

gitlab.example.com             --> My-ISP-Static-IP-Address
registry.gitlab.example.com    --> My-ISP-Static-IP-Address
mattermost.gitlab.example.com  --> My-ISP-Static-IP-Address

And finally, I have my WAN router port-forwarding requests to port 80 and 443 from that static ISP IP-Address to the IP-Address of my home GitLab server (which, just for completeness, is 192.168.0.10 and with hostname vps10). FYI: The hostname of that home GitLab server is not gitlab.example.com; it is simply vps10, because it performs functions besides hosting GitLab. I don’t think it needs to be the same.

I’m a GitLab newbie and (while technical) I don’t understand the error message, or the error log messages. Can friends here help with what I might have missed?

Thank you in advance!

I figured out the problem with the help of the guys over here:

My ISP is blocking port 80, and one of the moderators provided an alternate means for manually generating certificates in those cases.

Now I just need to figure out where to copy those manually generated certificates so it applies site-wide on my GitLab instance (not just on a per-project basis). Anyone know where? Likely under the nginx document root somewhere, but I’m not certain. Will tinker.
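The root cause above (port 80 blocked upstream, so the HTTP-01 challenge can never reach nginx) can be caught before running reconfigure. The preflight below is an added example and not code from this thread or from GitLab; it assumes a bash-compatible sh with dig and curl installed, the three URL keys shown in the post, and that you know your WAN address. Run it from outside your LAN, since many home routers do not hairpin the forward.

```shell
#!/bin/sh
# Preflight for Let's Encrypt HTTP-01 behind home NAT (added example).
# The CA fetches http://HOST/.well-known/acme-challenge/TOKEN on port 80 only;
# if that port is blocked by the ISP or not forwarded, validation fails exactly
# as in the gitlab-ctl reconfigure error above.

# Constructed sample of the relevant gitlab.rb lines (mirrors the post).
sample_rb() {
  printf "%s\n" \
    "external_url            'https://gitlab.example.com'" \
    "registry_external_url   'https://registry.gitlab.example.com'" \
    "mattermost_external_url 'https://mattermost.gitlab.example.com'" \
    "letsencrypt['enable']                  = true"
}

# Every hostname omnibus will request a certificate for: the main, registry
# and mattermost external URLs. Argument: path to gitlab.rb.
acme_hosts() {
  grep -E "^(external_url|registry_external_url|mattermost_external_url)[[:space:]]+'https://" \
    "${1:-/etc/gitlab/gitlab.rb}" \
    | sed -E "s|^[a-z_]+[[:space:]]+'https://([^/']+).*|\1|"
}

# Does the public A record match the expected WAN address?
dns_ok() { [ "$(dig +short "$1" A | tail -n1)" = "$2" ]; }

# Can an outside client reach port 80? A 404 for a random token is fine: it
# proves the path reaches nginx. curl reports 000 on timeout/refused.
http01_reachable() {
  code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' \
    "http://$1/.well-known/acme-challenge/preflight-$$")
  [ "$code" != "000" ]
}

# Usage: preflight /etc/gitlab/gitlab.rb 203.0.113.10   (WAN IP is a placeholder)
preflight() {
  rb="$1"; wan_ip="$2"; rc=0
  for host in $(acme_hosts "$rb"); do
    if ! dns_ok "$host" "$wan_ip"; then
      echo "FAIL $host: A record does not resolve to $wan_ip"; rc=1
    elif ! http01_reachable "$host"; then
      echo "FAIL $host: port 80 unreachable (ISP block or no forward), HTTP-01 will fail"; rc=1
    else
      echo "ok   $host"
    fi
  done
  return $rc
}
```

If only port 80 fails while 443 is forwarded, HTTP-01 cannot be used and a DNS-01 issued certificate (the manual route mentioned in the follow-up) is the alternative.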