LetsEncrypt certificates fail in domain validation

Okay, I solved this myself by removing all nginx ssl path configurations and adding:

nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
4 Likes

Hello pmatos, I have exactly the same problem. Which nginx ssl path configurations did you remove to get it working?

I just had the same issue but with mattermost, I was able to fix it by commenting out

mattermost_nginx['redirect_http_to_https'] = true

and running reconfigure

2 Likes

I have the same question! What specific SSL configurations did you comment out?

I had the same issue, but, unfortunately, pmatos’s solution didn’t work for me. I’m using Gitlab from docker image gitlab/gitlab-ce:11.3.3-ce.0.

In my case the main reason for the error Validation failed for domain was the fact that during the validation process certbot puts a special file in the directory /var/opt/gitlab/nginx/www/.well-known/acme-challenge/; in my case it was something like:

/var/opt/gitlab/nginx/www/.well-known/acme-challenge/V0kLCyM7gI7q5LNxir0iIL2dSM0RimDgx91MtuBgbf9

Then Letsencrypt tries to request the file http://example.com/.well-known/acme-challenge/V0kLCyM7gI7q5LNxir0iIL2dSM0RimDgx91MtuBgbf9, but in my case this file wasn’t accessible via http!

To solve this issue I added the following line to /etc/gitlab/gitlab.rb:

nginx['custom_gitlab_server_config'] = "location /.well-known/acme-challenge/ {\n root /var/opt/gitlab/nginx/www/; \n}\n"

This makes files in the directory /var/opt/gitlab/nginx/www/.well-known/acme-challenge/ accessible via http.

Also I had to temporarily turn off https:

letsencrypt['enable'] = false

(with letsencrypt enabled my docker container couldn’t start; when the container started without letsencrypt support, I turned this option back on).

Also I removed all old certificates from /etc/gitlab/ssl/.

Then I started the docker container and ran:

gitlab-ctl renew-le-certs

New certificates successfully appeared in /etc/gitlab/ssl/. Then I ran:

gitlab-ctl reconfigure

Eventually Gitlab started successfully!

9 Likes

Thanks romka. This line fixed it for me too:

nginx['custom_gitlab_server_config'] = "location /.well-known/acme-challenge/ {\n root /var/opt/gitlab/nginx/www/; \n}\n"

I had the redirect_http_to_https settings enabled already and those alone didn’t fix it.

2 Likes

I can’t get any of this to work. I’m not sure but does my subdomain have to be available in DNS for letsencrypt to be able to verify it?

I’m pretty sure this is the dumbest of all solutions, but I simply forgot to turn off apache2 since it is blocking the port 80.

Solved the issue for me:

letsencrypt['enable'] = true
letsencrypt['auto_renew'] = true
letsencrypt['auto_renew_hour'] = 0
letsencrypt['auto_renew_minute'] = 30
letsencrypt['auto_renew_day_of_month'] = "*/4"
nginx['custom_gitlab_server_config'] = "location /.well-known/acme-challenge/ {\n root /var/opt/gitlab/nginx/www/; \n}\n"
1 Like

Thx a lot mate :slight_smile:

Related to the port 80:

  • HTTP-01:
    “Let’s Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>”
  • DNS-01:
    “This challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name.”

About the challenge types:

ACME client:

1 Like
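As an added check (not code from this thread or from omnibus-gitlab), the Python pre-flight below writes a constructed token into the challenge directory romka names, fetches it the way the CA would (plain http on port 80, redirects not followed) and maps the answer onto the failure modes reported here: a redirect to https, a 404 because no location serves the directory, nothing listening on port 80, and an external_url that is not https. The script name le_preflight.py is assumed; the function preflight() accepts a fetch callable so it can be exercised without a server.

```python
import os, sys, secrets
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

ACME_PREFIX = "/.well-known/acme-challenge/"

def challenge_url(external_url, token):
    # The CA fetches the token over plain http on port 80; external_url itself must be https.
    parts = urlsplit(external_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("external_url must look like https://host (the 'forgot httpS' mistake)")
    return urlunsplit(("http", parts.hostname, ACME_PREFIX + token, "", ""))

class _NoRedirect(HTTPRedirectHandler):  # never follow redirects: a 301 to https is a finding
    def redirect_request(self, *args, **kwargs):
        return None

def fetch_no_redirect(url):
    # Returns (status, Location header, body); status 0 means nothing answered on port 80.
    try:
        with build_opener(_NoRedirect).open(Request(url), timeout=10) as r:
            return r.status, r.headers.get("Location"), r.read().decode(errors="replace")
    except HTTPError as e:  # 3xx/4xx/5xx land here because redirects are not followed
        return e.code, e.headers.get("Location"), ""
    except URLError as e:
        return 0, None, str(e.reason)

def diagnose(status, location, body, expected):
    # Map the response onto the failure modes reported in this thread.
    if status == 0:
        return "connection failed: nothing answering on port 80 (another web server or a firewall?)"
    if status in (301, 302, 307, 308) and (location or "").startswith("https://"):
        return "redirected to https: the port-80 redirect fires before the acme-challenge location"
    if status == 404:
        return "404: nginx serves nothing from the acme-challenge dir (custom_gitlab_server_config missing?)"
    if status == 200 and body.strip() == expected:
        return "ok: token served over plain http"
    return f"unexpected response: status {status}"

def preflight(external_url, token, expected, fetch=fetch_no_redirect):
    return diagnose(*fetch(challenge_url(external_url, token)), expected)

if __name__ == "__main__":  # usage: sudo python3 le_preflight.py https://gitlab.example.com
    token = "preflight-" + secrets.token_urlsafe(16)  # constructed test token, not a real ACME one
    path = "/var/opt/gitlab/nginx/www" + ACME_PREFIX + token  # omnibus webroot named in the thread
    with open(path, "w") as f:
        f.write(token)
    try: print(preflight(sys.argv[1], token, token))
    finally: os.remove(path)
```

Run it from the GitLab host before gitlab-ctl renew-le-certs; anything other than the "ok" line points at the post above that fixes that particular cause.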

Yet regarding the “DNS challenge” (DNS-01), I found this other topic: Validation Of Let's Encrypt - Help - Let's Encrypt Community Support

Needed to do this when upgrading to v12.0.0

It won’t validate for me. I’ve added a test.html file to the /var/opt/gitlab/nginx/www/.well-known/acme-challenge/ folder and can access it via:
http://gitlab.notarealdomain.comcom/.well-known/acme-challenge/test.html

I can’t access the random file letsencrypt needs to access though because it gets deleted by the system automatically. It looks like it gets deleted before the validation runs? Would that be the cause? Here is the output:

  • file[/var/opt/gitlab/nginx/www/.well-known/acme-challenge/_KXmRB3XKk-aIs-Z98NZc_q2nNhLML-HDvADsPIn3vU] action delete
    - delete file /var/opt/gitlab/nginx/www/.well-known/acme-challenge/_KXmRB3XKk-aIs-Z98NZc_q2nNhLML-HDvADsPIn3vU <— file gets deleted there
    • ruby_block[create certificate for gitlab.notarealdomain.comcom] action run
      Error executing action run on resource ‘ruby_block[create certificate for gitlab.notarealdomain.comcom]’

      RuntimeError

      [gitlab.notarealdomain.comcom] Validation failed, unable to request certificate

Got a quite similar error.
It was my mistake, tho.
I’ve forgotten to change the external URL from http to httpS.

That’s precious advice. Solved my issue after a 3 hour struggle.

If anyone still has a problem with letsencrypt certificates after a gitlab update, I resolved the issue by including the custom_gitlab_server_config posted above AND removing the current certs from /etc/gitlab/ssl/. gitlab-ctl reconfigure did run successfully afterwards :grinning:

1 Like

I faced a similar problem/error.

@romka 's answer helped me.

Here are the detailed steps: https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4900#note_292031191

Roman! You’ve helped me so much! I tried to solve it for as long as possible :frowning:
Thanks!

If someone still has this kind of problem, first you need to verify that the following properties are set correctly in /etc/gitlab/gitlab.rb:

  • use HTTPS on external_url 'https://yourdomain.com'
  • enable LetsEncrypt on letsencrypt['enable'] = true
  • set contact email for LetsEncrypt on letsencrypt['contact_emails'] = ['youremail@company.com']

Other properties can be set to their defaults.

1 Like