Renewing SSL certificate doesn't work ACME version 1 still active?

Hi, so I am trying to upgrade our office GitLab server. However, I run into the following issues.

I am on an old GitLab version and I cannot normally upgrade to 12.

Currently I run:

Distributor ID: Debian
Description: Debian GNU/Linux 9.11 (stretch)
Release: 9.11
Codename: stretch

GitLab 11.10.4

So simply renewing with gitlab-ctl (what I want to do now) gives me the following issues:

There was an error running gitlab-ctl reconfigure:

letsencrypt_certificate[gitlab.mcs-nl.com] (letsencrypt::http_authorization line 3) had an error: Acme::Client::Error::Unauthorized: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: Acme::Client::Error::Unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See end-of-life-plan-for-acmev1/88430 for details.

gitlab-ctl renew-le-certs also gives me a comparable issue.

root@gitlab:~# gitlab-ctl renew-le-certs

Starting Chef Client, version 13.6.4
resolving cookbooks for run list: ["gitlab::letsencrypt_renew"]
Synchronizing Cookbooks:

  • gitlab (0.0.1)
  • package (0.1.0)
  • postgresql (0.1.0)
  • redis (0.1.0)
  • registry (0.1.0)
  • mattermost (0.1.0)
  • consul (0.1.0)
  • gitaly (0.1.0)
  • letsencrypt (0.1.0)
  • nginx (0.1.0)
  • runit (4.3.0)
  • acme (3.1.0)
  • crond (0.1.0)
  • compat_resource (12.19.1)
    Installing Cookbook Gems:
    Compiling Cookbooks…
    Converging 14 resources
    Recipe: letsencrypt::enable
  • ruby_block[http external-url] action run (skipped due to only_if)
    Recipe:

  • service[nginx] action nothing (skipped due to action :nothing)
    Recipe: nginx::enable

  • runit_service[nginx] action enable

    • ruby_block[restart_service] action nothing (skipped due to action :nothing)
    • ruby_block[restart_log_service] action nothing (skipped due to action :nothing)
    • ruby_block[reload_log_service] action nothing (skipped due to action :nothing)
    • directory[/opt/gitlab/sv/nginx] action create (up to date)
    • template[/opt/gitlab/sv/nginx/run] action create (up to date)
    • directory[/opt/gitlab/sv/nginx/log] action create (up to date)
    • directory[/opt/gitlab/sv/nginx/log/main] action create (up to date)
    • template[/opt/gitlab/sv/nginx/log/run] action create (up to date)
    • template[/var/log/gitlab/nginx/config] action create (up to date)
    • directory[/opt/gitlab/sv/nginx/env] action create (up to date)
    • ruby_block[Delete unmanaged env files for nginx service] action run (skipped due to only_if)
    • template[/opt/gitlab/sv/nginx/check] action create (skipped due to only_if)
    • template[/opt/gitlab/sv/nginx/finish] action create (skipped due to only_if)
    • directory[/opt/gitlab/sv/nginx/control] action create (up to date)
    • link[/opt/gitlab/init/nginx] action create (up to date)
    • file[/opt/gitlab/sv/nginx/down] action delete (up to date)
    • directory[/opt/gitlab/service] action create (up to date)
    • link[/opt/gitlab/service/nginx] action create (up to date)
    • ruby_block[wait for nginx service socket] action run (skipped due to not_if)
      (up to date)
  • execute[reload nginx] action nothing (skipped due to action :nothing)
    Recipe: letsencrypt::enable

  • directory[/etc/gitlab/ssl] action create (up to date)

  • acme_selfsigned[gitlab.mcs-nl.com] action create

    • file[gitlab.mcs-nl.com SSL selfsigned key] action create_if_missing (up to date)
    • file[gitlab.mcs-nl.com SSL selfsigned crt] action create_if_missing (up to date)
    • file[gitlab.mcs-nl.com SSL selfsigned chain] action create_if_missing (skipped due to not_if)
      (up to date)
      Recipe: letsencrypt::http_authorization
  • letsencrypt_certificate[gitlab.mcs-nl.com] action create

    • acme_certificate[staging] action create

      ================================================================================
      Error executing action create on resource 'acme_certificate[staging]'

      Acme::Client::Error::Unauthorized

      Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See end-of-life-plan-for-acmev1/88430 for details.

      Cookbook Trace:

      /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:39:in `acme_client'
      /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:48:in `acme_authz_for'
      /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:69:in `block (2 levels) in class_from_file'
      /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `map'
      /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `block in class_from_file'

      Resource Declaration:

      suppressed sensitive resource output

      Compiled Resource:

      suppressed sensitive resource output

      System Info:

      chef_version=13.6.4
      platform=debian
      platform_version=9.11
      ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]
      program_name=/opt/gitlab/embedded/bin/chef-client
      executable=/opt/gitlab/embedded/bin/chef-client

    ================================================================================
    Error executing action create on resource 'letsencrypt_certificate[gitlab.mcs-nl.com]'

    Acme::Client::Error::Unauthorized

    acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: Acme::Client::Error::Unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See /t/end-of-life-plan-for-acmev1/88430 for details.

    Cookbook Trace:

    /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:39:in `acme_client'
    /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:48:in `acme_authz_for'
    /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:69:in `block (2 levels) in class_from_file'
    /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `map'
    /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `block in class_from_file'

    Resource Declaration:

    In /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/recipes/http_authorization.rb

    3: letsencrypt_certificate site do
    4:   fullchain node['gitlab']['nginx']['ssl_certificate']
    5:   key node['gitlab']['nginx']['ssl_certificate_key']
    6:   notifies :run, "execute[reload nginx]", :immediate
    7:   notifies :run, 'ruby_block[display_le_message]'
    8: end

    Compiled Resource:

    Declared in /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/recipes/http_authorization.rb:3:in `from_file'

    letsencrypt_certificate("gitlab.mcs-nl.com") do
      action [:create]
      default_guard_interpreter :default
      declared_type :letsencrypt_certificate
      cookbook_name "letsencrypt"
      recipe_name "http_authorization"
      fullchain "/etc/gitlab/ssl/gitlab.mcs-nl.com.crt"
      key "/etc/gitlab/ssl/gitlab.mcs-nl.com.key"
      alt_names []
      cn "gitlab.mcs-nl.com"
    end

    System Info:

    chef_version=13.6.4
    platform=debian
    platform_version=9.11
    ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]
    program_name=/opt/gitlab/embedded/bin/chef-client
    executable=/opt/gitlab/embedded/bin/chef-client

Running handlers:
Running handlers complete
Chef Client failed. 0 resources updated in 08 seconds
There was an error renewing Let’s Encrypt certificates, please checkout the output

I tried to talk to the ACMEv2 Let's Encrypt API in Ruby; that didn't help either.

(I adjusted some links; new users are limited to 10 URLs per post.)
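The error above is the ACME server refusing a client that still speaks the pre-RFC ACMEv1 protocol. An ACMEv2 directory document (RFC 8555, section 7.1.1) advertises different resource names than a v1 directory, so a renewal job can tell which protocol an endpoint speaks before it tries to create an account. The check below is an added example, not code from this thread or from GitLab's cookbooks; the directory documents and `example.test` URLs in it are constructed, and `audit_configured_endpoint` is a name chosen here for illustration.

```python
"""Tell an ACMEv1 directory from an ACMEv2 (RFC 8555) one.

Added example, not from the forum thread or GitLab's letsencrypt/acme cookbooks.
The sample directory documents below are constructed for the demonstration.
"""
import json
import urllib.request

# Resource names published by Let's Encrypt's pre-RFC ACMEv1 directory.
ACME_V1_KEYS = {"new-reg", "new-authz", "new-cert", "revoke-cert"}
# Resource names an ACMEv2 directory must publish (RFC 8555, section 7.1.1).
ACME_V2_KEYS = {"newNonce", "newAccount", "newOrder", "revokeCert", "keyChange"}


def classify_acme_directory(directory: dict) -> str:
    """Return 'v2', 'v1' or 'unknown' for a parsed ACME directory document."""
    keys = set(directory)
    if ACME_V2_KEYS <= keys:
        return "v2"
    if ACME_V1_KEYS & keys:
        return "v1"
    return "unknown"


def renewal_will_fail(directory: dict) -> bool:
    """True when the endpoint no longer suits a renewal job that needs ACMEv2.

    A v1 directory means account creation (and therefore first-time issuance
    on a fresh node) is refused, which is exactly the error in the thread.
    """
    return classify_acme_directory(directory) != "v2"


def fetch_directory(url: str, timeout: float = 10.0) -> dict:
    """Fetch and parse a live directory document (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def audit_configured_endpoint(url: str, fetch=fetch_directory) -> dict:
    """Report on the directory URL a renewal job is configured to use.

    `fetch` is injectable so the audit can be run offline against a stored or
    constructed directory document.
    """
    directory = fetch(url)
    version = classify_acme_directory(directory)
    return {
        "url": url,
        "acme_version": version,
        "needs_client_upgrade": version != "v2",
        "terms_of_service": directory.get("meta", {}).get("termsOfService"),
    }


# Constructed sample documents: same key shape as real directories, fake hosts.
SAMPLE_V1_DIRECTORY = {
    "key-change": "https://acme-v01.example.test/acme/key-change",
    "new-authz": "https://acme-v01.example.test/acme/new-authz",
    "new-cert": "https://acme-v01.example.test/acme/new-cert",
    "new-reg": "https://acme-v01.example.test/acme/new-reg",
    "revoke-cert": "https://acme-v01.example.test/acme/revoke-cert",
}
SAMPLE_V2_DIRECTORY = {
    "keyChange": "https://acme-v02.example.test/acme/key-change",
    "newAccount": "https://acme-v02.example.test/acme/new-acct",
    "newNonce": "https://acme-v02.example.test/acme/new-nonce",
    "newOrder": "https://acme-v02.example.test/acme/new-order",
    "revokeCert": "https://acme-v02.example.test/acme/revoke-cert",
    "meta": {"termsOfService": "https://acme-v02.example.test/terms"},
}

if __name__ == "__main__":
    # Offline demonstration: resolve the two constructed URLs to the samples.
    stored = {
        "https://acme-v01.example.test/directory": SAMPLE_V1_DIRECTORY,
        "https://acme-v02.example.test/directory": SAMPLE_V2_DIRECTORY,
    }
    for directory_url in stored:
        report = audit_configured_endpoint(directory_url, fetch=stored.__getitem__)
        print(json.dumps(report, indent=2))
```

Against a live CA, call `audit_configured_endpoint` with the directory URL your ACME client is configured for and the default `fetch`; a `needs_client_upgrade` of `True` means the client (here, the `acme` cookbook shipped inside the old omnibus package) must be replaced before renewal can succeed, which is why upgrading GitLab rather than rerunning `gitlab-ctl renew-le-certs` is the fix.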

So for one, with a couple of weird steps, I managed to update.

Deleting the JSON file /opt/gitlab/embedded/nodes/gitlab.domain.domain.com

Then upgrading to 11.11.x

Now, while running gitlab-ctl reconfigure, I have the following issue.

letsencrypt_certificate[gitlab.mcs-nl.com] (letsencrypt::http_authorization line 5) had an error: RuntimeError: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error: RuntimeError: ruby_block[create certificate for gitlab.mcs-nl.com] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb line 108) had an error: RuntimeError: [gitlab.mcs-nl.com] Validation failed, unable to request certificate

Okay, I fixed it by upgrading to 11.11.latest.

Then removing the JSON file again.

apt-get gitlab-ce (this will get the latest version if it is in the repository)

Then I could finally run gitlab-ctl renew-le-certs

And it's online.