Hi so I am trying to upgrade our office gitlab server. However I run into the following issues.
I am on an old gitlab version and I cannot normally upgrade to 12.
Currently I run:
Distributor ID: Debian
Description: Debian GNU/Linux 9.11 (stretch)
Release: 9.11
Codename: stretch
Gitlab 11.10.4
So simply renewing with gitlab-ctl (what I want to do now) gives me the following issues:
There was an error running gitlab-ctl reconfigure:
letsencrypt_certificate[gitlab.mcs-nl.com] (letsencrypt::http_authorization line 3) had an error: Acme::Client::Error::Unauthorized: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: Acme::Client::Error::Unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See end-of-life-plan-for-acmev1/88430 for details.
gitlab-ctl renew-le-certs also gives me a comparable issue.
root@gitlab:~# gitlab-ctl renew-le-certs
Starting Chef Client, version 13.6.4
resolving cookbooks for run list: ["gitlab::letsencrypt_renew"]
Synchronizing Cookbooks:
- gitlab (0.0.1)
- package (0.1.0)
- postgresql (0.1.0)
- redis (0.1.0)
- registry (0.1.0)
- mattermost (0.1.0)
- consul (0.1.0)
- gitaly (0.1.0)
- letsencrypt (0.1.0)
- nginx (0.1.0)
- runit (4.3.0)
- acme (3.1.0)
- crond (0.1.0)
- compat_resource (12.19.1)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 14 resources
Recipe: letsencrypt::enable
- ruby_block[http external-url] action run (skipped due to only_if)
Recipe:
- service[nginx] action nothing (skipped due to action :nothing)
Recipe: nginx::enable
- runit_service[nginx] action enable
  - ruby_block[restart_service] action nothing (skipped due to action :nothing)
  - ruby_block[restart_log_service] action nothing (skipped due to action :nothing)
  - ruby_block[reload_log_service] action nothing (skipped due to action :nothing)
  - directory[/opt/gitlab/sv/nginx] action create (up to date)
  - template[/opt/gitlab/sv/nginx/run] action create (up to date)
  - directory[/opt/gitlab/sv/nginx/log] action create (up to date)
  - directory[/opt/gitlab/sv/nginx/log/main] action create (up to date)
  - template[/opt/gitlab/sv/nginx/log/run] action create (up to date)
  - template[/var/log/gitlab/nginx/config] action create (up to date)
  - directory[/opt/gitlab/sv/nginx/env] action create (up to date)
  - ruby_block[Delete unmanaged env files for nginx service] action run (skipped due to only_if)
  - template[/opt/gitlab/sv/nginx/check] action create (skipped due to only_if)
  - template[/opt/gitlab/sv/nginx/finish] action create (skipped due to only_if)
  - directory[/opt/gitlab/sv/nginx/control] action create (up to date)
  - link[/opt/gitlab/init/nginx] action create (up to date)
  - file[/opt/gitlab/sv/nginx/down] action delete (up to date)
  - directory[/opt/gitlab/service] action create (up to date)
  - link[/opt/gitlab/service/nginx] action create (up to date)
  - ruby_block[wait for nginx service socket] action run (skipped due to not_if)
  (up to date)
- execute[reload nginx] action nothing (skipped due to action :nothing)
Recipe: letsencrypt::enable
- directory[/etc/gitlab/ssl] action create (up to date)
- acme_selfsigned[gitlab.mcs-nl.com] action create
  - file[gitlab.mcs-nl.com SSL selfsigned key] action create_if_missing (up to date)
  - file[gitlab.mcs-nl.com SSL selfsigned crt] action create_if_missing (up to date)
  - file[gitlab.mcs-nl.com SSL selfsigned chain] action create_if_missing (skipped due to not_if)
  (up to date)
Recipe: letsencrypt::http_authorization
- letsencrypt_certificate[gitlab.mcs-nl.com] action create
  - acme_certificate[staging] action create
    - file[gitlab.mcs-nl.com SSL key] action create_if_missing (up to date)
================================================================================
Error executing action `create` on resource 'acme_certificate[staging]'
Acme::Client::Error::Unauthorized
Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. Seefe-plan-for-acmev1/88430 for details.
Cookbook Trace:
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:39:in `acme_client'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:48:in `acme_authz_for'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:69:in `block (2 levels) in class_from_file'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `map'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `block in class_from_file'
Resource Declaration:
suppressed sensitive resource output
Compiled Resource:
suppressed sensitive resource output
System Info:
chef_version=13.6.4
platform=debian
platform_version=9.11
ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]
program_name=/opt/gitlab/embedded/bin/chef-client
executable=/opt/gitlab/embedded/bin/chef-client
================================================================================
Error executing action `create` on resource 'letsencrypt_certificate[gitlab.mcs-nl.com]'
Acme::Client::Error::Unauthorized
acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: Acme::Client::Error::Unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See /t/end-of-life-plan-for-acmev1/88430 for details.
Cookbook Trace:
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:39:in `acme_client'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:48:in `acme_authz_for'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:69:in `block (2 levels) in class_from_file'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `map'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `block in class_from_file'
Resource Declaration:
In /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/recipes/http_authorization.rb
3: letsencrypt_certificate site do
4: fullchain node['gitlab']['nginx']['ssl_certificate']
5: key node['gitlab']['nginx']['ssl_certificate_key']
6: notifies :run, "execute[reload nginx]", :immediate
7: notifies :run, 'ruby_block[display_le_message]'
8: end
Compiled Resource:
Declared in /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/recipes/http_authorization.rb:3:in `from_file'
letsencrypt_certificate("gitlab.mcs-nl.com") do
action [:create]
default_guard_interpreter :default
declared_type :letsencrypt_certificate
cookbook_name "letsencrypt"
recipe_name "http_authorization"
fullchain "/etc/gitlab/ssl/gitlab.mcs-nl.com.crt"
key "/etc/gitlab/ssl/gitlab.mcs-nl.com.key"
alt_names
cn "gitlab.mcs-nl.com"
end
System Info:
chef_version=13.6.4
platform=debian
platform_version=9.11
ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]
program_name=/opt/gitlab/embedded/bin/chef-client
executable=/opt/gitlab/embedded/bin/chef-client
Running handlers:
Running handlers complete
Chef Client failed. 0 resources updated in 08 seconds
There was an error renewing Let’s Encrypt certificates, please checkout the output
I tried to talk to acme2 letsencrypt api in ruby, didn’t help either.
(I adjusted some links, new users are limited to 10 URLs per post)