Omnibus GitLab Let’s Encrypt renewal error and fix
I moved source.small-tech.org, our self-hosted GitLab instance, to Eclips.is a few months ago and noticed today that the Let’s Encrypt certificate had failed to renew.
When I looked on the server, the outdated Let’s Encrypt certificates were in /etc/gitlab/ssl as expected but, when I looked in the GitLab configuration file (/etc/gitlab/gitlab.rb), the Let’s Encrypt integration section was entirely commented out.
Having absolutely no memory of how I created the original certificates, I tried enabling those settings and reconfiguring GitLab (sudo gitlab-ctl reconfigure) and got the following errors:
Error executing action `run` on resource 'ruby_block[create certificate for source.small-tech.org]'
RuntimeError
------------
[source.small-tech.org] Validation failed, unable to request certificate
Cookbook Trace:
---------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb:111:in `block (3 levels) in class_from_file'
Error executing action `create` on resource 'acme_certificate[staging]'
RuntimeError
------------
ruby_block[create certificate for source.small-tech.org] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb line 108) had an error: RuntimeError: [source.small-tech.org] Validation failed, unable to request certificate
Cookbook Trace:
---------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb:111:in `block (3 levels) in class_from_file'
Error executing action `create` on resource 'letsencrypt_certificate[source.small-tech.org]'
RuntimeError
------------
acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 26) had an error: RuntimeError: ruby_block[create certificate for source.small-tech.org] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb line 108) had an error: RuntimeError: [source.small-tech.org] Validation failed, unable to request certificate
Cookbook Trace:
---------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb:111:in `block (3 levels) in class_from_file'
There was an error running gitlab-ctl reconfigure:
letsencrypt_certificate[source.small-tech.org] (letsencrypt::http_authorization line 6) had an error: RuntimeError: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 26) had an error: RuntimeError: ruby_block[create certificate for source.small-tech.org] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb line 108) had an error: RuntimeError: [source.small-tech.org] Validation failed, unable to request certificate
The fix
Going by what worked for someone else, I did the following:
- Deleted the /etc/gitlab/ssl directory.
- Enabled the following two properties in /etc/gitlab/gitlab.rb under the Let’s Encrypt integration section:
    letsencrypt['enable'] = true
    letsencrypt['auto_renew'] = true
- Reconfigured GitLab:
    sudo gitlab-ctl reconfigure
And that seemed to fix things.
Documenting it here in hopes it might help somebody else (e.g., future me) ;)
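An added example, not part of the original post: shell checks that flag the two conditions described above, Let’s Encrypt settings that are commented out in gitlab.rb and a certificate that is close to expiry. The function names and the sample config are constructed for illustration, and openssl is assumed to be installed for the expiry check.

```shell
#!/bin/sh
# Added example (not from the original post): renewal pre-flight checks.

# Print the effective (uncommented) value of letsencrypt['<key>'] in gitlab.rb,
# or "unset" when the key is absent or only appears in a comment.
le_setting() {  # usage: le_setting <gitlab.rb> <key>
    val=$(sed -n "s/^[[:space:]]*letsencrypt\['$2'][[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    echo "${val:-unset}"
}

# Succeed only when both settings from the fix are effectively true.
renewal_configured() {  # usage: renewal_configured <gitlab.rb>
    [ "$(le_setting "$1" enable)" = "true" ] &&
        [ "$(le_setting "$1" auto_renew)" = "true" ]
}

# Succeed when the certificate stays valid for at least <days> more days.
cert_valid_for() {  # usage: cert_valid_for <cert.pem> <days>
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print a warning per problem found; non-zero exit status if any.
renewal_report() {  # usage: renewal_report <gitlab.rb> <cert.pem> <days>
    status=0
    if ! renewal_configured "$1"; then
        echo "WARN: enable=$(le_setting "$1" enable) auto_renew=$(le_setting "$1" auto_renew) in $1"
        status=1
    fi
    if [ ! -r "$2" ]; then
        echo "WARN: certificate $2 not readable"
        status=1
    elif ! cert_valid_for "$2" "$3"; then
        echo "WARN: $2 expires within $3 days ($(openssl x509 -in "$2" -noout -enddate))"
        status=1
    fi
    return $status
}

# Demo on a constructed gitlab.rb fragment with the section commented out.
demo=$(mktemp)
printf "%s\n" "# letsencrypt['enable'] = nil" "# letsencrypt['auto_renew'] = true" > "$demo"
renewal_configured "$demo" || echo "renewal not configured: enable=$(le_setting "$demo" enable)"
rm -f "$demo"
```

On the server this would be run as renewal_report /etc/gitlab/gitlab.rb /etc/gitlab/ssl/<hostname>.crt 14, for example from cron; the .crt file name is an assumption, not something the post states.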