[tech] gitlab.ucc's SSL certificate
tec
tec at ucc.gu.uwa.edu.au
Wed Dec 18 18:07:57 AWST 2019
I’ve run gitlab-ctl renew-le-certs, got an error, gitlab-ctl reconfigure, hit the same error:

letsencrypt_certificate[gitlab.ucc.asn.au] (letsencrypt::http_authorization line 3) had an error: Acme::Client::Error::Unauthorized: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: Acme::Client::Error::Unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
I looked at https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4614, set letsencrypt["enabled"] = false, ran gitlab-ctl reconfigure successfully, then enabled and re-ran. Same issue.
So, as a stop-gap type measure I’ve copied fullchain.pem from mooneye and added gitlab_rails['env'] = {"SSL_CERT_FILE" => "/env/gitlab/fullchain-2019-12-u.pem"} to the gitlab.rb file.
gitlab-ctl reconfigure ran successfully from that, so I then ran gitlab-ctl upgrade then gitlab-ctl restart (since the web server seemed down).
Unfortunately on visiting gitlab.ucc.asn.au the old certificate still seemed to be used, so I removed /opt/gitlab/embedded/nodes/gitlab.ucc.gu.uwa.edu.au.json. Still didn’t work so I moved fullchain-2019-12-u.pem to /etc/gitlab/trusted-certs and deleted /opt/gitlab/embedded/ssl/certs/cacert.pem, then ran gitlab-ctl restart.
The old cert is still being provided. No clue why.
On Monday, December 16, 2019 20:27 AWST, David Adam zanchey at ucc.gu.uwa.edu.au wrote:
On Sun, 8 Dec 2019, David Adam wrote:
> Cert Spotter is warning me that the SSL certificate for gitlab.ucc.asn.au
> expires next week. The Let's Encrypt machinery should have renewed it by
> now. Is someone able to take a look?
>
> From memory, I converted all machines including Gitlab to the official
> certbot client (instead of using acmetool), so `certbot certificates`
> might be a good command to start with.
>
> See also https://wiki.ucc.asn.au/SSLCertificates for how things should be
> set up.
This certificate has now expired.
[DAA]
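The post ends with the web server still presenting the old certificate after the file on disk was replaced. The quickest way to tell those two apart is to fingerprint the leaf certificate the server actually sends (with SNI, verification disabled so an expired cert is still fetched) and compare it with the first certificate in the fullchain.pem on disk. The script below is an added example, not code from the list post, GitLab or Let's Encrypt; the host, port and file path are assumptions, and the PEM constant is a constructed placeholder, not a real certificate.

```python
"""Compare the leaf certificate a TLS server presents with the one on disk.

Added example, not part of the original list post. The host, port and
fullchain path are assumptions; CONSTRUCTED_PEM is a placeholder built
from arbitrary bytes, not a real certificate.
"""
import base64
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed placeholder so the module runs offline; not a real certificate.
CONSTRUCTED_DER = b"constructed placeholder, not a real certificate"
CONSTRUCTED_PEM = (PEM_BEGIN + "\n"
                   + base64.b64encode(CONSTRUCTED_DER).decode() + "\n"
                   + PEM_END + "\n")


def split_pem_chain(text):
    """Return each certificate block in a PEM bundle. A fullchain.pem lists
    the leaf first, followed by the intermediates."""
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            current = [line]
        elif line == PEM_END and current is not None:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def fingerprint_der(der_bytes):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem_text):
    """Fingerprint of the first (leaf) certificate in a PEM string."""
    leaf = split_pem_chain(pem_text)[0]
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(leaf))


def served_certificate_der(host, port=443, timeout=5.0):
    """Fetch the leaf certificate the server presents for `host` (SNI set).
    Verification is disabled on purpose: we want to see what is served even
    when it has expired, which is exactly the situation being diagnosed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def diagnose(served_fp, local_fp):
    """Turn the two fingerprints into a one-line verdict."""
    if served_fp == local_fp:
        return "match: the server presents the certificate on disk"
    return ("MISMATCH: the server presents a different certificate than the "
            "file on disk; the web server is loading another path or was not "
            "reloaded after the file changed")


def compare(host, fullchain_path, port=443):
    """Fingerprint the served leaf and the on-disk leaf, then diagnose."""
    with open(fullchain_path) as f:
        local_fp = fingerprint_pem(f.read())
    served_fp = fingerprint_der(served_certificate_der(host, port))
    return "served %s\nlocal  %s\n%s" % (served_fp, local_fp,
                                          diagnose(served_fp, local_fp))


if __name__ == "__main__":
    # Usage (assumed values): python check_cert.py gitlab.example.org /etc/gitlab/fullchain.pem
    if len(sys.argv) != 3:
        sys.exit("usage: check_cert.py HOST FULLCHAIN_PEM")
    print(compare(sys.argv[1], sys.argv[2]))
```

A mismatch here says nothing about Let's Encrypt at all: it means the web server is serving some other file than the one that was just copied in, so the next check is which certificate path the web server's configuration actually points at and whether that process was reloaded after the file changed. Expiry dates are not parsed above (the standard library exposes them only after a successful verification); `openssl x509 -noout -enddate` on the PEM gives that separately.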