[tech] gitlab.ucc's SSL certificate

Coffee coffee at ucc.asn.au
Thu Dec 19 15:22:33 AWST 2019


Gitlab should be fixed now.

I couldn't get Gitlab's built-in Let's Encrypt support to work so I 
disabled it and set up certbot instead.

On 18/12/2019 6:16 pm, tec wrote:
>
> Also seems like if one moves past the SSL expiry (typing 
> `thisisunsafe` at the page in Chrome) there's now a 502 error :(
>
> On Wednesday, December 18, 2019 18:07 AWST, "tec" 
> tec at ucc.gu.uwa.edu.au wrote:
>
> I've run `gitlab-ctl renew-le-certs`, got an error, `gitlab-ctl 
> reconfigure`, hit the same error:
>
>     letsencrypt_certificate[gitlab.ucc.asn.au] (letsencrypt::http_authorization line 3) had an error:
>     Acme::Client::Error::Unauthorized: acme_certificate[staging]
>     (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error:
>     Acme::Client::Error::Unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME
>     client to a version that supports ACMEv2 / RFC 8555. See
>     https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
>
> I looked at https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4614, 
> set `letsencrypt["enabled"] = false`, ran `gitlab-ctl reconfigure` 
> successfully, then enabled and re-ran. Same issue.
> So, as a stop-gap type measure I've copied `fullchain.pem` from 
> mooneye and added `gitlab_rails['env'] = {"SSL_CERT_FILE" => 
> "/env/gitlab/fullchain-2019-12-u.pem"}` to the `gitlab.rb` file.
> `gitlab-ctl reconfigure` ran successfully from that, so I then ran 
> `gitlab-ctl upgrade` then `gitlab-ctl restart` (since the web server 
> seemed down).
>
> Unfortunately on visiting `gitlab.ucc.asn.au` the old certificate 
> still seemed to be used, so I removed 
> `/opt/gitlab/embedded/nodes/gitlab.ucc.gu.uwa.edu.au.json`. Still 
> didn't work so I moved `fullchain-2019-12-u.pem` to 
> `/etc/gitlab/trusted-certs` and deleted 
> `/opt/gitlab/embedded/ssl/certs/cacert.pem`, then ran `gitlab-ctl 
> restart`.
>
> The old cert is still being provided. No clue why.
>
> On Monday, December 16, 2019 20:27 AWST, David Adam 
> zanchey at ucc.gu.uwa.edu.au wrote:
>
>> On Sun, 8 Dec 2019, David Adam wrote:
>>
>> > Cert Spotter is warning me that the SSL certificate for gitlab.ucc.asn.au
>> > expires next week. The Let's Encrypt machinery should have renewed it by
>> > now. Is someone able to take a look?
>> >
>> > From memory, I converted all machines including Gitlab to the official
>> > certbot client (instead of using acmetool), so `certbot certificates`
>> > might be a good command to start with.
>> >
>> > See also https://wiki.ucc.asn.au/SSLCertificates for how things should be
>> > set up.
>>
>> This certificate has now expired.
>>
>> [DAA]
>> _______________________________________________
>> List Archives: http://lists.ucc.asn.au/pipermail/tech
>>
>> Unsubscribe here: 
>> https://lists.ucc.gu.uwa.edu.au/mailman/options/tech/tec%40ucc.gu.uwa.edu.au
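The thread above hits the two checks that matter for this kind of outage: is the certificate on disk actually renewed, and is the web server actually serving that file rather than a stale copy. The script below is an added example written for this page; it is not part of the thread and not UCC's or GitLab's own tooling. It assumes only the openssl CLI, and it assumes certbot's default layout (/etc/letsencrypt/live/<host>/fullchain.pem); the hostname passed on the command line is whatever you are checking (gitlab.ucc.asn.au in the thread).

```shell
#!/bin/sh
# Added example, not from the thread: compare the certificate a TLS endpoint
# actually serves with the fullchain.pem certbot wrote to disk, and warn when
# the on-disk certificate is close to expiry. Needs only the openssl CLI.
# Assumption: certbot's default layout, /etc/letsencrypt/live/<host>/fullchain.pem.
set -eu

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
cert_fingerprint() {  # usage: cert_fingerprint FILE
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    printf '%s\n' "${out#*=}"
}

# Expiry date (notAfter) of the leaf certificate in a PEM file.
cert_not_after() {  # usage: cert_not_after FILE
    out=$(openssl x509 -in "$1" -noout -enddate) || return 1
    printf '%s\n' "${out#notAfter=}"
}

# Succeeds (exit 0) when the leaf certificate expires within SECONDS, or has
# already expired. "openssl x509 -checkend" exits 0 while the certificate is
# still good beyond the window, so the sense is inverted here.
cert_expires_within() {  # usage: cert_expires_within SECONDS FILE
    if openssl x509 -in "$2" -noout -checkend "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Fingerprint of the leaf certificate a live endpoint presents. SNI is set so a
# name-based virtual host returns the certificate for HOST, not its default.
# Exit status is that of the x509 parse, so a refused connection fails here.
served_fingerprint() {  # usage: served_fingerprint HOST [PORT]
    out=$(openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    printf '%s\n' "${out#*=}"
}

# 0: server serves the on-disk certificate; 1: mismatch (web server not
# reloaded, or a different certificate path configured); 2: nothing usable
# could be fetched from the host.
verify_served_matches() {  # usage: verify_served_matches HOST LOCAL_PEM [PORT]
    served=$(served_fingerprint "$1" "${3:-443}") || return 2
    [ -n "$served" ] || return 2
    on_disk=$(cert_fingerprint "$2")
    if [ "$served" = "$on_disk" ]; then
        echo "$1: serving the on-disk certificate, expires $(cert_not_after "$2")"
        return 0
    fi
    echo "$1: MISMATCH served=$served on-disk=$on_disk" >&2
    return 1
}

# Stand-alone use: ./check-served-cert.sh gitlab.ucc.asn.au
if [ $# -ge 1 ]; then
    host=$1
    pem=/etc/letsencrypt/live/$host/fullchain.pem   # assumed certbot layout
    if cert_expires_within $((14 * 86400)) "$pem"; then
        echo "$host: on-disk certificate expires within 14 days ($(cert_not_after "$pem"))" >&2
    fi
    verify_served_matches "$host" "$pem"
fi
```

A mismatch with a fresh file on disk is exactly the "old cert is still being provided" state described in the thread: the renewal worked but the server never reloaded it, which is a problem the certificate file itself cannot tell you about. Running this from a certbot `--deploy-hook` (after whatever reload the server needs; for Omnibus GitLab that is assumed here to be `gitlab-ctl hup nginx`) turns the check into something that fails loudly at renewal time instead of at expiry time, and external monitoring such as the Cert Spotter alert mentioned in the thread remains the backstop for the case where the hook itself never fires.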