Can't obtain Let's Encrypt certificate
Summary
User created 2 domains: codearte.io
and www.codearte.io
and set "Auto SSL" for both of them:
I am setting this to ~P3 ~S3 since this bug will automatically go away after 24 hours once the order expires.
Steps to reproduce
Not figured out yet; the problem might be caused by 2 domains being added at the same time. But I (@vshushlin) don't understand how that might be a problem, looking at the code.
Example Project
What is the current bug behavior?
We can't obtain a Let's Encrypt certificate because we serve the wrong file content:
@error={"type"=>"urn:ietf:params:acme:error:unauthorized", "detail"=>"The key authorization file from the server did not match this challenge \"C0T8m9tDqt3f6MyvTIBgDgL4O2vQxNoGwuK-2Tii5_o.0o2gu9mwuzyyrCM1w3DpYnEv_ToHG0Bf2bHomR4QvCI\" != \"C0T8m9tDqt3f6MyvTIBgDgL4O2vQxNoGwuK-2Tii5_o.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\""
What is the expected correct behavior?
Serving the right challenge and successfully obtaining a certificate.
Relevant logs and/or screenshots
api_order = ::Gitlab::LetsEncrypt::Client.new.load_order(PagesDomain.find_by_domain('codearte.io').acme_orders.first.url)
api_order.status
=> "invalid"
api_order.send(:acme_order).authorizations.first.http.error
=> @error={"type"=>"urn:ietf:params:acme:error:unauthorized", "detail"=>"The key authorization file from the server did not match this challenge \"C0T8m9tDqt3f6MyvTIBgDgL4O2vQxNoGwuK-2Tii5_o.0o2gu9mwuzyyrCM1w3DpYnEv_ToHG0Bf2bHomR4QvCI\" != \"C0T8m9tDqt3f6MyvTIBgDgL4O2vQxNoGwuK-2Tii5_o.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\""
PagesDomain.find_by_domain('codearte.io').acme_orders.first.challenge_file_content
=> "C0T8m9tDqt3f6MyvTIBgDgL4O2vQxNoGwuK-2Tii5_o.0o2gu9mwuzyyrCM1w3DpYnEv_ToHG0Bf2bHomR4QvCI"
PagesDomain.find_by_domain('www.codearte.io').acme_orders.first.challenge_file_content
Traceback (most recent call last):
1: from (irb):2
NoMethodError (undefined method `challenge_file_content' for nil:NilClass)
api_order.send(:acme_order).authorizations.first.http.file_content
=> "C0T8m9tDqt3f6MyvTIBgDgL4O2vQxNoGwuK-2Tii5_o.0o2gu9mwuzyyrCM1w3DpYnEv_ToHG0Bf2bHomR4QvCI"
https://gitlab.com/-/acme-challenge?domain=codearte.io&token=C0T8m9tDqt3f6MyvTIBgDgL4O2vQxNoGwuK-2Tii5_o => C0T8m9tDqt3f6MyvTIBgDgL4O2vQxNoGwuK-2Tii5_o.0o2gu9mwuzyyrCM1w3DpYnEv_ToHG0Bf2bHomR4QvCI
From all the logs above we can only say that we are serving the right challenge right now.
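An HTTP-01 key authorization is `<token>.<thumbprint of the ACME account key>` (RFC 8555 §8.1, RFC 7638 thumbprint), so the two values in the error share the token and differ only in the thumbprint half, which points at the file having been generated for a different account key than the one tied to the order. The following is an added example, not GitLab's code, that computes the key authorization and classifies a served-versus-expected mismatch; the token is the one from the error above, and the two RSA keys are generated on the spot as a constructed stand-in for two accounts.

```ruby
require 'openssl'
require 'json'

# base64url without padding, as used throughout ACME.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# RFC 7638 thumbprint of an RSA public key: SHA-256 over the canonical JWK
# (members in lexicographic order, no whitespace), base64url-encoded.
def jwk_thumbprint(rsa_key)
  jwk = { 'e' => b64url(rsa_key.e.to_s(2)),
          'kty' => 'RSA',
          'n' => b64url(rsa_key.n.to_s(2)) }
  b64url(OpenSSL::Digest::SHA256.digest(JSON.generate(jwk)))
end

# HTTP-01 key authorization: "<token>.<thumbprint of the account key>".
def key_authorization(token, account_key)
  "#{token}.#{jwk_thumbprint(account_key)}"
end

# Compare what the web server serves with what the order's account key
# implies. Returns :ok, :wrong_token, :wrong_account_key or :malformed.
def diagnose(served, expected)
  s_token, s_thumb = served.to_s.split('.', 2)
  e_token, e_thumb = expected.split('.', 2)
  return :malformed if s_token.nil? || s_thumb.nil?
  return :wrong_token unless s_token == e_token
  return :wrong_account_key unless s_thumb == e_thumb
  :ok
end

# Constructed sample: the token quoted in the error above, and two freshly
# generated account keys standing in for two orders created around the
# same time (a hypothesis, not a confirmed cause).
TOKEN = 'C0T8m9tDqt3f6MyvTIBgDgL4O2vQxNoGwuK-2Tii5_o'
KEY_A = OpenSSL::PKey::RSA.new(2048)
KEY_B = OpenSSL::PKey::RSA.new(2048)

if $PROGRAM_NAME == __FILE__
  served   = key_authorization(TOKEN, KEY_A) # what the server returns
  expected = key_authorization(TOKEN, KEY_B) # what the CA computed
  puts diagnose(served, expected)            # wrong_account_key
end
```

Running `diagnose` against the two strings in the error yields `:wrong_account_key`, which is the thing to check next: which account key the served challenge file was built from versus the one the order was created under.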
Original thread: https://gitlab.com/gitlab-org/gitlab-ce/issues/64628#note_203969297
Output of checks
This bug happens on GitLab.com
Possible fixes
(If you can, link to the line of code that might be responsible for the problem)