Let's Encrypt fails on non-standard port with Validation failed for domain
Summary
Attempting to follow the new Let's Encrypt Integration outlined here - https://docs.gitlab.com/omnibus/settings/ssl.html#comment-3779747717 - I found that, as I'm using a non-standard port (8181), acme_certificate fails to be created due to a 'Validation failed for domain'.
Additional information from my original comment;
In my external_url within gitlab.rb I have this port specified;
external_url 'https://gitlab.domain.com:8181'
*domain.com isn't the actual one; I'm just using it to hide for this discussion.
Is it possible to configure the Let's Encrypt integration to use this port for its validation?
The errors I'm getting;
There was an error running gitlab-ctl reconfigure:
letsencrypt_certificate[gitlab.domain.com] (letsencrypt::http_authorization line 3) had an error: RuntimeError: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: RuntimeError: [gitlab.domain.com] Validation failed for domain gitlab.domain.com
================================================================================
Error executing action create on resource 'acme_certificate[staging]'
RuntimeError
[gitlab.domain.com] Validation failed for domain gitlab.domain.com
Original Comment - https://docs.gitlab.com/omnibus/settings/ssl.html#comment-3777259580
Steps to reproduce
- Set up GitLab CE to be accessible over a non-standard port. *For example, have external_url in gitlab.rb set to 'http://gitlab.domain.com:8181'
- Following the Let's Encrypt Integration here - https://docs.gitlab.com/omnibus/settings/ssl.html#let-39-s-encrypt-integration
2.1 Update your external_url to specify https
2.2 Add the following to /etc/gitlab/gitlab.rb;
letsencrypt['enable'] = true
letsencrypt['contact_emails'] = ['foo@email.com'] # Optional
2.3 Reconfigure/Renew Certs;
gitlab-ctl reconfigure
gitlab-ctl renew-le-certs
2.4 Is the cron setup but I never got this far as the reconfigure/renew errors out.
Example Project
This isn't applicable to gitlab.com and only available through hosted Gitlab CE
What is the current bug behavior?
When running the reconfigure/renew-le-certs I get the following error;
There was an error running gitlab-ctl reconfigure:
letsencrypt_certificate[gitlab.domain.com] (letsencrypt::http_authorization line 3) had an error: RuntimeError: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: RuntimeError: [gitlab.domain.com] Validation failed for domain gitlab.domain.com
================================================================================
Error executing action create on resource 'acme_certificate[staging]'
RuntimeError
[gitlab.domain.com] Validation failed for domain gitlab.domain.com
What is the expected correct behavior?
I should get a successful Let's Encrypt setup using the acme_certificate, so should get the .pem files and .well-known/acme-challenge files.
Relevant logs and/or screenshots
I've made a gist for the output of reconfigure and renew-le-certs commands; https://gist.github.com/garrett-eclipse/b902b6fa75fc2d172c43ee0c9d495aac *Sorry, I used GitHub :( we don't have secret snippet support yet on GitLab for these.
Output of checks
This only occurs on Self-Hosted environments
Results of GitLab environment info
System information
System: Ubuntu 16.04
Current User: git
Using RVM: no
Ruby Version: 2.3.6p384
Gem Version: 2.6.13
Bundler Version:1.13.7
Rake Version: 12.3.0
Redis Version: 3.2.11
Git Version: 2.14.3
Sidekiq Version:5.0.5
Go Version: unknown
GitLab information
Version: 10.5.1
Revision: 21c2ffe
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: http://gitlab.eclipsecreative.ca:8181
HTTP Clone URL: http://gitlab.eclipsecreative.ca:8181/some-group/some-project.git
SSH Clone URL: git@gitlab.eclipsecreative.ca:some-group/some-project.git
Using LDAP: no
Using Omniauth: no
GitLab Shell
Version: 6.0.3
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Checking GitLab Shell ...
GitLab Shell version >= 6.0.3 ? ... OK (6.0.3)
Repo base directory exists? default... yes
Repo storage directories are symlinks? default... no
Repo paths owned by git:root, or git:git? default... yes
Repo paths access is drwxrws---? default... yes
hooks directories in repos are links: ...
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Reply by email is disabled in config/gitlab.yml
Checking LDAP ...
LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.3.6)
Git version >= 2.9.5 ? ... yes (2.14.3)
Git user has default SSH configuration? ... yes
Active users: ... 6
Checking GitLab ... Finished
Possible fixes
I'm unsure of the core of this issue so have no idea how to fix.
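
Added preflight example (not part of the original report and not GitLab's own code): the failing step is `letsencrypt::http_authorization`, and under ACME (RFC 8555 section 8.3) the HTTP-01 validation request is always sent to TCP port 80 of the hostname, so the port in `external_url` is not used for it. The helper names, the token placeholder and the embedded sample config are assumptions made for illustration.

```ruby
require 'uri'
require 'socket'

# Constructed sample: the /etc/gitlab/gitlab.rb settings quoted in the report.
SAMPLE_GITLAB_RB = <<~CONF
  external_url 'https://gitlab.domain.com:8181'
  letsencrypt['enable'] = true
  letsencrypt['contact_emails'] = ['foo@email.com'] # Optional
CONF

ACME_HTTP01_PORT = 80 # RFC 8555 section 8.3: HTTP-01 is fetched over TCP port 80

# Pull external_url and letsencrypt['enable'] out of gitlab.rb text,
# skipping blank and commented-out lines.
def parse_gitlab_rb(text)
  cfg = { external_url: nil, letsencrypt_enabled: false }
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\Aexternal_url\s+['"]([^'"]+)['"]/))
      cfg[:external_url] = m[1]
    elsif (m = line.match(/\Aletsencrypt\['enable'\]\s*=\s*(true|false)\b/))
      cfg[:letsencrypt_enabled] = (m[1] == 'true')
    end
  end
  cfg
end

# Describe where the CA's validation request will land; nil when the
# Let's Encrypt integration is not enabled. The token is a placeholder.
def http01_plan(text, token = 'TOKEN-PLACEHOLDER')
  cfg = parse_gitlab_rb(text)
  return nil unless cfg[:letsencrypt_enabled] && cfg[:external_url]
  uri = URI.parse(cfg[:external_url])
  { host: uri.host, configured_port: uri.port, validation_port: ACME_HTTP01_PORT,
    validation_url: "http://#{uri.host}/.well-known/acme-challenge/#{token}" }
end

# TCP connect probe. Run from the GitLab host it only shows a local listener;
# run it from outside the network to see what the CA would see.
def port_open?(host, port, timeout = 3)
  Socket.tcp(host, port, connect_timeout: timeout) { true }
rescue SystemCallError, SocketError
  false
end

if __FILE__ == $PROGRAM_NAME
  plan = http01_plan(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_GITLAB_RB)
  puts plan.inspect
  puts "port 80 reachable: #{port_open?(plan[:host], 80)}" if plan && ARGV[0]
end
```

Passing the path to a real `gitlab.rb` as the first argument also runs the port 80 probe against the configured host.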