
letsencrypt certificates are no longer obtained


I'm running GitLab-CE v17.9.2 (omnibus), on a Debian bookworm host.

The GitLab instance is available under git.example.com, whereas GitLab pages are served under *.example.io.

All traffic is forced to HTTPS, certificates are issued by letsencrypt. The default certificates (git.example.com, example.io, *.example.io) are obtained/refreshed outside of GitLab, using DNS-01 challenges via dehydrated (an ACME client).

We've set up CAA records for both our main domain and our pages domain:

$ dig +short caa example.com
0 iodef "mailto:admin@example.com"
128 issuewild "letsencrypt.org"
128 issue "letsencrypt.org"

$ dig +short caa example.io
128 issuewild "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/7600505"
0 iodef "mailto:admin@example.com"
128 issue "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/7600505"

This works nicely.

Some pages use custom domains (e.g. foo.example.com). For these domains, we use the GitLab/letsencrypt integration. The custom domains get an A record (rather than a CNAME record):

$ dig +short A foo.example.com foo.example.io git.example.com
192.0.2.5
example.io
192.0.2.5
192.0.2.2

Everything used to work nicely as well, until...

Recently (March 9 2025) I started to get errors like:

ACTION REQUIRED: Something went wrong while obtaining the Let's Encrypt certificate for GitLab Pages domain 'foo.example.com'

Checking the pages settings via https://git.example.com/foo/foo.example.io/pages/domains/foo.example.com , I see that my DNS verification is still correct (Verification status: Verified), but there is the generic error

Something went wrong while obtaining the Let's Encrypt certificate.

Clicking Retry, it takes a couple of seconds until I get an email telling me that "Something went wrong while obtaining..."

I checked https://letsdebug.net/ to see if there appear to be any problems, but everything seems to be nice and green.

I'm lost on how to continue my search on what actually went wrong.

The certificates are expiring in about 3 weeks, so not all is lost yet, but things are getting urgent.

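An added example, not part of the original post and not GitLab's code: an offline evaluation of the two CAA record sets quoted above, following the RFC 8659 tree climb and the RFC 8657 `validationmethods`/`accounturi` parameters. It assumes the request being checked uses http-01 under an ACME account other than the one named in the records; `OTHER_ACCT` is a constructed placeholder, and the `CAA` dictionary stands in for live DNS lookups.

```python
# Added example. Record lines are copied from the `dig +short caa` output in the post.
PAGE_ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/7600505"
OTHER_ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER"  # constructed
RESTRICTED = "letsencrypt.org;validationmethods=dns-01;accounturi=" + PAGE_ACCT
CAA = {
    "example.com": ['0 iodef "mailto:admin@example.com"',
                    '128 issuewild "letsencrypt.org"',
                    '128 issue "letsencrypt.org"'],
    "example.io": ['128 issuewild "%s"' % RESTRICTED,
                   '0 iodef "mailto:admin@example.com"',
                   '128 issue "%s"' % RESTRICTED],
}

def parse(line):
    """Split one `dig +short` CAA line into (tag, issuer domain, parameters)."""
    _flags, tag, value = line.split(None, 2)
    issuer, *params = [p.strip() for p in value.strip('"').split(";")]
    return tag.lower(), issuer, dict(p.split("=", 1) for p in params if "=" in p)

def relevant_rrset(name, records=CAA):
    """Climb from the name towards the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if records.get(owner):
            return owner, [parse(line) for line in records[owner]]
    return None, []

def may_issue(name, ca, method, account_uri, records=CAA):
    """True if the CAA set for `name` permits `ca` with this method and account."""
    wildcard = name.startswith("*.")
    _owner, rrset = relevant_rrset(name[2:] if wildcard else name, records)
    issue = [r for r in rrset if r[0] == "issue"]
    issuewild = [r for r in rrset if r[0] == "issuewild"]
    props = issuewild if wildcard and issuewild else issue
    if not props:                      # nothing restricts this kind of issuance
        return True
    for _tag, issuer, params in props:
        if issuer != ca:
            continue
        methods = params.get("validationmethods")
        if methods is not None and method not in methods.split(","):
            continue                   # this record does not allow the method
        if params.get("accounturi", account_uri) != account_uri:
            continue                   # this record is bound to another account
        return True
    return False

if __name__ == "__main__":
    for name in ("foo.example.com", "foo.example.io"):
        print(name, may_issue(name, "letsencrypt.org", "http-01", OTHER_ACCT))
```

Under these assumptions the check reports which record set applies to a name and whether it would restrict the request; it does not model CNAME following or the critical flag on unknown tags.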