Let's Encrypt with Docker for Windows fails
Summary
I've installed Docker for Windows, started GitLab, migrated data from an existing GitLab instance and tried to start up with that data. When I change the URL to http and disable Let's Encrypt it works fine, but when I change the URL back to https and enable Let's Encrypt I get an error. The system is reachable via http/https/ssh from outside of the network. (Tested via LTE)
From the Windows host itself it is possible to obtain a certificate from Let's Encrypt. (staging & production)
Steps to reproduce
- Download and Install Docker for Windows
- Create GitLab-Docker-Volumes:
docker volume create gitlab-config
docker volume create gitlab-logs
docker volume create gitlab-data
- Copy existing Backup with Let's Encrypt enabled to gitlab-data and restore it or configure GitLab to use https/Let's Encrypt.
- Start GitLab-Docker:
docker run -e DEBUG=true --hostname gitlab.example.com --publish 443:443 --publish 80:80 --publish 22:22 --name gitlab --mount source=gitlab-config,target=/etc/gitlab --mount source=gitlab-logs,target=/var/log/gitlab --mount source=gitlab-data,target=/var/opt/gitlab gitlab/gitlab-ce:latest
What is the current bug behavior?
gitlab-reconfigure in the Docker container crashes at startup, trying to obtain a Let's Encrypt certificate. See logs.
What is the expected correct behavior?
GitLab should obtain a Let's Encrypt certificate, install it and start normally.
Relevant logs and/or screenshots
Recipe: letsencrypt::enable
* ruby_block[http external-url] action run
- execute the ruby block http external-url
* directory[/etc/gitlab/ssl] action create (up to date)
* acme_selfsigned[gitlab.example.com] action create
* file[gitlab.example.com SSL selfsigned key] action create_if_missing (up to date)
* file[gitlab.example.com SSL selfsigned crt] action create_if_missing (up to date)
* file[gitlab.example.com SSL selfsigned chain] action create_if_missing (skipped due to not_if)
(up to date)
Recipe: letsencrypt::http_authorization
* letsencrypt_certificate[gitlab.example.com] action create
* acme_certificate[staging] action create
* file[gitlab.example.com SSL key] action create_if_missing (up to date)
* directory[/var/opt/gitlab/nginx/www/.well-known/acme-challenge] action create (up to date)
* file[/var/opt/gitlab/nginx/www/.well-known/acme-challenge/2fEZuIyNYHNndO68sEdrw8JT0xp-NEUMhN1mcvtVEik] action create
- create new file /var/opt/gitlab/nginx/www/.well-known/acme-challenge/2fEZuIyNYHNndO68sEdrw8JT0xp-NEUMhN1mcvtVEik
- update content in file /var/opt/gitlab/nginx/www/.well-known/acme-challenge/2fEZuIyNYHNndO68sEdrw8JT0xp-NEUMhN1mcvtVEik from none to a2c9e4
--- /var/opt/gitlab/nginx/www/.well-known/acme-challenge/2fEZuIyNYHNndO68sEdrw8JT0xp-NEUMhN1mcvtVEik 2019-03-26 16:29:49.823066600 +0000
+++ /var/opt/gitlab/nginx/www/.well-known/acme-challenge/.chef-2fEZuIyNYHNndO68sEdrw8JT0xp-NEUMhN1mcvtVEik20190326-22-h6dfy4 2019-03-26 16:29:49.823066600 +0000
@@ -1 +1,2 @@
+2fEZuIyNYHNndO68sEdrw8JT0xp-NEUMhN1mcvtVEik.Lt1UsP7tGsl8ZPAqcIdAFjIDZZd7G982Yy4DqkxysTU
- change mode from '' to '0644'
- change owner from '' to 'root'
- change group from '' to 'root'
================================================================================
Error executing action `create` on resource 'acme_certificate[staging]'
================================================================================
Faraday::ConnectionFailed
-------------------------
end of file reached
Cookbook Trace:
---------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:74:in `acme_validate_immediately'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:90:in `block (2 levels) in class_from_file'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `map'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `block in class_from_file'
Resource Declaration:
---------------------
suppressed sensitive resource output
Compiled Resource:
------------------
suppressed sensitive resource output
System Info:
------------
chef_version=13.6.4
platform=ubuntu
platform_version=16.04
ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]
program_name=/opt/gitlab/embedded/bin/chef-client
executable=/opt/gitlab/embedded/bin/chef-client
================================================================================
Error executing action `create` on resource 'letsencrypt_certificate[gitlab.example.com]'
================================================================================
Faraday::ConnectionFailed
-------------------------
acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: Faraday::ConnectionFailed: end of file reached
Cookbook Trace:
---------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:74:in `acme_validate_immediately'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:90:in `block (2 levels) in class_from_file'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `map'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `block in class_from_file'
Resource Declaration:
---------------------
# In /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/recipes/http_authorization.rb
3: letsencrypt_certificate site do
4: fullchain node['gitlab']['nginx']['ssl_certificate']
5: key node['gitlab']['nginx']['ssl_certificate_key']
6: notifies :run, "execute[reload nginx]", :immediate
7: notifies :run, 'ruby_block[display_le_message]'
8: end
Compiled Resource:
------------------
# Declared in /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/recipes/http_authorization.rb:3:in `from_file'
letsencrypt_certificate("gitlab.example.com") do
action [:create]
updated true
updated_by_last_action true
default_guard_interpreter :default
declared_type :letsencrypt_certificate
cookbook_name "letsencrypt"
recipe_name "http_authorization"
fullchain "/etc/gitlab/ssl/gitlab.example.com.crt"
key "/etc/gitlab/ssl/gitlab.example.com.key"
alt_names []
cn "gitlab.example.com"
end
System Info:
------------
chef_version=13.6.4
platform=ubuntu
platform_version=16.04
ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]
program_name=/opt/gitlab/embedded/bin/chef-client
executable=/opt/gitlab/embedded/bin/chef-client
The real domain name was replaced by gitlab.example.com.
Output of checks
No checks possible, because the Docker container crashes at startup. When I disable https/letsencrypt, all gitlab:check commands do not report any problems.
Possible fixes
None
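
For triage, note that the two error blocks in the log above report a single failure: the `letsencrypt_certificate` block only re-reports the `acme_certificate[staging]` error. The following is an added example, not part of the original report or of GitLab's code; it parses Chef error blocks in this layout and picks out the underlying one. The function names are hypothetical and the sample is an excerpt of the log quoted above.

```python
import re

# Excerpt of the Chef output quoted in the report (trace cut to one frame).
SAMPLE = """\
================================================================================
Error executing action `create` on resource 'acme_certificate[staging]'
================================================================================
Faraday::ConnectionFailed
-------------------------
end of file reached
Cookbook Trace:
---------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:74:in `acme_validate_immediately'
================================================================================
Error executing action `create` on resource 'letsencrypt_certificate[gitlab.example.com]'
================================================================================
Faraday::ConnectionFailed
-------------------------
acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: Faraday::ConnectionFailed: end of file reached
"""

HEADER = re.compile(r"^Error executing action `(\w+)` on resource '(.+)'$")
WRAPPED = re.compile(r"^(\S+\[[^\]]*\]) \(.*?\) had an error: ([\w:]+): (.*)$")

def parse_failures(text):
    """Return one dict per Chef error block: resource, exception, message, frame."""
    lines = [ln.strip() for ln in text.splitlines()]
    starts = [i for i, ln in enumerate(lines) if HEADER.match(ln)]
    failures = []
    for n, i in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(lines)
        # Body of this block without blank lines and the ===/--- rules.
        body = [ln for ln in lines[i + 1:end] if ln.strip("=-")]
        msg = body[1] if len(body) > 1 else None
        wrapped = WRAPPED.match(msg or "")
        failures.append({
            "resource": HEADER.match(lines[i]).group(2),
            "exception": body[0] if body else None,
            "message": wrapped.group(3) if wrapped else msg,
            "caused_by": wrapped.group(1) if wrapped else None,
            "frame": next((ln for ln in body if ln.startswith("/")), None),
        })
    return failures

def root_causes(failures):
    """Failures that are not re-reports of another resource's error."""
    return [f for f in failures if f["caused_by"] is None]
```

On the excerpt, `root_causes(parse_failures(SAMPLE))` returns only the `acme_certificate[staging]` entry, with the `acme.rb:74` frame and the message `end of file reached`.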