Question

Gitlab site says to configure Gitlab-CE installation, what can I do to get back into my site?

Hello,

I have a droplet set up for a while with Gitlab-CE from a one-click install. I believe Gitlab was at 9.2.5 when I created the droplet.

I have tried to keep the droplet up to date, but today I noticed that the site was not working. There was an error about unsecure connection. I have had this issue before, and it was easily fixed by updating my droplet. I went and did that but still could not get into my site.

I checked the Let’s Encrypt certificate to see if it needed to be renewed with sudo certbot renew --dry-run but that showed these errors:

Attempting to renew cert (gitlab.devplateau.com) from /etc/letsencrypt/renewal/gitlab.devplateau.com.conf produced an unexpected error: Failed authorization procedure. gitlab.devplateau.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://gitlab.devplateau.com/.well-known/acme-challenge/HSNFfdwytBVlEdmalsrX1gGxfVn3WtNI0YK8Pm6JtPo: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/gitlab.devplateau.com/fullchain.pem (failure)

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/gitlab.devplateau.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: gitlab.devplateau.com
   Type:   unauthorized
   Detail: Invalid response from
   http://gitlab.devplateau.com/.well-known/acme-challenge/HSNFfdwytBVlEdmalsrX1gGxfVn3WtNI0YK8Pm6JtPo:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I have made sure that the A record for gitlab.devplateau.com did not get removed somehow and it is still there. I even removed it and created it again just to be safe.

Can someone please help me get back into my Gitlab site? I have important code saved and would prefer not to have to start the server over.


I have the same problem, but still can’t fix it. Are there any ideas? Please help us. :(

That is quite alright.

If you would like to give it a shot (back up your Gitlab configuration file):

This is how I run my Gitlab installation - non-bundled NGINX webserver


You will need to install NGINX

wget https://nginx.org/keys/nginx_signing.key -O - | sudo apt-key add -

echo "deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ xenial nginx" > /etc/apt/sources.list.d/nginx.list

apt-get -y update

apt-get -y install nginx

This will install NGINX Mainline.

My NGINX configuration looks like this - replace YOUR_SERVER_FQN with your server domain

upstream gitlab-workhorse {
  server unix:/var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
}


server {

  listen 0.0.0.0:80;

  server_name YOUR_SERVER_FQN;
  server_tokens off;
  
  location / {
    return 301 https://$http_host$request_uri;    
  }
  
  # Letsencrypt Verification
  #
  location ~ /.well-known {
    root /usr/share/nginx/html;
    allow all;
  } 

  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;

}


server {

  listen 0.0.0.0:443 ssl;

  server_name YOUR_SERVER_FQN;
  server_tokens off;

  root /opt/gitlab/embedded/service/gitlab-rails/public; 

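  # "ssl on;" dropped: "listen ... ssl" above already enables TLS, and current NGINX mainline no longer accepts the directive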
  ssl_certificate /etc/letsencrypt/live/git.YOUR_SERVER_FQN/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/git.YOUR_SERVER_FQN/privkey.pem;
  
  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  ssl_prefer_server_ciphers on;
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_ecdh_curve secp384r1;

  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;

  ssl_stapling on;
  ssl_stapling_verify on;

  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;
  
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  
  ssl_dhparam /etc/ssl/certs/dhparam.pem;  
  
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;

  location / {
    client_max_body_size 0;
    gzip off;

    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_pass http://gitlab-workhorse;
  }

}

Take a look at https://docs.gitlab.com/omnibus/settings/nginx.html#inserting-custom-nginx-settings-into-the-gitlab-server-block - add this to the server block

location ^~ /.well-known/acme-challenge/ {
  default_type "text/plain";
  root /tmp/letsencrypt;
}

Issue this command: mkdir /tmp/letsencrypt

Restart Gitlab and then try and renew the SSL

… or you can reconfigure gitlab to not use SSL
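
The renewal failure in the question is a 404 on /.well-known/acme-challenge/, meaning the web server is not serving the directory the ACME client writes its token into. As an added example (not code from any of the posts above), this Python pre-flight check writes a random probe file under a given webroot and fetches it over HTTP; `preflight` and `serve_locally` are names introduced here, and the local server is a constructed stand-in for NGINX so the check runs offline.

```python
import functools
import http.server
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"
# Direct connections only: ignore any proxy configured in the environment.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def preflight(base_url, webroot, timeout=5.0):
    """Write a random probe where the ACME client puts tokens, then fetch it.
    Returns "ok", "mismatch", "http-<status>" or "unreachable"."""
    token = "preflight-" + secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32)
    probe = Path(webroot) / CHALLENGE_DIR / token
    probe.parent.mkdir(parents=True, exist_ok=True)
    probe.write_text(body)
    try:
        url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
        with OPENER.open(url, timeout=timeout) as resp:
            return "ok" if resp.read().decode().strip() == body else "mismatch"
    except urllib.error.HTTPError as exc:      # e.g. the 404 in the certbot output
        return f"http-{exc.code}"
    except (urllib.error.URLError, OSError):   # DNS failure, refused connection, timeout
        return "unreachable"
    finally:
        probe.unlink(missing_ok=True)          # never leave probe files behind


def serve_locally(directory):
    """Constructed stand-in for the web server: serve `directory` on 127.0.0.1."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        server, base = serve_locally(served)
        print("webroot matches server root:", preflight(base, served))
        print("webroot differs from server root:", preflight(base, other))
        server.shutdown()
```

Against a real host, call `preflight("http://YOUR_SERVER_FQN", "/usr/share/nginx/html")` with whichever root the challenge location block points at; an `http-404` result reproduces the condition certbot reported without spending a renewal attempt.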