By linxsolaire
Hello,
I have had a droplet set up for a while with Gitlab-CE from a one-click install. I believe Gitlab was at 9.2.5 when I created the droplet.
I have tried to keep the droplet up to date, but today I noticed that the site was not working. There was an error about an insecure connection. I have had this issue before, and it was easily fixed by updating my droplet. I went and did that but still could not get into my site.
I checked the Let’s Encrypt certificate to see if it needed to be renewed with sudo certbot renew --dry-run but that showed these errors:
Attempting to renew cert (gitlab.devplateau.com) from /etc/letsencrypt/renewal/gitlab.devplateau.com.conf produced an unexpected error: Failed authorization procedure. gitlab.devplateau.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://gitlab.devplateau.com/.well-known/acme-challenge/HSNFfdwytBVlEdmalsrX1gGxfVn3WtNI0YK8Pm6JtPo: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gitlab.devplateau.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gitlab.devplateau.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: gitlab.devplateau.com
Type: unauthorized
Detail: Invalid response from
http://gitlab.devplateau.com/.well-known/acme-challenge/HSNFfdwytBVlEdmalsrX1gGxfVn3WtNI0YK8Pm6JtPo:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I have made sure that the A record for gitlab.devplateau.com did not get removed somehow and it is still there. I even removed it and created it again just to be safe.
Can someone please help me get back into my Gitlab site? I have important code saved and would prefer not to have to start the server over.
That is quite all right.
If you would like to give it a shot (back up your Gitlab configuration file), this is how I run my Gitlab installation: with a non-bundled NGINX web server.
You will need to install NGINX:
wget https://nginx.org/keys/nginx_signing.key -O - | sudo apt-key add -
# two entries (deb and deb-src) on separate lines; tee so the redirect runs as root
printf 'deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx\ndeb-src http://nginx.org/packages/mainline/ubuntu/ xenial nginx\n' | sudo tee /etc/apt/sources.list.d/nginx.list
sudo apt-get -y update
sudo apt-get -y install nginx
This will install NGINX mainline.
My NGINX configuration looks like this (replace YOUR_SERVER_FQDN with your server's domain name):
# The bundled NGINX must be disabled in /etc/gitlab/gitlab.rb so it does not bind
# ports 80/443 itself:  nginx['enable'] = false  and
# web_server['external_users'] = ['nginx']  followed by  sudo gitlab-ctl reconfigure
upstream gitlab-workhorse {
  # Workhorse unix socket of the omnibus install (path as of GitLab 9.x/10.x)
  server unix:/var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
}
server {
  listen 0.0.0.0:80;
  server_name YOUR_SERVER_FQDN;
  server_tokens off;
  # Everything except the ACME challenge is redirected to HTTPS
  location / {
    return 301 https://$http_host$request_uri;
  }
  # Letsencrypt verification: certbot must write its tokens under this root,
  # i.e. run it with  --webroot -w /usr/share/nginx/html
  location ^~ /.well-known/acme-challenge/ {
    root /usr/share/nginx/html;
    default_type text/plain;
    allow all;
  }
  access_log /var/log/nginx/gitlab_access.log;
  error_log /var/log/nginx/gitlab_error.log;
}
server {
  # "ssl on;" is redundant with "listen ... ssl" and was removed from NGINX mainline (1.25)
  listen 0.0.0.0:443 ssl;
  server_name YOUR_SERVER_FQDN;
  server_tokens off;
  root /opt/gitlab/embedded/service/gitlab-rails/public;
  ssl_certificate /etc/letsencrypt/live/YOUR_SERVER_FQDN/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/YOUR_SERVER_FQDN/privkey.pem;
  # TLS 1.0/1.1 and the 3DES (DES-CBC3) suites are deprecated; do not offer them
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
  ssl_ecdh_curve secp384r1;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  # OCSP stapling needs a resolver to reach the CA's OCSP responder
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  # Generate once with:  openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  access_log /var/log/nginx/gitlab_access.log;
  error_log /var/log/nginx/gitlab_error.log;
  location / {
    client_max_body_size 0;   # no limit, so large pushes and uploads work
    gzip off;
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://gitlab-workhorse;
  }
}
I have the same problem, but still can't fix it. Are there any ideas? Please help us. :(
Take a look at https://docs.gitlab.com/omnibus/settings/nginx.html#inserting-custom-nginx-settings-into-the-gitlab-server-block and add this to the server block:
# goes into nginx['custom_gitlab_server_config'] in /etc/gitlab/gitlab.rb (see the doc above),
# then apply it with: sudo gitlab-ctl reconfigure
location ^~ /.well-known/acme-challenge/ {
  default_type "text/plain";
  root /tmp/letsencrypt;
}
Issue this command:
sudo mkdir -p /tmp/letsencrypt
Restart Gitlab and then try to renew the SSL certificate.
… or you can reconfigure Gitlab not to use SSL.
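The http-01 failure quoted in the question is worth checking by hand before re-running certbot: the ACME server simply fetches http://<domain>/.well-known/acme-challenge/<token> (following redirects, HTTPS included) and expects the body to be the key authorization, which is the token, a dot, and the base64url JWK thumbprint of the account key (RFC 8555, section 8.1). The script below is an added example, not code from this thread, GitLab or certbot. It writes a token under a webroot, fetches it the way the validator would, and classifies the result, so a 404 like the one above shows up as a webroot mismatch before a rate-limited renewal attempt is spent. The selftest() function serves a temporary webroot on 127.0.0.1 as a constructed stand-in for the real host, with a random placeholder for the thumbprint, and exercises both the good case and the 404 case; against the real server, write the token under whichever root nginx is configured with (/tmp/letsencrypt in the answer above, /usr/share/nginx/html in the earlier one) and call probe_challenge("http://gitlab.devplateau.com", token, key_auth).

```python
"""Self-check for a Let's Encrypt http-01 webroot before running certbot.

Added example (not from the original thread). It reproduces what the ACME
validator does: fetch http://<host>/.well-known/acme-challenge/<token> and
compare the body with the expected key authorization. A 404, the failure
quoted in the question, means the web server in front of GitLab is not
serving that path from the directory certbot writes to.
"""
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_token(webroot: str, token: str, key_auth: str) -> str:
    """Place the challenge file exactly where certbot's webroot plugin would."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    full = os.path.join(path, token)
    with open(full, "w") as fh:
        fh.write(key_auth)
    return full


def probe_challenge(base_url: str, token: str, key_auth: str, timeout: float = 5.0) -> dict:
    """Fetch the challenge URL like an ACME validator (redirects are followed) and classify it."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            status = resp.status
    except urllib.error.HTTPError as exc:
        # 404 here is the symptom from the question: another vhost/root answers this path
        return {"url": url, "status": exc.code, "ok": False,
                "reason": f"HTTP {exc.code}: path not served from the webroot certbot writes to"}
    except urllib.error.URLError as exc:
        return {"url": url, "status": None, "ok": False,
                "reason": f"connection failed: {exc.reason}"}
    if body != key_auth:
        return {"url": url, "status": status, "ok": False,
                "reason": "body differs from the expected key authorization"}
    return {"url": url, "status": status, "ok": True, "reason": "challenge served correctly"}


def selftest() -> tuple:
    """Offline demonstration: serve a temporary webroot on 127.0.0.1 and probe it.

    Returns (ok_with_token_present, http_status_with_token_missing).
    """
    with tempfile.TemporaryDirectory() as webroot:
        handler = partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{srv.server_address[1]}"  # constructed stand-in for the real host
        try:
            token = secrets.token_urlsafe(32)
            # Constructed placeholder: a real key authorization is token + "." + JWK thumbprint
            key_auth = f"{token}.{secrets.token_urlsafe(32)}"
            write_token(webroot, token, key_auth)
            good = probe_challenge(base, token, key_auth)
            # Same probe for a token nobody wrote: this is the 404 seen in the question
            missing = probe_challenge(base, "token-that-was-never-written", key_auth)
        finally:
            srv.shutdown()
            srv.server_close()
    return good["ok"], missing["status"]


if __name__ == "__main__":
    print(selftest())
```

Note that /tmp is cleared on reboot on most Ubuntu systems, so a webroot under /tmp has to be recreated before each renewal or moved somewhere persistent. Once the probe reports ok for the real host, point certbot at the same directory (for example certbot certonly --webroot -w /tmp/letsencrypt -d gitlab.devplateau.com) so the renewal config records that webroot for future certbot renew runs.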