<html><div class="markdown-here-wrapper" data-md-url="https://secure.ucc.asn.au/SOGo/so/tec/Mail/view#!/Mail/0/List%2520-%2520tech/21" style=""><p style="margin: 0px 0px 1.2em !important;">Also seems like if one moves past the SSL expiry (typing <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">thisisunsafe</code> at the page in Chrome) there’s now a 502 error :(</p><p style="margin: 0px 0px 1.2em !important;">On Wednesday, December 18, 2019 18:07 AWST, “tec” <a href="http://mailto:tec@ucc.gu.uwa.edu.au">tec@ucc.gu.uwa.edu.au</a> wrote:</p><p style="margin: 0px 0px 1.2em !important;">&nbsp;</p><div class="markdown-here-exclude"><p>&nbsp;</p><blockquote type="cite" cite="bce-5df9fa80-9b-4a950180@186370729">&nbsp;</blockquote><p>&nbsp;</p></div><p style="margin: 0px 0px 1.2em !important;">&nbsp;</p><p style="margin: 0px 0px 1.2em !important;">I’ve run <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl renew-le-certs</code>, got an error, <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl reconfigure</code>, hit the same error</p><pre style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;font-size: 1em; line-height: 1.2em;margin: 1.2em 0px;"><code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; 
border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;white-space: pre; overflow: auto; border-radius: 3px; border: 1px solid rgb(204, 204, 204); padding: 0.5em 0.7em; display: block !important;">letsencrypt_certificate[gitlab.ucc.asn.au] (letsencrypt::http_authorization line 3) had an error: Acme::Client::Error::Unauthorized: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: Acme::Client::Error::Unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
</code></pre><p style="margin: 0px 0px 1.2em !important;">I looked at <a href="https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4614">https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4614</a>, set <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">letsencrypt["enabled"] = false</code>, ran <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl reconfigure</code> successfully, then enabled and re-ran. Same issue.<br />So, as a stop-gap type measure I’ve copied <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">fullchain.pem</code> from mooneye and added <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab_rails['env'] = {"SSL_CERT_FILE" =&gt; "/env/gitlab/fullchain-2019-12-u.pem"}</code> to the <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab.rb</code> file.<br /><code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; 
white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl reconfigure</code> ran successfully from that, so I then ran <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl upgrade</code> then <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl restart</code> (since the web server seemed down).</p><p style="margin: 0px 0px 1.2em !important;">Unfortunately on visiting <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab.ucc.asn.au</code> the old certificate still seemed to be used, so I removed <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">/opt/gitlab/embedded/nodes/gitlab.ucc.gu.uwa.edu.au.json</code>. 
Still didn’t work so I moved <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">fullchain-2019-12-u.pem</code> to <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">/etc/gitlab/trusted-certs</code> and deleted <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">/opt/gitlab/embedded/ssl/certs/cacert.pem</code>, then ran <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl restart</code>.</p><p style="margin: 0px 0px 1.2em !important;">The old cert is still being provided. No clue why.</p><p style="margin: 0px 0px 1.2em !important;">On Monday, December 16, 2019 20:27 AWST, David Adam <a href="http://mailto:zanchey@ucc.gu.uwa.edu.au">zanchey@ucc.gu.uwa.edu.au</a> wrote:</p><p style="margin: 0px 0px 1.2em !important;">&nbsp;</p><div class="markdown-here-exclude"><p>&nbsp;</p><blockquote type="cite" cite="alpine.DEB.2.20.1912162027420.8580@motsugo.ucc.gu.uwa.edu.au">On Sun, 8 Dec 2019, David Adam wrote:<br /><br />&gt; Cert Spotter is warning me that the SSL certificate for gitlab.ucc.asn.au<br />&gt; expires next week. The Let's Encrypt machinery should have renewed it by<br />&gt; now. 
Is someone able to take a look?<br />&gt;<br />&gt; From memory, I converted all machines including Gitlab to the official<br />&gt; certbot client (instead of using acmetool), so `certbot certificates`<br />&gt; might be a good command to start with.<br />&gt;<br />&gt; See also https://wiki.ucc.asn.au/SSLCertificates for how things should be<br />&gt; set up.<br /><br />This certificate has now expired.<br /><br />[DAA]<br />_______________________________________________<br />List Archives: http://lists.ucc.asn.au/pipermail/tech</blockquote><p>&nbsp;</p></div><p style="margin: 0px 0px 1.2em !important;">&nbsp;</p></div></html>