<html><div class="markdown-here-wrapper" data-md-url="https://secure.ucc.asn.au/SOGo/so/tec/Mail/view#!/Mail/0/List%2520-%2520tech/18" style=""><p style="margin: 0px 0px 1.2em !important;">I’ve run <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl renew-le-certs</code>, got an error, <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl reconfigure</code>, hit the same error</p><pre style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;font-size: 1em; line-height: 1.2em;margin: 1.2em 0px;"><code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;white-space: pre; overflow: auto; border-radius: 3px; border: 1px solid rgb(204, 204, 204); padding: 0.5em 0.7em; display: block !important;">letsencrypt_certificate[gitlab.ucc.asn.au] (letsencrypt::http_authorization line 3) had an error: Acme::Client::Error::Unauthorized: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: Acme::Client::Error::Unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
</code></pre><p style="margin: 0px 0px 1.2em !important;">I looked at <a href="https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4614">https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4614</a>, set <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">letsencrypt["enabled"] = false</code>, ran <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl reconfigure</code> successfully, then enabled and re-ran. Same issue.<br />So, as a stop-gap type measure I’ve copied <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">fullchain.pem</code> from mooneye and added <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab_rails['env'] = {"SSL_CERT_FILE" => "/env/gitlab/fullchain-2019-12-u.pem"}</code> to the <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab.rb</code> file.<br /><code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl reconfigure</code> ran successfully from that, so I then ran <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl upgrade</code> then <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl restart</code> (since the web server seemed down).</p><p style="margin: 0px 0px 1.2em !important;">Unfortunately on visiting <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab.ucc.asn.au</code> the old certificate still seemed to be used, so I removed <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">/opt/gitlab/embedded/nodes/gitlab.ucc.gu.uwa.edu.au.json</code>. 
Still didn’t work so I moved <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">fullchain-2019-12-u.pem</code> to <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">/etc/gitlab/trusted-certs</code> and deleted <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">/opt/gitlab/embedded/ssl/certs/cacert.pem</code>, then ran <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl restart</code>.</p><p style="margin: 0px 0px 1.2em !important;">The old cert is still being provided. No clue why.</p><p style="margin: 0px 0px 1.2em !important;">On Monday, December 16, 2019 20:27 AWST, David Adam <a href="mailto:zanchey@ucc.gu.uwa.edu.au">zanchey@ucc.gu.uwa.edu.au</a> wrote:</p><p style="margin: 0px 0px 1.2em !important;"> </p><div class="markdown-here-exclude"><p> </p><blockquote type="cite" cite="alpine.DEB.2.20.1912162027420.8580@motsugo.ucc.gu.uwa.edu.au">On Sun, 8 Dec 2019, David Adam wrote:<br /><br />> Cert Spotter is warning me that the SSL certificate for gitlab.ucc.asn.au<br />> expires next week. The Let's Encrypt machinery should have renewed it by<br />> now. 
Is someone able to take a look?<br />><br />> From memory, I converted all machines including Gitlab to the official<br />> certbot client (instead of using acmetool), so `certbot certificates`<br />> might be a good command to start with.<br />><br />> See also https://wiki.ucc.asn.au/SSLCertificates for how things should be<br />> set up.<br /><br />This certificate has now expired.<br /><br />[DAA]</blockquote><p> </p></div><p style="margin: 0px 0px 1.2em !important;"> </p></div></html>