<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Gitlab should be fixed now.<br>
<br>
I couldn't get Gitlab's built-in letsencrypt support to work so I
disabled it and set up certbot instead. <br>
</p>
<div class="moz-cite-prefix">On 18/12/2019 6:16 pm, tec wrote:<br>
</div>
<blockquote type="cite" cite="mid:bcd-5df9fc80-29-5cb41980@23329914">
<div class="markdown-here-wrapper"
data-md-url="https://secure.ucc.asn.au/SOGo/so/tec/Mail/view#!/Mail/0/List%2520-%2520tech/21"
style="">
<p style="margin: 0px 0px 1.2em !important;">Also seems like if
one moves past the SSL expiry (typing <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">thisisunsafe</code>
at the page in chrome) there’s now a 502 error :(</p>
<p style="margin: 0px 0px 1.2em !important;">On Wednesday,
December 18, 2019 18:07 AWST, “tec” <a
href="mailto:tec@ucc.gu.uwa.edu.au"
moz-do-not-send="true">tec@ucc.gu.uwa.edu.au</a> wrote:</p>
<p style="margin: 0px 0px 1.2em !important;">I’ve run <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl renew-le-certs</code>,
got an error, <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl reconfigure</code>,
hit the same error</p>
<pre style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;font-size: 1em; line-height: 1.2em;margin: 1.2em 0px;"><code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;white-space: pre; overflow: auto; border-radius: 3px; border: 1px solid rgb(204, 204, 204); padding: 0.5em 0.7em; display: block !important;">letsencrypt_certificate[gitlab.ucc.asn.au] (letsencrypt::http_authorization line 3) had an error: Acme::Client::Error::Unauthorized: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: Acme::Client::Error::Unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See <a class="moz-txt-link-freetext" href="https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430">https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430</a> for details.
</code></pre>
<p style="margin: 0px 0px 1.2em !important;">I looked at <a
href="https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4614"
moz-do-not-send="true">https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4614</a>,
set <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">letsencrypt["enabled"] = false</code>,
ran <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl reconfigure</code>
successfully, then enabled and re-ran. Same issue.<br>
So, as a stop-gap type measure I’ve copied <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">fullchain.pem</code>
from mooneye and added <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab_rails['env'] = {"SSL_CERT_FILE" => "/env/gitlab/fullchain-2019-12-u.pem"}</code>
to the <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab.rb</code>
file.<br>
<code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl reconfigure</code>
ran successfully from that, so I then ran <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl upgrade</code>
then <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl restart</code>
(since the web server seemed down).</p>
<p style="margin: 0px 0px 1.2em !important;">Unfortunately on
visiting <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab.ucc.asn.au</code>
the old certificate still seemed to be used, so I removed <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">/opt/gitlab/embedded/nodes/gitlab.ucc.gu.uwa.edu.au.json</code>.
Still didn’t work so I moved <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">fullchain-2019-12-u.pem</code>
to <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">/etc/gitlab/trusted-certs</code>
and deleted <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">/opt/gitlab/embedded/ssl/certs/cacert.pem</code>,
then ran <code style="font-size: 0.85em; font-family: Consolas, Inconsolata, Courier, monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">gitlab-ctl restart</code>.</p>
<p style="margin: 0px 0px 1.2em !important;">The old cert is
still being provided. No clue why.</p>
<p style="margin: 0px 0px 1.2em !important;">On Monday, December
16, 2019 20:27 AWST, David Adam <a
href="mailto:zanchey@ucc.gu.uwa.edu.au"
moz-do-not-send="true">zanchey@ucc.gu.uwa.edu.au</a> wrote:</p>
<div class="markdown-here-exclude">
<blockquote type="cite"
cite="alpine.DEB.2.20.1912162027420.8580@motsugo.ucc.gu.uwa.edu.au">On
Sun, 8 Dec 2019, David Adam wrote:<br>
<br>
> Cert Spotter is warning me that the SSL certificate for
gitlab.ucc.asn.au<br>
> expires next week. The Let's Encrypt machinery should
have renewed it by<br>
> now. Is someone able to take a look?<br>
><br>
> From memory, I converted all machines including Gitlab
to the official<br>
> certbot client (instead of using acmetool), so `certbot
certificates`<br>
> might be a good command to start with.<br>
><br>
> See also <a class="moz-txt-link-freetext" href="https://wiki.ucc.asn.au/SSLCertificates">https://wiki.ucc.asn.au/SSLCertificates</a> for
how things should be<br>
> set up.<br>
<br>
This certificate has now expired.<br>
<br>
[DAA]<br>
_______________________________________________<br>
List Archives: <a class="moz-txt-link-freetext" href="http://lists.ucc.asn.au/pipermail/tech">http://lists.ucc.asn.au/pipermail/tech</a><br>
<br>
Unsubscribe here:
<a class="moz-txt-link-freetext" href="https://lists.ucc.gu.uwa.edu.au/mailman/options/tech/tec%40ucc.gu.uwa.edu.au">https://lists.ucc.gu.uwa.edu.au/mailman/options/tech/tec%40ucc.gu.uwa.edu.au</a></blockquote>
</div>
</div>
</blockquote>
</body>
</html>