
What I did when renewing the Let's Encrypt certificate on GitLab failed


I tried to renew the Let's Encrypt certificate on GitLab

It fails...

$ sudo gitlab-ctl renew-le-certs

Starting Chef Client, version 13.6.4
resolving cookbooks for run list: ["gitlab::letsencrypt_renew"]
Synchronizing Cookbooks:
- postgresql (0.1.0)
- redis (0.1.0)
- registry (0.1.0)
- consul (0.1.0)
- gitaly (0.1.0)
- letsencrypt (0.1.0)
- nginx (0.1.0)
- runit (4.3.0)
- crond (0.1.0)
- package (0.1.0)
- gitlab (0.0.1)
- mattermost (0.1.0)
- acme (3.1.0)
- compat_resource (12.19.1)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 14 resources
Recipe: letsencrypt::enable
* ruby_block[http external-url] action run (skipped due to only_if)
Recipe: <Dynamically Defined Resource>
* service[nginx] action nothing (skipped due to action :nothing)
Recipe: nginx::enable
* runit_service[nginx] action enable
* ruby_block[restart_service] action nothing (skipped due to action :nothing)
* ruby_block[restart_log_service] action nothing (skipped due to action :nothing)
* ruby_block[reload_log_service] action nothing (skipped due to action :nothing)
* directory[/opt/gitlab/sv/nginx] action create (up to date)
* template[/opt/gitlab/sv/nginx/run] action create (up to date)
* directory[/opt/gitlab/sv/nginx/log] action create (up to date)
* directory[/opt/gitlab/sv/nginx/log/main] action create (up to date)
* template[/opt/gitlab/sv/nginx/log/run] action create (up to date)
* template[/var/log/gitlab/nginx/config] action create (up to date)
* directory[/opt/gitlab/sv/nginx/env] action create (up to date)
* ruby_block[Delete unmanaged env files for nginx service] action run (skipped due to only_if)
* template[/opt/gitlab/sv/nginx/check] action create (skipped due to only_if)
* template[/opt/gitlab/sv/nginx/finish] action create (skipped due to only_if)
* directory[/opt/gitlab/sv/nginx/control] action create (up to date)
* link[/opt/gitlab/init/nginx] action create (up to date)
* file[/opt/gitlab/sv/nginx/down] action delete (up to date)
* directory[/opt/gitlab/service] action create (up to date)
* link[/opt/gitlab/service/nginx] action create (up to date)
* ruby_block[wait for nginx service socket] action run (skipped due to not_if)
(up to date)
* execute[reload nginx] action nothing (skipped due to action :nothing)
Recipe: letsencrypt::enable
* directory[/etc/gitlab/ssl] action create (up to date)
* acme_selfsigned[<site-domain>] action create
* file[<site-domain> SSL selfsigned key] action create_if_missing (up to date)
* file[<site-domain> SSL selfsigned crt] action create_if_missing (up to date)
* file[<site-domain> SSL selfsigned chain] action create_if_missing (skipped due to not_if)
(up to date)
Recipe: letsencrypt::http_authorization
* letsencrypt_certificate[<site-domain>] action create
* acme_certificate[staging] action create
* file[<site-domain> SSL key] action create_if_missing (up to date)

================================================================================
Error executing action `create` on resource 'acme_certificate[staging]'
================================================================================

Acme::Client::Error::Unauthorized
---------------------------------
No registration exists matching provided key

Cookbook Trace:
---------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:48:in `acme_authz_for'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:69:in `block (2 levels) in class_from_file'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `map'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `block in class_from_file'

Resource Declaration:
---------------------
suppressed sensitive resource output

Compiled Resource:
------------------
suppressed sensitive resource output

System Info:
------------
chef_version=13.6.4
platform=ubuntu
platform_version=18.04
ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]
program_name=/opt/gitlab/embedded/bin/chef-client
executable=/opt/gitlab/embedded/bin/chef-client

================================================================================
Error executing action `create` on resource 'letsencrypt_certificate[<site-domain>]'
================================================================================

Acme::Client::Error::Unauthorized
---------------------------------
acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: Acme::Client::Error::Unauthorized: No registration exists matching provided key

Cookbook Trace:
---------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:48:in `acme_authz_for'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:69:in `block (2 levels) in class_from_file'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `map'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/providers/certificate.rb:68:in `block in class_from_file'

Resource Declaration:
---------------------
# In /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/recipes/http_authorization.rb

3: letsencrypt_certificate site do
4: fullchain node['gitlab']['nginx']['ssl_certificate']
5: key node['gitlab']['nginx']['ssl_certificate_key']
6: notifies :run, "execute[reload nginx]", :immediate
7: notifies :run, 'ruby_block[display_le_message]'
8: end

Compiled Resource:
------------------
# Declared in /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/recipes/http_authorization.rb:3:in `from_file'

letsencrypt_certificate("<site-domain>") do
action [:create]
default_guard_interpreter :default
declared_type :letsencrypt_certificate
cookbook_name "letsencrypt"
recipe_name "http_authorization"
fullchain "/etc/gitlab/ssl/<site-domain>.crt"
key "/etc/gitlab/ssl/<site-domain>.key"
alt_names []
cn "<site-domain>"
end

System Info:
------------
chef_version=13.6.4
platform=ubuntu
platform_version=18.04
ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]
program_name=/opt/gitlab/embedded/bin/chef-client
executable=/opt/gitlab/embedded/bin/chef-client

Running handlers:
Running handlers complete
Chef Client failed. 0 resources updated in 05 seconds
There was an error renewing Let's Encrypt certificates, please checkout the output


Turn to Google!

"Acme::Client::Error::Unauthorized"

https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4656

It says acme needs to be upgraded.


Upgrade

$ sudo gitlab-ctl upgrade

(omitted!!!)

_______ __ __ __
/ ____(_) /_/ / ____ _/ /_
/ / __/ / __/ / / __ `/ __ \
/ /_/ / / /_/ /___/ /_/ / /_/ /
\____/_/\__/_____/\__,_/_.___/

Upgrade complete! If your GitLab server is misbehaving try running
sudo gitlab-ctl restart
before anything else.
If you need to roll back to the previous version you can use the database
backup made during the upgrade (scroll up for the filename).

The certificate renewal error still occurred partway through, but... the modules seem to have been updated


Try renewing the certificate again

$ sudo gitlab-ctl renew-le-certs

This time it succeeded without any errors.


Just in case, restart GitLab at the end

$ sudo gitlab-ctl restart

ok: run: alertmanager: (pid 15088) 0s
ok: run: crond: (pid 15114) 1s
ok: run: gitaly: (pid 15122) 0s
ok: run: gitlab-monitor: (pid 15142) 0s
ok: run: gitlab-workhorse: (pid 15150) 1s
ok: run: logrotate: (pid 15165) 0s
ok: run: nginx: (pid 15172) 1s
ok: run: node-exporter: (pid 15254) 0s
ok: run: postgres-exporter: (pid 15274) 0s
ok: run: postgresql: (pid 15283) 1s
ok: run: prometheus: (pid 15303) 0s
ok: run: redis: (pid 15314) 1s
ok: run: redis-exporter: (pid 15373) 0s
ok: run: sidekiq: (pid 15408) 0s
ok: run: unicorn: (pid 15420) 1s

It can now be accessed from the browser again without problems.

Phew.
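The steps above (renew, hit the ACME "Unauthorized" error, upgrade, renew again, restart) as one script, added here as an example; it is not code from the original post or from GitLab. It recognises the exact error text shown in the Chef output on this page, runs `gitlab-ctl upgrade` and retries once, and then checks that the certificate nginx actually serves has the same fingerprint as the file on disk, since a "successful" renewal that nginx never reloaded is a common way to still be locked out. Assumptions: omnibus GitLab with `gitlab-ctl` on PATH, `openssl` installed, run as root, the default `/etc/gitlab/ssl/<domain>.crt` path seen in the output above, and HTTPS on port 443; the file and host names in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example (not the post's or GitLab's code): wrap this page's procedure
# and verify the result. Assumes omnibus GitLab, openssl, root, default paths.
set -u

# Marker strings taken verbatim from the Chef output on this page.
NO_REGISTRATION='No registration exists matching provided key'
ACME_UNAUTHORIZED='Acme::Client::Error::Unauthorized'
RENEW_FAILED="There was an error renewing Let's Encrypt certificates"

has_marker() {  # $1 = text, $2 = fixed string to look for
  printf '%s\n' "$1" | grep -qF -- "$2"
}

# Classify the output of `gitlab-ctl renew-le-certs`.
# Prints: upgrade (the error on this page), failed, ok, or unknown.
classify_renew_output() {
  out="$1"
  if has_marker "$out" "$NO_REGISTRATION" || has_marker "$out" "$ACME_UNAUTHORIZED"; then
    echo upgrade
  elif has_marker "$out" "$RENEW_FAILED" || has_marker "$out" 'Chef Client failed'; then
    echo failed
  elif has_marker "$out" 'Chef Client finished'; then
    echo ok
  else
    echo unknown
  fi
}

# Renew; on the page's error, upgrade (which updates the bundled acme
# cookbook) and retry exactly once. Returns 0 only if a renewal run finished.
renew_with_upgrade() {
  out=$(gitlab-ctl renew-le-certs 2>&1)
  case $(classify_renew_output "$out") in
    ok) return 0 ;;
    upgrade)
      echo 'ACME registration/key mismatch: upgrading GitLab and retrying' >&2
      gitlab-ctl upgrade || return 1
      out=$(gitlab-ctl renew-le-certs 2>&1)
      [ "$(classify_renew_output "$out")" = ok ] ;;
    *) printf '%s\n' "$out" >&2; return 1 ;;
  esac
}

# Verify: the certificate nginx serves for $1 has the same SHA-256
# fingerprint as the file on disk; on success print its expiry date.
served_cert_matches_disk() {
  domain="$1"; disk="/etc/gitlab/ssl/${domain}.crt"
  served=$(printf '' | openssl s_client -connect "${domain}:443" -servername "$domain" 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
  ondisk=$(openssl x509 -in "$disk" -noout -fingerprint -sha256 | cut -d= -f2)
  [ -n "$served" ] && [ "$served" = "$ondisk" ] \
    && openssl x509 -in "$disk" -noout -enddate
}

# Usage (hypothetical names): sh renew-le.sh run gitlab.example.org
if [ "${1:-}" = run ] && [ -n "${2:-}" ]; then
  renew_with_upgrade && gitlab-ctl restart && served_cert_matches_disk "$2"
fi
```

The retry is deliberately limited to one upgrade: if the second `renew-le-certs` still reports the same error, the output is printed and the script stops rather than looping, so the remaining cause has to be looked at by hand.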