gitlab letsencrypt http_authorization error

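I recently installed Gitlab CE on my Ubuntu server. The domain I want to run Gitlab on is https://git.mydomain.com (this is an example URL), so I preferred to use Let's Encrypt to enable SSL on the server. At the end of the installation, I got this error: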

Running handlers:
There was an error running gitlab-ctl reconfigure:

letsencrypt_certificate[git.mydomain.com] (letsencrypt::http_authorization line 5) had an error: Acme::Client::Error::Malformed: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error: Acme::Client::Error::Malformed: Method not allowed

I have read many pages looking for a solution, but none of them worked. Can you help me activate SSL on this Gitlab instance?

This is not an issue limited to your situation.

The recent (December 2019) gitlab-org/gitlab issue 38255 (now gitlab-org/omnibus-gitlab issue 4900) describes the same problem, for many people.

For others who may face the same problem, you should comment out all the block mentioned by @Azylog, including the acme_certificate 'staging' and end lines.

But it's a serious lack of conformity to the Let's Encrypt announcements. If method is not changed to POST-as-GET before November 1st, 2020, even the production certificate won't be issued and this workaround won't be any use.

This is related to "ACME v2 - Scheduled deprecation of unauthenticated resource GETs", which took effect yesterday.

After Dec 4th, unauthenticated HTTP GET requests to ACME v2 resource URLs will return HTTP status code of 405 “method not allowed” and a body containing a JSON problem with type “urn:ietf:params:acme:error:malformed”.

POST-as-GET requests authenticated by a signature from an account other than the creating account will return an HTTP status code of 403 “forbidden” and a body containing a JSON problem with type “urn:ietf:params:acme:error:unauthorized”.

Note: unixcharles/acme-client 2.0.5 will use POST-as-GET, which should solve this problem.
Merge request 3782 shows that the next release of GitLab Omnibus, 12.6, will use acme-client 2.0.5.
This will be backported to the next releases of 12.2.x to 12.5.x.

Current workaround, proposed by Ahmed Mo7eb :: أحمد محب:

  1. delete old certificate from ssl folder
  2. install Certbot "manually" (#sudo certbot certonly -a manual) &
    (You must make port 80 and 443 available in firewall)
  3. write your Domain name in order
  4. go to: /var/opt/gitlab/nginx/www/.well-known/acme-challenge/
    "Create file with the name that appeared"
  5. press Enter
  6. Congratulation!

Update January 2020: this should work with GitLab 12.6.2.
Patching certificate.rb is no longer needed.

Mohammad Saberi adds (January 15, more than a month later):

Finally, I could activate LetsEncrypt SSL on Gitlab 12.6.4, but with disabling staging part of certificate.rb.
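The POST-as-GET request that the quoted Let's Encrypt announcement requires (RFC 8555 section 6.3), sketched as an added example that is not part of any answer above and is not acme-client's own code: the client POSTs a JWS with an empty payload, signed by the account key, instead of issuing a plain GET. The RS256 algorithm choice, the `acme.example` URLs, the nonce and the helper names are constructed for illustration.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Base64url without padding, as JWS requires.
def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Build the JSON body of a POST-as-GET request: a flattened JWS whose
# payload is the empty string, signed by the account key and bound to
# the target URL and a server-issued nonce via the protected header.
def post_as_get_body(account_key, kid:, nonce:, url:)
  protected_header = b64url(JSON.generate(
    'alg' => 'RS256', 'kid' => kid, 'nonce' => nonce, 'url' => url
  ))
  payload = '' # the empty payload is what makes this a "GET"
  signing_input = "#{protected_header}.#{payload}"
  signature = account_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  JSON.generate(
    'protected' => protected_header,
    'payload'   => payload,
    'signature' => b64url(signature)
  )
end

# Server-side view: the payload must be empty and the signature must
# verify against the public key of the account named in "kid".
def valid_post_as_get?(body, public_key)
  jws = JSON.parse(body)
  return false unless jws['payload'] == ''
  sig = Base64.urlsafe_decode64(jws['signature'])
  public_key.verify(OpenSSL::Digest.new('SHA256'), sig,
                    "#{jws['protected']}.#{jws['payload']}")
end

# Constructed sample values (not a real account, order or nonce).
ACCOUNT_KEY = OpenSSL::PKey::RSA.new(2048)
SAMPLE_BODY = post_as_get_body(
  ACCOUNT_KEY,
  kid:   'https://acme.example/acct/1',
  nonce: 'constructed-nonce',
  url:   'https://acme.example/order/1'
)
# Sent as: POST <url> with Content-Type: application/jose+json
puts SAMPLE_BODY
```

A client that still sends a bare GET to the same URL carries none of this, which is the case the announcement says is answered with 405 and the `malformed` problem type seen in the error above.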

A workaround is described in gitlab-issues:

Modify

/opt/gitlab/embedded/cookbooks/letsencrypt/resources/certificate.rb

and comment out the staging section (lines 25 to 38).

Works for me (tm).

The problem we ran into was not the same, but the error was the same.

(In my case, the letsencrypt certificate had expired and the renewal process was broken on GitLab 12.2.5-ee.0.)

What we did was...

  • Upgrade to the latest version of Gitlab (the current stable version is 12.7.6-ee.0)
  • Edit gitlab.rb
  • Delete the old certificates
  • Reconfigure the GitLab server

I wrote up the detailed steps here: https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4900#note_292031191