gitlab letsencrypt http_authorization error

Mohammad Saberi · Dec 8, 2019 · Viewed 7.7k times

I've recently installed GitLab CE on my Ubuntu server. My desired domain for running GitLab is https://git.mydomain.com (this is a sample URL), so I preferred to use Let's Encrypt to enable SSL on the server. At the end of the installation, I received this error:

Running handlers:
There was an error running gitlab-ctl reconfigure:

letsencrypt_certificate[git.mydomain.com] (letsencrypt::http_authorization line 5) had an error: Acme::Client::Error::Malformed: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error: Acme::Client::Error::Malformed: Method not allowed

I've read many pages to find the solution, but none of them were useful. Could you help me activate SSL on this GitLab instance, please?

Answer

VonC · Dec 9, 2019

This is not a problem which would be limited to your case.

A recent Dec. 2019 gitlab-org/gitlab issue 38255 (now gitlab-org/omnibus-gitlab issue 4900) describes the same issue, for a lot of people.

For others who may face the same problem, you should comment out the whole block mentioned by @Azylog, including the acme_certificate 'staging' and end lines.

But it's a serious lack of conformity to the Let's Encrypt announcements. If the method is not changed to POST-as-GET before November 1st, 2020, even the production certificate won't be issued and this workaround won't be of any use.

This is related to ACME v2 - Scheduled deprecation of unauthenticated resource GETs, active from yesterday.

After Dec 4th, unauthenticated HTTP GET requests to ACME v2 resource URLs will return HTTP status code of 405 “method not allowed” and a body containing a JSON problem with type “urn:ietf:params:acme:error:malformed”.

POST-as-GET requests authenticated by a signature from an account other than the creating account will return an HTTP status code of 403 “forbidden” and a body containing a JSON problem with type “urn:ietf:params:acme:error:unauthorized”.

Note: unixcharles/acme-client 2.0.5 will use POST-as-GET, which should fix this issue.
The merge request 3782 shows the next version 12.6 of GitLab Omnibus will use acme-client 2.0.5.
This will be backported into the next releases of 12.2.x through 12.5.x.

Current workaround, proposed by Ahmed Mo7eb :: أحمد محب:

  1. delete old certificate from ssl folder
  2. install Certbot "manually" (#sudo certbot certonly -a manual) &
    (You must make port 80 and 443 available in firewall)
  3. write your Domain name in order
  4. go to: /var/opt/gitlab/nginx/www/.well-known/acme-challenge/
    "Create file with the name that appeared"
  5. press Enter
  6. Congratulations!

Update January 2020: this is supposed to work with GitLab 12.6.2.
No need to patch certificate.rb anymore.

Mohammad Saberi adds in the comments (January 15th, more than a month later):

Finally, I could activate Let's Encrypt SSL on GitLab 12.6.4, but with the staging part of certificate.rb disabled.
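The answer above turns on the difference between an unauthenticated GET and an RFC 8555 POST-as-GET (a JWS with an empty payload, signed by the account key, which the CA answers with 405 "malformed" or 403 "unauthorized" when it is missing or signed by the wrong account). The following added example, written for this page and not taken from acme-client or GitLab, builds such a request and models the checks a CA applies; the account URL (kid), nonce and resource URL are constructed placeholders, and RS256 is used because acme-client accounts are RSA keys by default.

```ruby
require 'openssl'
require 'json'

# base64url without padding, as JWS (RFC 7515) requires; stdlib only.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.size % 4) % 4)
  padded.unpack1('m0')
end

# Client side: an RFC 8555 "POST-as-GET" body. The payload is the EMPTY string
# (not "{}"); the protected header binds the request to the account (kid), the
# resource URL and a fresh nonce, and everything is signed with the account key.
def post_as_get(account_key, kid:, nonce:, url:)
  protected_header = b64url(JSON.generate({ alg: 'RS256', kid: kid, nonce: nonce, url: url }))
  payload = ''
  signature = account_key.sign(OpenSSL::Digest.new('SHA256'), "#{protected_header}.#{payload}")
  { protected: protected_header, payload: payload, signature: b64url(signature) }
end

# Server side: returns the ACME problem type the CA would send, or nil when the
# request is acceptable. keys_by_kid maps an account URL to its public key.
def check_post_as_get(body, keys_by_kid, expected_url:, expected_nonce:)
  return 'urn:ietf:params:acme:error:malformed' unless body.is_a?(Hash) # bare GET: no JWS at all
  header = JSON.parse(b64url_decode(body[:protected]))
  return 'urn:ietf:params:acme:error:malformed' unless body[:payload] == '' && header['url'] == expected_url
  return 'urn:ietf:params:acme:error:badNonce' unless header['nonce'] == expected_nonce
  key = keys_by_kid[header['kid']]
  return 'urn:ietf:params:acme:error:accountDoesNotExist' unless key
  valid = key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(body[:signature]),
                     "#{body[:protected]}.#{body[:payload]}")
  valid ? nil : 'urn:ietf:params:acme:error:unauthorized'
end

# Constructed demo: the owning account reads its resource, then the same kid is
# presented with a signature from a different key (the 403 "unauthorized" case).
def demo
  owner, other = OpenSSL::PKey::RSA.generate(2048), OpenSSL::PKey::RSA.generate(2048)
  kid, nonce, url = 'https://acme.example/acct/1', 'n0nc3', 'https://acme.example/order/1'
  registry = { kid => owner.public_key }
  good   = post_as_get(owner, kid: kid, nonce: nonce, url: url)
  forged = post_as_get(other, kid: kid, nonce: nonce, url: url)
  [check_post_as_get(good,   registry, expected_url: url, expected_nonce: nonce),
   check_post_as_get(forged, registry, expected_url: url, expected_nonce: nonce)]
end
```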